From 97817942ace06b4d1bcea3aac27c2542c16af14f Mon Sep 17 00:00:00 2001
From: Fedora Release Engineering
Date: Fri, 6 Dec 2013 13:07:12 +0000
Subject: [PATCH 001/177] Initial setup of the repo

---
 .gitignore | 0
 sources | 0
 2 files changed, 0 insertions(+), 0 deletions(-)
 create mode 100644 .gitignore
 create mode 100644 sources

diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..e69de29
diff --git a/sources b/sources
new file mode 100644
index 0000000..e69de29

From 672dedfae29115ad48816ce7be1eda52546ab183 Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos
Date: Fri, 6 Dec 2013 14:24:37 +0100
Subject: [PATCH 002/177] Initial import (#1027770)

---
 .gitignore | 1 +
 PACKAGE-LICENSING | 148 +++++++++++++++++++++++++++
 ocserv-http-parser.patch | 139 +++++++++++++++++++++++++
 ocserv-pamd.conf | 5 +
 ocserv-tests.patch | 91 +++++++++++++++++
 ocserv.conf | 215 +++++++++++++++++++++++++++++++++++++++
 ocserv.service | 14 +++
 ocserv.spec | 144 ++++++++++++++++++++++++++
 sources | 1 +
 9 files changed, 758 insertions(+)
 create mode 100644 PACKAGE-LICENSING
 create mode 100644 ocserv-http-parser.patch
 create mode 100644 ocserv-pamd.conf
 create mode 100644 ocserv-tests.patch
 create mode 100644 ocserv.conf
 create mode 100644 ocserv.service
 create mode 100644 ocserv.spec

diff --git a/.gitignore b/.gitignore
index e69de29..3b179d1 100644
--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1 @@
+/ocserv-0.2.1.tar.xz
diff --git a/PACKAGE-LICENSING b/PACKAGE-LICENSING
new file mode 100644
index 0000000..8215872
--- /dev/null
+++ b/PACKAGE-LICENSING
@@ -0,0 +1,148 @@
+Note that ocserv contains components under different (but compatible) licenses.
+A breakdown of those is given below.
+
+GPL (v2 or later)
+-----------------
+/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/common.c
+/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/config.c
+/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/cookies.c
+/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/html.c
+/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/ip-lease.c
+/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/log.c
+/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/main-auth.c
+/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/main-config.c
+/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/main-misc.c
+/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/main-resume.c
+/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/main-user.c
+/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/main.c
+/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/ocpasswd.c
+/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/pam.c
+/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/plain.c
+/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/route-add.c
+/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/sec-mod.c
+/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/setproctitle.c
+/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/system.c
+/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/tlslib.c
+/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/tun.c
+/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/worker-auth.c
+/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/worker-bandwidth.c
+/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/worker-extras.c
+/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/worker-misc.c
+/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/worker-privs.c
+/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/worker-resume.c
+/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/worker-tun.c
+/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/worker-vpn.c
+
+# Note that these files were marked as GPLv3 or later by the gnulib-tool,
+# but this is a bug: http://lists.gnu.org/archive/html/bug-gnulib/2013-11/msg00062.html
+GPL (v2 or later)
+-----------------
+/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/build-aux/snippet/arg-nonnull.h
+/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/build-aux/snippet/c++defs.h
+/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/build-aux/snippet/warn-on-use.h
+/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/build-aux/snippet/_Noreturn.h
+
+
+BSD (3 clause) and GPL (v2 or later)
+--------------------------------
+/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/icmp-ping.c
+
+
+LGPL (v2.1 or later)
+--------------------
+/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/gl/memchr.c
+/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/gl/c-ctype.c
+/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/gl/c-ctype.h
+/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/gl/c-strcase.h
+/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/gl/c-strcasecmp.c
+/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/gl/c-strncasecmp.c
+/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/gl/cloexec.c
+/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/gl/cloexec.h
+/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/gl/close.c
+/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/gl/dup2.c
+/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/gl/errno.in.h
+/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/gl/fcntl.c
+/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/gl/fcntl.in.h
+/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/gl/fd-hook.c
+/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/gl/fd-hook.h
+/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/gl/fseek.c
+/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/gl/fseeko.c
+/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/gl/fstat.c
+/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/gl/getdelim.c
+/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/gl/getdtablesize.c
+/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/gl/getline.c
+/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/gl/getpass.c
+/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/gl/getpass.h
+/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/gl/lseek.c
+/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/gl/malloc.c
+/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/gl/memmem.c
+/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/gl/minmax.h
+/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/gl/msvc-inval.c
+/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/gl/msvc-inval.h
+/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/gl/msvc-nothrow.c
+/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/gl/msvc-nothrow.h
+/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/gl/realloc.c
+/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/gl/stdbool.in.h
+/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/gl/stddef.in.h
+/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/gl/stdint.in.h
+/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/gl/stdio-impl.h
+/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/gl/stdio.in.h
+/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/gl/stdlib.in.h
+/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/gl/str-two-way.h
+/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/gl/strdup.c
+/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/gl/string.in.h
+/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/gl/sys_stat.in.h
+/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/gl/sys_types.in.h
+/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/gl/time.in.h
+/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/gl/unistd.in.h
+/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/common.h
+/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/cookies.h
+/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/gettime.h
+/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/html.h
+/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/icmp-ping.h
+/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/ip-lease.h
+/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/ipc.h
+/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/main-auth.h
+/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/main.h
+/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/pam.h
+/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/plain.h
+/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/route-add.h
+/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/script-list.h
+/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/sec-mod.h
+/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/setproctitle.h
+/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/str.c
+/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/str.h
+/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/system.h
+/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/tlslib.h
+/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/tun.h
+/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/vpn.h
+/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/worker-bandwidth.h
+/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/worker.h
+/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/ccan/htable/htable.c
+/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/ccan/htable/htable.h
+/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/ccan/htable/htable_type.h
+
+
+CC0 (public domain)
+--------------------
+/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/ccan/build_assert/build_assert.h
+/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/ccan/container_of/container_of.h
+/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/ccan/check_type/check_type.h
+/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/ccan/hash/hash.c
+/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/ccan/hash/hash.h
+
+
+MIT
+--------------------
+/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/ccan/list/list.c
+/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/ccan/list/list.h
+
+
+Auto-generated files
+--------------------
+/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/gl/unistd.c
+/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/ocpasswd-args.c
+/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/ocpasswd-args.h
+/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/ocserv-args.c
+/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/ocserv-args.h
+/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/version.inc
diff --git a/ocserv-http-parser.patch b/ocserv-http-parser.patch
new file mode 100644
index 0000000..ba40b75
--- /dev/null
+++ b/ocserv-http-parser.patch
@@ -0,0 +1,139 @@
+diff -ur ocserv-0.2.1.orig/configure.ac ocserv-0.2.1/configure.ac
+--- ocserv-0.2.1.orig/configure.ac 2013-11-06 20:47:34.000000000 +0100
++++ ocserv-0.2.1/configure.ac 2013-11-11 13:48:45.536372275 +0100
+@@ -94,6 +94,27 @@
+ AC_DEFINE([ANYCONNECT_CLIENT_COMPAT], [], [Enable Anyconnect compatibility])
+ fi
+
++dnl Test for http_parser library
++with_local_http_parser=yes
++LIBS="$oldlibs -lhttp_parser"
++AC_MSG_CHECKING([for http_parser library])
++AC_LINK_IFELSE([AC_LANG_PROGRAM([
++ #include ],[
++ http_parser_init(0, 0);])],
++ [AC_MSG_RESULT(yes)
++ AC_SUBST([HTTP_PARSER_LIBS], [-lhttp_parser])
++ AC_SUBST([HTTP_PARSER_CFLAGS], [])
++ with_local_http_parser=no],
++ [AC_MSG_RESULT(no)
++ AC_MSG_WARN([[
++***
++*** libhttp-parser not found.
++*** An included version of the library will be used.
++*** ]])])
++LIBS="$oldlibs"
++AM_CONDITIONAL(LOCAL_HTTP_PARSER, test "x$with_local_http_parser" != xno)
++
++
+ dnl needed in the included PCL
+ AC_C_VOLATILE
+ AC_C_CONST
+diff -ur ocserv-0.2.1.orig/src/Makefile.am ocserv-0.2.1/src/Makefile.am
+--- ocserv-0.2.1.orig/src/Makefile.am 2013-11-05 19:59:45.000000000 +0100
++++ ocserv-0.2.1/src/Makefile.am 2013-11-11 13:48:45.536372275 +0100
+@@ -3,10 +3,18 @@
+ AM_CPPFLAGS = -I$(srcdir)/../gl/ -I$(builddir)/../gl/ \
+ -I$(srcdir)/ -I$(builddir)/../ $(LIBOPTS_CFLAGS)
+
++if LOCAL_HTTP_PARSER
++AM_CPPFLAGS += -I$(srcdir)/http-parser/
++HTTP_PARSER_SOURCES = http-parser/http_parser.c http-parser/http_parser.h
++NEEDED_HTTP_PARSER_LIBS =
++else
++NEEDED_HTTP_PARSER_LIBS = $(HTTP_PARSER_LIBS)
++endif
++
+ if NEED_LIBOPTS
+-LIBOPTS = ../libopts/libopts.a
++NEEDED_LIBOPTS = ../libopts/libopts.a
+ else
+-LIBOPTS = $(LIBOPTS_LDADD)
++NEEDED_LIBOPTS = $(LIBOPTS_LDADD)
+ endif
+
+ EXTRA_DIST = ccan/licenses/BSD-MIT version.inc.in \
+@@ -24,21 +32,21 @@
+ ocserv_SOURCES = ocserv-args.def ocserv-args.c ocserv-args.h
+
+ ocserv_SOURCES += main.c main-auth.c worker-vpn.c worker-auth.c tlslib.c \
+- http-parser/http_parser.c ipc.h cookies.c worker-tun.c main-misc.c \
++ ipc.h cookies.c worker-tun.c main-misc.c \
+ main-config.c ip-lease.c ip-lease.h \
+- vpn.h cookies.h tlslib.h http-parser/http_parser.h log.c tun.c tun.h \
++ vpn.h cookies.h tlslib.h log.c tun.c tun.h \
+ config.c pam.c pam.h worker-resume.c worker.h main-resume.c main.h \
+ worker-extras.c main-auth.h html.c html.h \
+ main-user.c worker-misc.c setproctitle.h route-add.c route-add.h \
+ setproctitle.c worker-privs.c plain.c plain.h common.h common.c \
+ sec-mod.c sec-mod.h script-list.h system.c system.h icmp-ping.c icmp-ping.h \
+ worker-bandwidth.c worker-bandwidth.h \
+- str.c str.h gettime.h $(CCAN_SOURCES)
++ str.c str.h gettime.h $(CCAN_SOURCES) $(HTTP_PARSER_SOURCES)
+
+
+-ocserv_LDADD = ../gl/libgnu.a $(LIBOPTS)
++ocserv_LDADD = ../gl/libgnu.a $(NEEDED_LIBOPTS)
+ ocserv_LDADD += $(LIBGNUTLS_LIBS) $(PAM_LIBS) $(LIBUTIL) \
+- $(LIBSECCOMP) $(LIBWRAP) $(LIBCRYPT)
++ $(LIBSECCOMP) $(LIBWRAP) $(LIBCRYPT) $(NEEDED_HTTP_PARSER_LIBS)
+
+ if PCL
+ ocserv_LDADD += $(PCL_LIBS)
+@@ -54,7 +62,7 @@
+ ocpasswd_SOURCES = ocpasswd-args.def ocpasswd-args.c ocpasswd-args.h \
+ ocpasswd.c
+
+-ocpasswd_LDADD = ../gl/libgnu.a $(LIBOPTS)
++ocpasswd_LDADD = ../gl/libgnu.a $(NEEDED_LIBOPTS)
+ ocpasswd_LDADD += $(LIBGNUTLS_LIBS) $(LIBCRYPT)
+
+ ocpasswd-args.c ocpasswd-args.h: $(srcdir)/ocpasswd-args.def
+diff -ur ocserv-0.2.1.orig/src/vpn.h ocserv-0.2.1/src/vpn.h
+--- ocserv-0.2.1.orig/src/vpn.h 2013-11-05 19:34:54.000000000 +0100
++++ ocserv-0.2.1/src/vpn.h 2013-11-11 13:49:03.608470106 +0100
+@@ -23,7 +23,7 @@
+
+ #include
+ #include
+-#include
++#include
+ #include
+ #include
+ #include
+diff -ur ocserv-0.2.1.orig/src/worker-auth.c ocserv-0.2.1/src/worker-auth.c
+--- ocserv-0.2.1.orig/src/worker-auth.c 2013-11-05 19:38:09.000000000 +0100
++++ ocserv-0.2.1/src/worker-auth.c 2013-11-11 13:48:45.537372280 +0100
+@@ -41,7 +41,7 @@
+ #include
+ #include
+
+-#include
++#include
+
+ #define SUCCESS_MSG_HEAD "\n" \
+ "\n" \
+diff -ur ocserv-0.2.1.orig/src/worker-tun.c ocserv-0.2.1/src/worker-tun.c
+--- ocserv-0.2.1.orig/src/worker-tun.c 2013-11-05 19:38:22.000000000 +0100
++++ ocserv-0.2.1/src/worker-tun.c 2013-11-11 13:48:45.537372280 +0100
+@@ -45,8 +45,6 @@
+ #include
+ #include
+
+-#include
+-
+ /* if local is non zero it returns the local, otherwise the remote */
+ static
+ int get_ip(struct worker_st* ws, int fd, int family, unsigned int local,
+diff -ur ocserv-0.2.1.orig/src/worker-vpn.c ocserv-0.2.1/src/worker-vpn.c
+--- ocserv-0.2.1.orig/src/worker-vpn.c 2013-11-05 20:06:51.000000000 +0100
++++ ocserv-0.2.1/src/worker-vpn.c 2013-11-11 13:48:45.537372280 +0100
+@@ -49,7 +49,7 @@
+ #include
+ #include
+
+-#include
++#include
+
+ /* after that time (secs) of inactivity in the UDP part, connection switches to
+ * TCP (if activity occurs there).
diff --git a/ocserv-pamd.conf b/ocserv-pamd.conf
new file mode 100644
index 0000000..968e252
--- /dev/null
+++ b/ocserv-pamd.conf
@@ -0,0 +1,5 @@
+#%PAM-1.0
+auth include password-auth
+account required pam_nologin.so
+account include password-auth
+session include password-auth
diff --git a/ocserv-tests.patch b/ocserv-tests.patch
new file mode 100644
index 0000000..e700e81
--- /dev/null
+++ b/ocserv-tests.patch
@@ -0,0 +1,91 @@
+diff -ur ocserv-0.2.1.orig/tests/Makefile.in ocserv-0.2.1/tests/Makefile.in
+--- ocserv-0.2.1.orig/tests/Makefile.in 2013-11-06 20:47:51.000000000 +0100
++++ ocserv-0.2.1/tests/Makefile.in 2013-11-11 13:56:15.231784324 +0100
+@@ -1,4 +1,4 @@
+-# Makefile.in generated by automake 1.14 from Makefile.am.
++# Makefile.in generated by automake 1.13.4 from Makefile.am.
+ # @configure_input@
+
+ # Copyright (C) 1994-2013 Free Software Foundation, Inc.
+@@ -721,6 +721,8 @@
+ HAVE_WCHAR_T = @HAVE_WCHAR_T@
+ HAVE__BOOL = @HAVE__BOOL@
+ HAVE__EXIT = @HAVE__EXIT@
++HTTP_PARSER_CFLAGS = @HTTP_PARSER_CFLAGS@
++HTTP_PARSER_LIBS = @HTTP_PARSER_LIBS@
+ INCLUDE_NEXT = @INCLUDE_NEXT@
+ INCLUDE_NEXT_AS_FIRST_DIRECTIVE = @INCLUDE_NEXT_AS_FIRST_DIRECTIVE@
+ INSTALL = @INSTALL@
+diff -ur ocserv-0.2.1.orig/tests/test1.config ocserv-0.2.1/tests/test1.config
+--- ocserv-0.2.1.orig/tests/test1.config 2013-07-06 15:10:57.000000000 +0200
++++ ocserv-0.2.1/tests/test1.config 2013-11-11 13:56:15.231784324 +0100
+@@ -132,7 +132,7 @@
+ # The user the worker processes will be run as. It should be
+ # unique (no other services run as this user).
+ run-as-user = nobody
+-run-as-group = nogroup
++run-as-group = nobody
+
+ # Network settings
+
+diff -ur ocserv-0.2.1.orig/tests/test2.config ocserv-0.2.1/tests/test2.config
+--- ocserv-0.2.1.orig/tests/test2.config 2013-07-06 16:54:44.000000000 +0200
++++ ocserv-0.2.1/tests/test2.config 2013-11-11 13:56:15.231784324 +0100
+@@ -132,7 +132,7 @@
+ # The user the worker processes will be run as. It should be
+ # unique (no other services run as this user).
+ run-as-user = nobody
+-run-as-group = nogroup
++run-as-group = nobody
+
+ # Network settings
+
+diff -ur ocserv-0.2.1.orig/tests/test3.config ocserv-0.2.1/tests/test3.config
+--- ocserv-0.2.1.orig/tests/test3.config 2013-10-29 20:11:52.000000000 +0100
++++ ocserv-0.2.1/tests/test3.config 2013-11-11 13:56:15.232784330 +0100
+@@ -132,7 +132,7 @@
+ # The user the worker processes will be run as. It should be
+ # unique (no other services run as this user).
+ run-as-user = nobody
+-run-as-group = nogroup
++run-as-group = nobody
+
+ # Network settings
+
+diff -ur ocserv-0.2.1.orig/tests/test-iroute ocserv-0.2.1/tests/test-iroute
+--- ocserv-0.2.1.orig/tests/test-iroute 2013-10-30 12:39:28.000000000 +0100
++++ ocserv-0.2.1/tests/test-iroute 2013-11-11 13:56:32.933878367 +0100
+@@ -35,7 +35,7 @@
+
+ echo -n "Checking if routes have been applied... "
+
+-if [ ! -f test-iroute.tmp ];then
++if [ ! -f ./test-iroute.tmp ];then
+ fail $PID "Temporary file cannot be found"
+ fi
+
+Only in ocserv-0.2.1/tests: test-iroute~
+diff -ur ocserv-0.2.1.orig/tests/test-iroute.config ocserv-0.2.1/tests/test-iroute.config
+--- ocserv-0.2.1.orig/tests/test-iroute.config 2013-10-30 12:31:33.000000000 +0100
++++ ocserv-0.2.1/tests/test-iroute.config 2013-11-11 13:56:15.232784330 +0100
+@@ -132,7 +132,7 @@
+ # The user the worker processes will be run as. It should be
+ # unique (no other services run as this user).
+ run-as-user = nobody
+-run-as-group = nogroup
++run-as-group = nobody
+
+ # Network settings
+
+diff -ur ocserv-0.2.1.orig/tests/test-pass-script.config ocserv-0.2.1/tests/test-pass-script.config
+--- ocserv-0.2.1.orig/tests/test-pass-script.config 2013-10-31 17:20:37.000000000 +0100
++++ ocserv-0.2.1/tests/test-pass-script.config 2013-11-11 13:56:15.232784330 +0100
+@@ -132,7 +132,7 @@
+ # The user the worker processes will be run as. It should be
+ # unique (no other services run as this user).
+ run-as-user = nobody
+-run-as-group = nogroup
++run-as-group = nobody
+
+ # Network settings
+
diff --git a/ocserv.conf b/ocserv.conf
new file mode 100644
index 0000000..baa7bca
--- /dev/null
+++ b/ocserv.conf
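Review bot: The `+Only in ocserv-0.2.1/tests: test-iroute~` line between the test-iroute and test-iroute.config sections is a stray editor backup swept up by `diff -ur`; `patch` ignores it, but it shows the patch was generated from a dirty tree and should be removed before the patch is committed. The first hunk, which only rewrites the automake version banner in `tests/Makefile.in`, also looks moot because the spec's `%build` runs `autoreconf -fi` and regenerates that file; keeping only the `HTTP_PARSER_*` additions (or dropping the Makefile.in section entirely) makes the patch carry just the config and test-iroute changes it is meant to carry. Note too that `%prep` later runs `rm -f tests/test-*`, so the test-iroute, test-iroute.config and test-pass-script.config sections are applied to files that are deleted immediately afterwards; if that is intentional, a one-line comment in the spec next to `Patch1` saying so would save the next packager from wondering.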
@@ -0,0 +1,215 @@
+# User authentication method. Could be set multiple times and in that case
+# all should succeed.
+# Options: certificate, pam.
+#auth = "certificate"
+#auth = "plain[./sample.passwd]"
+auth = "pam"
+
+# A banner to be displayed on clients
+#banner = "Welcome"
+
+# Use listen-host to limit to specific IPs or to the IPs of a provided hostname.
+#listen-host = [IP|HOSTNAME]
+
+# Limit the number of clients. Unset or set to zero for unlimited.
+#max-clients = 1024
+max-clients = 16
+
+# Limit the number of client connections to one every X milliseconds
+# (X is the provided value). Set to zero for no limit.
+#rate-limit-ms = 100
+
+# Limit the number of identical clients (i.e., users connecting multiple times)
+# Unset or set to zero for unlimited.
+max-same-clients = 2
+
+# TCP and UDP port number
+tcp-port = 4443
+udp-port = 4443
+
+# Keepalive in seconds
+keepalive = 32400
+
+# Dead peer detection in seconds
+dpd = 60
+
+# MTU discovery (DPD must be enabled)
+try-mtu-discovery = false
+
+# The key and the certificates of the server
+# The key may be a file, or any URL supported by GnuTLS (e.g.,
+# tpmkey:uuid=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx;storage=user
+# or pkcs11:object=my-vpn-key;object-type=private)
+#
+# There may be multiple certificate and key pairs and each key
+# should correspond to the preceding certificate.
+server-cert = /etc/ocserv/server.crt
+server-key = /etc/ocserv/server.key
+
+# Diffie-Hellman parameters. Only needed if you require support
+# for the DHE ciphersuites (by default this server supports ECDHE).
+# Can be generated using:
+# certtool --generate-dh-params --outfile /path/to/dh.pem
+#dh-params = /path/to/dh.pem
+
+# If you have a certificate from a CA that provides an OCSP
+# service you may provide a fresh OCSP status response within
+# the TLS handshake. That will prevent the client from connecting
+# independently on the OCSP server.
+# You can update this response periodically using:
+# ocsptool --ask --load-cert=your_cert --load-issuer=your_ca --outfile response
+# Make sure that you replace the following file in an atomic way.
+#ocsp-response = /path/to/ocsp.der
+
+# In case PKCS #11 or TPM keys are used the PINs should be available
+# in files. The srk-pin-file is applicable to TPM keys only (It's the storage
+# root key).
+#pin-file = /path/to/pin.txt
+#srk-pin-file = /path/to/srkpin.txt
+
+# The Certificate Authority that will be used
+# to verify clients if certificate authentication
+# is set.
+#ca-cert = /etc/ocserv/ca.crt
+
+# The object identifier that will be used to read the user ID in the client certificate.
+# The object identifier should be part of the certificate's DN
+# Useful OIDs are:
+# CN = 2.5.4.3, UID = 0.9.2342.19200300.100.1.1
+#cert-user-oid = 0.9.2342.19200300.100.1.1
+
+# The object identifier that will be used to read the user group in the client
+# certificate. The object identifier should be part of the certificate's DN
+# Useful OIDs are:
+# OU (organizational unit) = 2.5.4.11
+#cert-group-oid = 2.5.4.11
+
+# A revocation list of ca-cert is set
+#crl = /path/to/crl.pem
+
+# GnuTLS priority string
+tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT"
+
+# To enforce perfect forward secrecy (PFS) on the main channel.
+#tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA"
+
+# The time (in seconds) that a client is allowed to stay connected prior
+# to authentication
+auth-timeout = 40
+
+# The time (in seconds) that a client is not allowed to reconnect after
+# a failed authentication attempt.
+min-reauth-time = 2
+
+# Cookie validity time (in seconds)
+# Once a client is authenticated he's provided a cookie with
+# which he can reconnect. This option sets the maximum lifetime
+# of that cookie.
+cookie-validity = 172800
+
+# Script to call when a client connects and obtains an IP
+# Parameters are passed on the environment.
+# REASON, USERNAME, GROUPNAME, HOSTNAME (the hostname selected by client),
+# DEVICE, IP_REAL (the real IP of the client), IP_LOCAL (the local IP
+# in the P-t-P connection), IP_REMOTE (the VPN IP of the client). REASON
+# may be "connect" or "disconnect".
+#connect-script = /usr/bin/myscript
+#disconnect-script = /usr/bin/myscript
+
+# UTMP
+use-utmp = true
+
+# PID file
+#pid-file = /var/run/ocserv.pid
+
+# The default server directory. Does not require any devices present.
+chroot-dir = /var/ocserv/
+
+# socket file used for IPC, will be appended with .PID
+# It must be accessible within the chroot environment (if any)
+socket-file = ocserv.sock
+
+# The user the worker processes will be run as. It should be
+# unique (no other services run as this user).
+run-as-user = ocserv
+run-as-group = ocserv
+
+# Network settings
+
+device = vpns
+
+# The default domain to be advertised
+#default-domain = example.com
+
+#ipv4-network = 192.168.1.0
+#ipv4-netmask = 255.255.255.0
+# Use the keywork local to advertize the local P-t-P address as DNS server
+# ipv4-dns = 192.168.2.1
+#ipv4-dns = local
+
+# The NBNS server (if any)
+#ipv4-nbns = 192.168.2.3
+
+#ipv6-address =
+#ipv6-dns =
+
+# The IPv6 subnet prefix
+#ipv6-prefix =
+
+# Prior to leasing any IP from the pool ping it to verify that
+# it is not in use by another (unrelated to this server) host.
+ping-leases = false
+
+# Leave empty to assign the default MTU of the device
+# mtu =
+
+# Unset to enable bandwidth restrictions (in bytes/sec). The
+# setting here is global, but can also be set per user or per group.
+#rx-data-per-sec = 40960
+#tx-data-per-sec = 40960
+
+# The number of packets (of MTU size) that are available in
+# the output buffer. The default is low to improve latency.
+# Setting it higher will improve throughput.
+output-buffer = 100
+
+#route = 192.168.1.0/255.255.255.0
+#route = 192.168.5.0/255.255.255.0
+
+# Configuration files that will be applied per user connection or
+# per group. Each file name on these directories must match the username
+# or the groupname.
+# The options allowed in the configuration files are ipv?-dns, ipv?-nbns,
+# ipv?-network, ipv?-netmask, ipv6-prefix, iroute and route.
+#
+# Note that the 'iroute' option allows to add routes on the server
+# based on a user or group. The syntax depends on the input accepted
+# by the commands route-add-cmd and route-del-cmd (see below).
+
+#config-per-user = /etc/ocserv/config-per-user/
+#config-per-group = /etc/ocserv/config-per-group/
+
+# The system command to use to setup a route. %R will be replaced with the
+# route/mask and %D with the (tun) device.
+#
+# The following example is from linux systems. %R should be something
+# like 192.168.2.0/24 (so iroute in this system has different syntax than route)
+
+route-add-cmd = "ip route add %R dev %D"
+route-del-cmd = "ip route delete %R dev %D"
+
+#
+# The following options are for (experimental) AnyConnect client
+# compatibility.
+
+# Client profile xml. A sample file exists in doc/profile.xml.
+# This file must be accessible from inside the worker's chroot.
+# The profile is ignored by the openconnect client.
+#user-profile = profile.xml
+
+# Unless set to false it is required for clients to present their
+# certificate even if they are authenticating via a previously granted
+# cookie. Legacy CISCO clients do not do that, and thus this option
+# should be set for them.
+#always-require-cert = false
+
diff --git a/ocserv.service b/ocserv.service
new file mode 100644
index 0000000..3b39466
--- /dev/null
+++ b/ocserv.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=OpenConnect SSL VPN server
+Documentation=man:ocserv(8)
+After=syslog.target network.target
+
+[Service]
+PrivateTmp=true
+Type=forking
+PIDFile=/var/run/ocserv.pid
+ExecStart=/usr/sbin/ocserv --pid-file /var/run/ocserv.pid --config /etc/ocserv/ocserv.conf
+ExecReload=/bin/kill -HUP $MAINPID
+
+[Install]
+WantedBy=multi-user.target
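Review bot: `chroot-dir = /var/ocserv/` names a directory that nothing in this commit creates: the spec's `%install` only makes `%{buildroot}/var/lib/ocserv/`, `%files` only owns `%dir /var/lib/ocserv`, and the `useradd` in `%pre` also uses `/var/lib/ocserv` as the home directory. Unless the directory is created somewhere else, the worker chroot presumably fails at startup, or an administrator ends up creating it by hand outside package ownership; changing the line to `chroot-dir = /var/lib/ocserv/` (or adding `%dir /var/ocserv` to the spec) keeps the config and the package consistent. The shipped `tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT"` line leaves the `-RSA` PFS-only variant commented out; a short comment stating why the package default keeps RSA key exchange enabled would help administrators decide whether to tighten it.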
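Review bot: `After=syslog.target network.target` orders the unit after `syslog.target`, which systemd has treated as obsolete for some time (journald is socket-activated), so that entry adds nothing and can be dropped: `After=network.target`. `PIDFile=/var/run/ocserv.pid` and the matching `--pid-file /var/run/ocserv.pid` in `ExecStart=` use the legacy `/var/run` path; `/run` is the canonical runtime directory on systemd hosts and avoids relying on the `/var/run` symlink, so both should read `/run/ocserv.pid`. A comment above `[Service]` noting that the daemon does its own privilege separation (the config's `run-as-user`/`chroot-dir`) would explain why the unit itself carries no `User=` directive.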
diff --git a/ocserv.spec b/ocserv.spec
new file mode 100644
index 0000000..1368da1
--- /dev/null
+++ b/ocserv.spec
@@ -0,0 +1,144 @@ +Name: ocserv +Version: 0.2.1 +Release: 6%{?dist} +Summary: OpenConnect SSL VPN server + +# For a breakdown of the licensing, see PACKAGE-LICENSING +# To simplify licenses LGPLv2+ files have been promoted to GPLv2+. +License: GPLv2+ and BSD and MIT and CC0 +URL: http://www.infradead.org/ocserv/ +Source0: ftp://ftp.infradead.org/pub/ocserv/%{name}-%{version}.tar.xz +Source1: ocserv.conf +Source2: ocserv.service +Source3: ocserv-pamd.conf +Source4: PACKAGE-LICENSING + +# Taken from upstream: +# http://git.infradead.org/ocserv.git/commitdiff/7d70006a2dbddf783213f1856374bacc74217e09 +Patch0: ocserv-http-parser.patch +Patch1: ocserv-tests.patch +BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) + +BuildRequires: gnutls-devel +BuildRequires: pam-devel +BuildRequires: iproute +BuildRequires: systemd +BuildRequires: autogen-libopts-devel >= 5.18 +BuildRequires: autogen +BuildRequires: pcllib-devel, http-parser-devel, tcp_wrappers-devel +BuildRequires: automake, autoconf + +Requires: iproute +Requires: pam +Requires(pre): shadow-utils +Requires(post): systemd +Requires(preun): systemd +Requires(postun): systemd +#gnulib is bundled. See https://fedorahosted.org/fpc/ticket/174 +Provides: bundled(gnulib) +#CCAN is bundled. See https://fedorahosted.org/fpc/ticket/364 +Provides: bundled(bobjenkins-hash) bundled(ccan-container_of) +Provides: bundled(ccan-htable) bundled(ccan-list) +Provides: bundled(ccan-check_type) bundled(ccan-build_assert) + +%description +OpenConnect server (ocserv) is an SSL VPN server. Its purpose is to be +a secure, small, fast and configurable VPN server that uses standard +protocols such as TLS 1.2, and Datagram TLS. It implements the +OpenConnect SSL VPN protocol, which is compatible with the AnyConnect +SSL VPN protocol. 
+ +%prep +%setup -q +%patch0 -p1 +%patch1 -p1 +rm -f src/http-parser/http_parser.c src/http-parser/http_parser.h +rm -f libopts/*.c libopts/*.h libopts/*/*.c libopts/*/*.h +rm -f src/pcl/*.c src/pcl/*.h +# GPLv3 in headers was a gnulib bug: +# http://lists.gnu.org/archive/html/bug-gnulib/2013-11/msg00062.html +sed -i 's/either version 3 of the License/either version 2 of the License/g' build-aux/snippet/* +# remove GPLv3 components +rm -f tests/test-* tests/common.sh + +%build +autoreconf -fi + +%configure + +# disable the smp_mflags until an issue with the dependencies in the +# autogen'erated files is fixed +make #%{?_smp_mflags} + +%pre +getent group ocserv &>/dev/null || groupadd -r ocserv +getent passwd ocserv &>/dev/null || \ + /usr/sbin/useradd -r -g ocserv -s /sbin/nologin -c ocserv \ + -d /var/lib/ocserv ocserv + +%post +%systemd_post ocserv.service + +%preun +%systemd_preun ocserv.service + +%postun +%systemd_postun ocserv.service + +%install +rm -rf %{buildroot} +cp -a %{SOURCE4} PACKAGE-LICENSING +mkdir -p %{buildroot}/%{_sysconfdir}/pam.d/ +mkdir -p %{buildroot}/%{_sysconfdir}/ocserv/ +install -p -m 644 %{SOURCE3} %{buildroot}/%{_sysconfdir}/pam.d/ocserv +install -p -m 644 %{SOURCE1} %{buildroot}/%{_sysconfdir}/ocserv/ +mkdir -p %{buildroot}/%{_unitdir} +install -p -m 644 %{SOURCE2} %{buildroot}/%{_unitdir} +mkdir -p %{buildroot}/var/lib/ocserv/ +%make_install + +%clean +rm -rf %{buildroot} + +%files +%defattr(-,root,root,-) + +%dir /var/lib/ocserv +%dir %{_sysconfdir}/ocserv + +%config(noreplace) %{_sysconfdir}/ocserv/ocserv.conf +%config(noreplace) %{_sysconfdir}/pam.d/ocserv + +%doc AUTHORS ChangeLog NEWS COPYING LICENSE README TODO PACKAGE-LICENSING +%doc src/ccan/licenses/CC0 src/ccan/licenses/LGPL-2.1 src/ccan/licenses/BSD-MIT +%{_mandir}/man8/ocserv.8* +%{_mandir}/man8/ocpasswd.8* +%{_bindir}/ocpasswd +%{_sbindir}/ocserv +%{_unitdir}/ocserv.service + +%changelog +* Fri Dec 6 2013 Nikos Mavrogiannopoulos - 0.2.1-6 +- Added exception for the 
bundling of CCAN components. + +* Wed Nov 13 2013 Nikos Mavrogiannopoulos - 0.2.1-5 +- Updated the way PACKAGE-LICENSING is handled. + +* Tue Nov 12 2013 Nikos Mavrogiannopoulos - 0.2.1-4 +- Replaced gnulib's GPLv3+ license with GPLv2+. According to + http://lists.gnu.org/archive/html/bug-gnulib/2013-11/msg00062.html + it was a gnulib bug. +- Reduced the number of applicable licenses by upgrading LGPLv2+ + components to GPLv2+. +- Added PACKAGE-LICENSING. + +* Mon Nov 11 2013 Nikos Mavrogiannopoulos - 0.2.1-3 +- Updated spec to add http-parser and pcllib as dependencies. +- Bundled library files are removed. +- Updated license information. + +* Fri Nov 8 2013 Nikos Mavrogiannopoulos - 0.2.1-2 +- Updated spec to account improvements suggested by Alec Leamas. + +* Thu Nov 7 2013 Nikos Mavrogiannopoulos - 0.2.1-1 +- Initial version of the package diff --git a/sources b/sources index e69de29..84447ec 100644 --- a/sources +++ b/sources @@ -0,0 +1 @@ +99f239f796c9d29746e307e6a51999f0 ocserv-0.2.1.tar.xz From e0d05d7de926578ddc6fd214f548093133b5b131 Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Fri, 6 Dec 2013 14:35:59 +0100 Subject: [PATCH 003/177] compile with any version of libopts --- ocserv.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ocserv.spec b/ocserv.spec index 1368da1..7f35e14 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -23,7 +23,7 @@ BuildRequires: gnutls-devel BuildRequires: pam-devel BuildRequires: iproute BuildRequires: systemd -BuildRequires: autogen-libopts-devel >= 5.18 +BuildRequires: autogen-libopts-devel BuildRequires: autogen BuildRequires: pcllib-devel, http-parser-devel, tcp_wrappers-devel BuildRequires: automake, autoconf From 89a912e128817a73728aac47ff75946c56d8b68a Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Fri, 6 Dec 2013 15:19:39 +0100 Subject: [PATCH 004/177] corrected chroot directory --- ocserv.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
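Review bot: `%pre` creates the service account with `-d /var/lib/ocserv`, the directory that `%install` creates and `%files` ships as `%dir /var/lib/ocserv` under `%defattr(-,root,root,-)`; root ownership is the right choice for a directory that an unprivileged worker is confined to, but the spec should say so, e.g. `# /var/lib/ocserv: home of the ocserv account and worker directory; keep it root-owned and not writable by ocserv`. `BuildRoot:`, `%clean`, the `rm -rf %{buildroot}` at the top of `%install` and `%defattr(-,root,root,-)` are all obsolete on current Fedora/rpm and can be removed. `make #%{?_smp_mflags}` buries the macro in a comment; the two comment lines above already explain why parallel builds are off, so a plain `make` reads cleaner. The new `ocserv.conf` (only its tail is visible here) is installed with `-m 644`, which is fine as long as no secrets are ever placed in it; a comment noting that keys and passwords belong in separate root-only files would prevent that drift.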
diff --git a/ocserv.conf b/ocserv.conf index baa7bca..a8d983e 100644 --- a/ocserv.conf +++ b/ocserv.conf @@ -123,7 +123,7 @@ use-utmp = true #pid-file = /var/run/ocserv.pid # The default server directory. Does not require any devices present. -chroot-dir = /var/ocserv/ +chroot-dir = /var/lib/ocserv/ # socket file used for IPC, will be appended with .PID # It must be accessible within the chroot environment (if any) From 642f6cd3b101a1e4f69dc334cfb55a249ea13f60 Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Fri, 6 Dec 2013 15:21:42 +0100 Subject: [PATCH 005/177] use the correct config file --- ocserv.spec | 1 + 1 file changed, 1 insertion(+) diff --git a/ocserv.spec b/ocserv.spec index 7f35e14..d2328ab 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -55,6 +55,7 @@ SSL VPN protocol. rm -f src/http-parser/http_parser.c src/http-parser/http_parser.h rm -f libopts/*.c libopts/*.h libopts/*/*.c libopts/*/*.h rm -f src/pcl/*.c src/pcl/*.h +sed -i 's|/etc/ocserv.conf|/etc/ocserv/ocserv.conf|g' src/config.c # GPLv3 in headers was a gnulib bug: # http://lists.gnu.org/archive/html/bug-gnulib/2013-11/msg00062.html sed -i 's/either version 3 of the License/either version 2 of the License/g' build-aux/snippet/* From 8e96cd34fb39ff4b8e7378339d14d3cbbba1593e Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Mon, 16 Dec 2013 10:32:18 +0100 Subject: [PATCH 006/177] updated to 0.2.3 --- .gitignore | 1 + ocserv-http-parser.patch | 139 --------------------------------------- ocserv-tests.patch | 91 ------------------------- ocserv.conf | 12 ++++ ocserv.spec | 27 ++++---- sources | 2 +- 6 files changed, 27 insertions(+), 245 deletions(-) delete mode 100644 ocserv-http-parser.patch delete mode 100644 ocserv-tests.patch diff --git a/.gitignore b/.gitignore index 3b179d1..3475ef7 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1,2 @@ /ocserv-0.2.1.tar.xz +/ocserv-0.2.3.tar.xz 
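Review bot: `chroot-dir = /var/lib/ocserv/` now points at the directory the spec creates in `%install` and assigns as the ocserv account's home, and the comment above it only says the directory needs no devices; it should also state the ownership requirement that makes a chroot useful, e.g. `# Must be owned by root and not writable by run-as-user; a writable chroot directory weakens the isolation.` The `%files` section lists it as a plain `%dir`, so it is root-owned by default today, but nothing pins that, and a later `%attr` change or an administrator `chown` would silently degrade the sandbox.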
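Review bot: The new `sed -i 's|/etc/ocserv.conf|/etc/ocserv/ocserv.conf|g' src/config.c` rewrites the compiled-in default config path without checking that the pattern matched, so when upstream moves or renames that string the build still succeeds and the binary silently falls back to `/etc/ocserv.conf`, a file this package never ships, instead of the `%config(noreplace)` one. Guard it so a miss fails the build, `grep -q '/etc/ocserv.conf' src/config.c` before the sed, and apply the same guard to the `run-as-group = nogroup` sed over `tests/*.config` that the 0.2.3 update adds in `%prep`.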
diff --git a/ocserv-http-parser.patch b/ocserv-http-parser.patch
deleted file mode 100644
index ba40b75..0000000
--- a/ocserv-http-parser.patch
+++ /dev/null
@@ -1,139 +0,0 @@ -diff -ur ocserv-0.2.1.orig/configure.ac ocserv-0.2.1/configure.ac ---- ocserv-0.2.1.orig/configure.ac 2013-11-06 20:47:34.000000000 +0100 -+++ ocserv-0.2.1/configure.ac 2013-11-11 13:48:45.536372275 +0100 -@@ -94,6 +94,27 @@ - AC_DEFINE([ANYCONNECT_CLIENT_COMPAT], [], [Enable Anyconnect compatibility]) - fi - -+dnl Test for http_parser library -+with_local_http_parser=yes -+LIBS="$oldlibs -lhttp_parser" -+AC_MSG_CHECKING([for http_parser library]) -+AC_LINK_IFELSE([AC_LANG_PROGRAM([ -+ #include ],[ -+ http_parser_init(0, 0);])], -+ [AC_MSG_RESULT(yes) -+ AC_SUBST([HTTP_PARSER_LIBS], [-lhttp_parser]) -+ AC_SUBST([HTTP_PARSER_CFLAGS], []) -+ with_local_http_parser=no], -+ [AC_MSG_RESULT(no) -+ AC_MSG_WARN([[ -+*** -+*** libhttp-parser not found. -+*** An included version of the library will be used. -+*** ]])]) -+LIBS="$oldlibs" -+AM_CONDITIONAL(LOCAL_HTTP_PARSER, test "x$with_local_http_parser" != xno) -+ -+ - dnl needed in the included PCL - AC_C_VOLATILE - AC_C_CONST -diff -ur ocserv-0.2.1.orig/src/Makefile.am ocserv-0.2.1/src/Makefile.am ---- ocserv-0.2.1.orig/src/Makefile.am 2013-11-05 19:59:45.000000000 +0100 -+++ ocserv-0.2.1/src/Makefile.am 2013-11-11 13:48:45.536372275 +0100 -@@ -3,10 +3,18 @@ - AM_CPPFLAGS = -I$(srcdir)/../gl/ -I$(builddir)/../gl/ \ - -I$(srcdir)/ -I$(builddir)/../ $(LIBOPTS_CFLAGS) - -+if LOCAL_HTTP_PARSER -+AM_CPPFLAGS += -I$(srcdir)/http-parser/ -+HTTP_PARSER_SOURCES = http-parser/http_parser.c http-parser/http_parser.h -+NEEDED_HTTP_PARSER_LIBS = -+else -+NEEDED_HTTP_PARSER_LIBS = $(HTTP_PARSER_LIBS) -+endif -+ - if NEED_LIBOPTS --LIBOPTS = ../libopts/libopts.a -+NEEDED_LIBOPTS = ../libopts/libopts.a - else --LIBOPTS = $(LIBOPTS_LDADD) -+NEEDED_LIBOPTS = $(LIBOPTS_LDADD) - endif - - EXTRA_DIST = ccan/licenses/BSD-MIT version.inc.in \ -@@ -24,21 +32,21 @@ - ocserv_SOURCES = ocserv-args.def ocserv-args.c ocserv-args.h - - ocserv_SOURCES += main.c main-auth.c worker-vpn.c worker-auth.c tlslib.c \ -- 
http-parser/http_parser.c ipc.h cookies.c worker-tun.c main-misc.c \ -+ ipc.h cookies.c worker-tun.c main-misc.c \ - main-config.c ip-lease.c ip-lease.h \ -- vpn.h cookies.h tlslib.h http-parser/http_parser.h log.c tun.c tun.h \ -+ vpn.h cookies.h tlslib.h log.c tun.c tun.h \ - config.c pam.c pam.h worker-resume.c worker.h main-resume.c main.h \ - worker-extras.c main-auth.h html.c html.h \ - main-user.c worker-misc.c setproctitle.h route-add.c route-add.h \ - setproctitle.c worker-privs.c plain.c plain.h common.h common.c \ - sec-mod.c sec-mod.h script-list.h system.c system.h icmp-ping.c icmp-ping.h \ - worker-bandwidth.c worker-bandwidth.h \ -- str.c str.h gettime.h $(CCAN_SOURCES) -+ str.c str.h gettime.h $(CCAN_SOURCES) $(HTTP_PARSER_SOURCES) - - --ocserv_LDADD = ../gl/libgnu.a $(LIBOPTS) -+ocserv_LDADD = ../gl/libgnu.a $(NEEDED_LIBOPTS) - ocserv_LDADD += $(LIBGNUTLS_LIBS) $(PAM_LIBS) $(LIBUTIL) \ -- $(LIBSECCOMP) $(LIBWRAP) $(LIBCRYPT) -+ $(LIBSECCOMP) $(LIBWRAP) $(LIBCRYPT) $(NEEDED_HTTP_PARSER_LIBS) - - if PCL - ocserv_LDADD += $(PCL_LIBS) -@@ -54,7 +62,7 @@ - ocpasswd_SOURCES = ocpasswd-args.def ocpasswd-args.c ocpasswd-args.h \ - ocpasswd.c - --ocpasswd_LDADD = ../gl/libgnu.a $(LIBOPTS) -+ocpasswd_LDADD = ../gl/libgnu.a $(NEEDED_LIBOPTS) - ocpasswd_LDADD += $(LIBGNUTLS_LIBS) $(LIBCRYPT) - - ocpasswd-args.c ocpasswd-args.h: $(srcdir)/ocpasswd-args.def -diff -ur ocserv-0.2.1.orig/src/vpn.h ocserv-0.2.1/src/vpn.h ---- ocserv-0.2.1.orig/src/vpn.h 2013-11-05 19:34:54.000000000 +0100 -+++ ocserv-0.2.1/src/vpn.h 2013-11-11 13:49:03.608470106 +0100 -@@ -23,7 +23,7 @@ - - #include - #include --#include -+#include - #include - #include - #include -diff -ur ocserv-0.2.1.orig/src/worker-auth.c ocserv-0.2.1/src/worker-auth.c ---- ocserv-0.2.1.orig/src/worker-auth.c 2013-11-05 19:38:09.000000000 +0100 -+++ ocserv-0.2.1/src/worker-auth.c 2013-11-11 13:48:45.537372280 +0100 -@@ -41,7 +41,7 @@ - #include - #include - --#include -+#include - - #define SUCCESS_MSG_HEAD "\n" 
\ - "\n" \ -diff -ur ocserv-0.2.1.orig/src/worker-tun.c ocserv-0.2.1/src/worker-tun.c ---- ocserv-0.2.1.orig/src/worker-tun.c 2013-11-05 19:38:22.000000000 +0100 -+++ ocserv-0.2.1/src/worker-tun.c 2013-11-11 13:48:45.537372280 +0100 -@@ -45,8 +45,6 @@ - #include - #include - --#include -- - /* if local is non zero it returns the local, otherwise the remote */ - static - int get_ip(struct worker_st* ws, int fd, int family, unsigned int local, -diff -ur ocserv-0.2.1.orig/src/worker-vpn.c ocserv-0.2.1/src/worker-vpn.c ---- ocserv-0.2.1.orig/src/worker-vpn.c 2013-11-05 20:06:51.000000000 +0100 -+++ ocserv-0.2.1/src/worker-vpn.c 2013-11-11 13:48:45.537372280 +0100 -@@ -49,7 +49,7 @@ - #include - #include - --#include -+#include - - /* after that time (secs) of inactivity in the UDP part, connection switches to - * TCP (if activity occurs there). diff --git a/ocserv-tests.patch b/ocserv-tests.patch deleted file mode 100644 index e700e81..0000000 --- a/ocserv-tests.patch +++ /dev/null 
@@ -1,91 +0,0 @@ -diff -ur ocserv-0.2.1.orig/tests/Makefile.in ocserv-0.2.1/tests/Makefile.in ---- ocserv-0.2.1.orig/tests/Makefile.in 2013-11-06 20:47:51.000000000 +0100 -+++ ocserv-0.2.1/tests/Makefile.in 2013-11-11 13:56:15.231784324 +0100 -@@ -1,4 +1,4 @@ --# Makefile.in generated by automake 1.14 from Makefile.am. -+# Makefile.in generated by automake 1.13.4 from Makefile.am. - # @configure_input@ - - # Copyright (C) 1994-2013 Free Software Foundation, Inc. -@@ -721,6 +721,8 @@ - HAVE_WCHAR_T = @HAVE_WCHAR_T@ - HAVE__BOOL = @HAVE__BOOL@ - HAVE__EXIT = @HAVE__EXIT@ -+HTTP_PARSER_CFLAGS = @HTTP_PARSER_CFLAGS@ -+HTTP_PARSER_LIBS = @HTTP_PARSER_LIBS@ - INCLUDE_NEXT = @INCLUDE_NEXT@ - INCLUDE_NEXT_AS_FIRST_DIRECTIVE = @INCLUDE_NEXT_AS_FIRST_DIRECTIVE@ - INSTALL = @INSTALL@ -diff -ur ocserv-0.2.1.orig/tests/test1.config ocserv-0.2.1/tests/test1.config ---- ocserv-0.2.1.orig/tests/test1.config 2013-07-06 15:10:57.000000000 +0200 -+++ ocserv-0.2.1/tests/test1.config 2013-11-11 13:56:15.231784324 +0100 -@@ -132,7 +132,7 @@ - # The user the worker processes will be run as. It should be - # unique (no other services run as this user). - run-as-user = nobody --run-as-group = nogroup -+run-as-group = nobody - - # Network settings - -diff -ur ocserv-0.2.1.orig/tests/test2.config ocserv-0.2.1/tests/test2.config ---- ocserv-0.2.1.orig/tests/test2.config 2013-07-06 16:54:44.000000000 +0200 -+++ ocserv-0.2.1/tests/test2.config 2013-11-11 13:56:15.231784324 +0100 -@@ -132,7 +132,7 @@ - # The user the worker processes will be run as. It should be - # unique (no other services run as this user). 
- run-as-user = nobody --run-as-group = nogroup -+run-as-group = nobody - - # Network settings - -diff -ur ocserv-0.2.1.orig/tests/test3.config ocserv-0.2.1/tests/test3.config ---- ocserv-0.2.1.orig/tests/test3.config 2013-10-29 20:11:52.000000000 +0100 -+++ ocserv-0.2.1/tests/test3.config 2013-11-11 13:56:15.232784330 +0100 -@@ -132,7 +132,7 @@ - # The user the worker processes will be run as. It should be - # unique (no other services run as this user). - run-as-user = nobody --run-as-group = nogroup -+run-as-group = nobody - - # Network settings - -diff -ur ocserv-0.2.1.orig/tests/test-iroute ocserv-0.2.1/tests/test-iroute ---- ocserv-0.2.1.orig/tests/test-iroute 2013-10-30 12:39:28.000000000 +0100 -+++ ocserv-0.2.1/tests/test-iroute 2013-11-11 13:56:32.933878367 +0100 -@@ -35,7 +35,7 @@ - - echo -n "Checking if routes have been applied... " - --if [ ! -f test-iroute.tmp ];then -+if [ ! -f ./test-iroute.tmp ];then - fail $PID "Temporary file cannot be found" - fi - -Only in ocserv-0.2.1/tests: test-iroute~ -diff -ur ocserv-0.2.1.orig/tests/test-iroute.config ocserv-0.2.1/tests/test-iroute.config ---- ocserv-0.2.1.orig/tests/test-iroute.config 2013-10-30 12:31:33.000000000 +0100 -+++ ocserv-0.2.1/tests/test-iroute.config 2013-11-11 13:56:15.232784330 +0100 -@@ -132,7 +132,7 @@ - # The user the worker processes will be run as. It should be - # unique (no other services run as this user). - run-as-user = nobody --run-as-group = nogroup -+run-as-group = nobody - - # Network settings - -diff -ur ocserv-0.2.1.orig/tests/test-pass-script.config ocserv-0.2.1/tests/test-pass-script.config ---- ocserv-0.2.1.orig/tests/test-pass-script.config 2013-10-31 17:20:37.000000000 +0100 -+++ ocserv-0.2.1/tests/test-pass-script.config 2013-11-11 13:56:15.232784330 +0100 -@@ -132,7 +132,7 @@ - # The user the worker processes will be run as. It should be - # unique (no other services run as this user). 
- run-as-user = nobody --run-as-group = nogroup -+run-as-group = nobody - - # Network settings - diff --git a/ocserv.conf b/ocserv.conf index a8d983e..19e40fd 100644 --- a/ocserv.conf +++ b/ocserv.conf @@ -134,6 +134,18 @@ socket-file = ocserv.sock run-as-user = ocserv run-as-group = ocserv +# Set the protocol-defined priority (SO_PRIORITY) for packets to +# be sent. That is a number from 0 to 6 with 0 being the lowest +# priority. Alternatively this can be used to set the IP Type- +# Of-Service, by setting it to a hexadecimal number (e.g., 0x20). +# This can be set per user/group or globally. +#net-priority = 3 + +# Set the VPN worker process into a specific cgroup. This is Linux +# specific and can be set per user/group or globally. +#cgroup = "cpuset,cpu:test" + + # Network settings device = vpns diff --git a/ocserv.spec b/ocserv.spec index d2328ab..bc87405 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -1,6 +1,6 @@ Name: ocserv -Version: 0.2.1 -Release: 6%{?dist} +Version: 0.2.3 +Release: 1%{?dist} Summary: OpenConnect SSL VPN server # For a breakdown of the licensing, see PACKAGE-LICENSING @@ -15,8 +15,6 @@ Source4: PACKAGE-LICENSING # Taken from upstream: # http://git.infradead.org/ocserv.git/commitdiff/7d70006a2dbddf783213f1856374bacc74217e09 -Patch0: ocserv-http-parser.patch -Patch1: ocserv-tests.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildRequires: gnutls-devel 
@@ -42,28 +40,25 @@ Provides: bundled(ccan-htable) bundled(ccan-list) Provides: bundled(ccan-check_type) bundled(ccan-build_assert) %description -OpenConnect server (ocserv) is an SSL VPN server. Its purpose is to be -a secure, small, fast and configurable VPN server that uses standard -protocols such as TLS 1.2, and Datagram TLS. It implements the -OpenConnect SSL VPN protocol, which is compatible with the AnyConnect -SSL VPN protocol. +OpenConnect server (ocserv) is an SSL VPN server. Its purpose is to be a +secure, small, fast and configurable VPN server. It implements the OpenConnect +SSL VPN protocol, and has also (currently experimental) compatibility with +clients using the AnyConnect SSL VPN protocol. The OpenConnect VPN protocol +uses the standard IETF security protocols such as TLS 1.2, and Datagram TLS +to provide the secure VPN service. %prep %setup -q -%patch0 -p1 -%patch1 -p1 rm -f src/http-parser/http_parser.c src/http-parser/http_parser.h rm -f libopts/*.c libopts/*.h libopts/*/*.c libopts/*/*.h rm -f src/pcl/*.c src/pcl/*.h sed -i 's|/etc/ocserv.conf|/etc/ocserv/ocserv.conf|g' src/config.c +sed -i 's/run-as-group = nogroup/run-as-group = nobody/g' tests/*.config # GPLv3 in headers was a gnulib bug: # http://lists.gnu.org/archive/html/bug-gnulib/2013-11/msg00062.html sed -i 's/either version 3 of the License/either version 2 of the License/g' build-aux/snippet/* -# remove GPLv3 components -rm -f tests/test-* tests/common.sh %build -autoreconf -fi %configure @@ -119,6 +114,10 @@ rm -rf %{buildroot} %{_unitdir}/ocserv.service %changelog +* Mon Dec 16 2013 Nikos Mavrogiannopoulos - 0.2.3-1 +- Updated to latest upstream version (0.2.3). +- Corrected the chroot directory in config file. + * Fri Dec 6 2013 Nikos Mavrogiannopoulos - 0.2.1-6 - Added exception for the bundling of CCAN components. diff --git a/sources b/sources index 84447ec..8e4e1da 100644 --- a/sources +++ b/sources 
@@ -1 +1 @@ -99f239f796c9d29746e307e6a51999f0 ocserv-0.2.1.tar.xz +8ea3cd7decf8a95f96e41f6a2ea5152c ocserv-0.2.3.tar.xz From 3dc34d462651279ce8c293819dee2485ef8ce758 Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Mon, 27 Jan 2014 10:43:16 +0100 Subject: [PATCH 007/177] updated to ocserv 0.3.0 --- .gitignore | 1 + ocserv.conf | 13 +++++++---- ocserv.service | 4 +++- ocserv.spec | 47 ++++++++++++++++++++++++++++++++++++--- org.infradead.ocserv.conf | 14 ++++++++++++ sources | 2 +- 6 files changed, 72 insertions(+), 9 deletions(-) create mode 100644 org.infradead.ocserv.conf diff --git a/.gitignore b/.gitignore index 3475ef7..a04b424 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,3 @@ /ocserv-0.2.1.tar.xz /ocserv-0.2.3.tar.xz +/ocserv-0.3.0.tar.xz diff --git a/ocserv.conf b/ocserv.conf index 19e40fd..53e1af5 100644 --- a/ocserv.conf +++ b/ocserv.conf @@ -43,8 +43,8 @@ try-mtu-discovery = false # # There may be multiple certificate and key pairs and each key # should correspond to the preceding certificate. -server-cert = /etc/ocserv/server.crt -server-key = /etc/ocserv/server.key +server-cert = /etc/pki/ocserv/public/server.crt +server-key = /etc/pki/ocserv/private/server.key # Diffie-Hellman parameters. Only needed if you require support # for the DHE ciphersuites (by default this server supports ECDHE). @@ -70,7 +70,7 @@ server-key = /etc/ocserv/server.key # The Certificate Authority that will be used # to verify clients if certificate authentication # is set. -#ca-cert = /etc/ocserv/ca.crt +ca-cert = /etc/pki/ocserv/cacerts/ca.crt # The object identifier that will be used to read the user ID in the client certificate. # The object identifier should be part of the certificate's DN 
@@ -116,6 +116,11 @@ cookie-validity = 172800 #connect-script = /usr/bin/myscript #disconnect-script = /usr/bin/myscript +# D-BUS usage. If disabled occtl tool cannot be used. If enabled +# then ocserv must have access to register org.infradead.ocserv +# D-BUS service. See doc/dbus/org.infradead.ocserv.conf +use-dbus = true + # UTMP use-utmp = true @@ -223,5 +228,5 @@ route-del-cmd = "ip route delete %R dev %D" # certificate even if they are authenticating via a previously granted # cookie. Legacy CISCO clients do not do that, and thus this option # should be set for them. -#always-require-cert = false +cisco-client-compat = true diff --git a/ocserv.service b/ocserv.service index 3b39466..86fca91 100644 --- a/ocserv.service +++ b/ocserv.service @@ -1,7 +1,9 @@ [Unit] Description=OpenConnect SSL VPN server Documentation=man:ocserv(8) -After=syslog.target network.target +After=syslog.target +After=network.target +After=dbus.service [Service] PrivateTmp=true diff --git a/ocserv.spec b/ocserv.spec index bc87405..c477f2a 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -1,5 +1,5 @@ Name: ocserv -Version: 0.2.3 +Version: 0.3.0 Release: 1%{?dist} Summary: OpenConnect SSL VPN server @@ -12,6 +12,7 @@ Source1: ocserv.conf Source2: ocserv.service Source3: ocserv-pamd.conf Source4: PACKAGE-LICENSING +Source5: org.infradead.ocserv.conf # Taken from upstream: # http://git.infradead.org/ocserv.git/commitdiff/7d70006a2dbddf783213f1856374bacc74217e09 @@ -22,10 +23,15 @@ BuildRequires: pam-devel BuildRequires: iproute BuildRequires: systemd BuildRequires: autogen-libopts-devel +BuildRequires: protobuf-c-devel +BuildRequires: libnl3-devel +BuildRequires: readline-devel +BuildRequires: dbus-devel BuildRequires: autogen BuildRequires: pcllib-devel, http-parser-devel, tcp_wrappers-devel BuildRequires: automake, autoconf +Requires: gnutls-utils Requires: iproute Requires: pam Requires(pre): shadow-utils 
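Review bot: The comment block above the new `cisco-client-compat = true` still describes the removed `always-require-cert` option ("Unless set to false it is required for clients to present their certificate ..."), so a reader now sees a `true` value under text that explains what `false` meant. Reword it for the new key, e.g. `# Enable compatibility with legacy Cisco AnyConnect clients, which do not present their certificate when reconnecting with a cookie.`, and, if it carries the same semantics as the old option, say that enabling it relaxes the certificate check for those clients so sites relying on client certificates should leave it off.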
@@ -50,11 +56,12 @@ to provide the secure VPN service. %prep %setup -q rm -f src/http-parser/http_parser.c src/http-parser/http_parser.h +rm -rf src/protobuf/ rm -f libopts/*.c libopts/*.h libopts/*/*.c libopts/*/*.h rm -f src/pcl/*.c src/pcl/*.h sed -i 's|/etc/ocserv.conf|/etc/ocserv/ocserv.conf|g' src/config.c sed -i 's/run-as-group = nogroup/run-as-group = nobody/g' tests/*.config -# GPLv3 in headers was a gnulib bug: +# GPLv3 in headers is a gnulib bug: # http://lists.gnu.org/archive/html/bug-gnulib/2013-11/msg00062.html sed -i 's/either version 3 of the License/either version 2 of the License/g' build-aux/snippet/* 
@@ -64,13 +71,41 @@ sed -i 's/either version 3 of the License/either version 2 of the License/g' bui # disable the smp_mflags until an issue with the dependencies in the # autogen'erated files is fixed -make #%{?_smp_mflags} +make %{?_smp_mflags} %pre getent group ocserv &>/dev/null || groupadd -r ocserv getent passwd ocserv &>/dev/null || \ /usr/sbin/useradd -r -g ocserv -s /sbin/nologin -c ocserv \ -d /var/lib/ocserv ocserv +mkdir -p %{_sysconfdir}/pki/ocserv/public +mkdir -p -m 700 %{_sysconfdir}/pki/ocserv/private +mkdir -p %{_sysconfdir}/pki/ocserv/cacerts +#generate CA certificate/key +if test ! -f %{_sysconfdir}/pki/ocserv/private/ca.key;then +certtool --generate-privkey --outfile %{_sysconfdir}/pki/ocserv/private/ca.key +echo "cn=`hostname -f` CA" >%{_sysconfdir}/pki/ocserv/ca.tmpl +echo "serial=1" >>%{_sysconfdir}/pki/ocserv/ca.tmpl +echo "ca" >>%{_sysconfdir}/pki/ocserv/ca.tmpl +echo "cert_signing_key" >>%{_sysconfdir}/pki/ocserv/ca.tmpl +certtool --template %{_sysconfdir}/pki/ocserv/ca.tmpl \ + --generate-self-signed --load-privkey %{_sysconfdir}/pki/ocserv/private/ca.key \ + --outfile %{_sysconfdir}/pki/ocserv/cacerts/ca.crt +#rm -f %{_sysconfdir}/pki/ocserv/ca.tmpl +fi +#generate server certificate/key +if test ! 
-f %{_sysconfdir}/pki/ocserv/private/server.key;then +certtool --generate-privkey --outfile %{_sysconfdir}/pki/ocserv/private/server.key +echo "cn=`hostname -f`" >%{_sysconfdir}/pki/ocserv/server.tmpl +echo "serial=2" >>%{_sysconfdir}/pki/ocserv/server.tmpl +echo "signing_key" >>%{_sysconfdir}/pki/ocserv/server.tmpl +echo "encryption_key" >>%{_sysconfdir}/pki/ocserv/server.tmpl +certtool --template %{_sysconfdir}/pki/ocserv/server.tmpl \ + --generate-certificate --load-privkey %{_sysconfdir}/pki/ocserv/private/server.key \ + --load-ca-certificate %{_sysconfdir}/pki/ocserv/cacerts/ca.crt --load-ca-privkey \ + %{_sysconfdir}/pki/ocserv/private/ca.key --outfile %{_sysconfdir}/pki/ocserv/public/server.crt +#rm -f %{_sysconfdir}/pki/ocserv/server.tmpl +fi %post %systemd_post ocserv.service @@ -88,6 +123,8 @@ mkdir -p %{buildroot}/%{_sysconfdir}/pam.d/ mkdir -p %{buildroot}/%{_sysconfdir}/ocserv/ install -p -m 644 %{SOURCE3} %{buildroot}/%{_sysconfdir}/pam.d/ocserv install -p -m 644 %{SOURCE1} %{buildroot}/%{_sysconfdir}/ocserv/ +mkdir -p %{buildroot}/%{_sysconfdir}/dbus-1/system.d/ +install -p -m 644 %{SOURCE5} %{buildroot}/%{_sysconfdir}/dbus-1/system.d/ mkdir -p %{buildroot}/%{_unitdir} install -p -m 644 %{SOURCE2} %{buildroot}/%{_unitdir} mkdir -p %{buildroot}/var/lib/ocserv/ @@ -103,13 +140,17 @@ rm -rf %{buildroot} %dir %{_sysconfdir}/ocserv %config(noreplace) %{_sysconfdir}/ocserv/ocserv.conf +%config(noreplace) %{_sysconfdir}/dbus-1/system.d/org.infradead.ocserv.conf %config(noreplace) %{_sysconfdir}/pam.d/ocserv + %doc AUTHORS ChangeLog NEWS COPYING LICENSE README TODO PACKAGE-LICENSING %doc src/ccan/licenses/CC0 src/ccan/licenses/LGPL-2.1 src/ccan/licenses/BSD-MIT %{_mandir}/man8/ocserv.8* +%{_mandir}/man8/occtl.8* %{_mandir}/man8/ocpasswd.8* %{_bindir}/ocpasswd +%{_bindir}/occtl %{_sbindir}/ocserv %{_unitdir}/ocserv.service diff --git a/org.infradead.ocserv.conf b/org.infradead.ocserv.conf new file mode 100644 index 0000000..8c69f93 --- /dev/null 
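Review bot: The new `%pre` block depends on `certtool`, but the commit only adds `Requires: gnutls-utils`, which does not order gnutls-utils before this package's `%pre`; on a fresh install the tool can be missing, the scriptlet fails, and the `/etc/pki/ocserv` paths this commit hardcodes into ocserv.conf are never created, so the dependency should be `Requires(pre): gnutls-utils`. Generating the CA and server keys at package-install time also means every image or VM template built from the package bakes in its own CA signing key, kept on the VPN host beside the server key it signs and trusted for client authentication through the new `ca-cert` line; generating on first start (an `ExecStartPre=` or a helper unit) or leaving it to the administrator keeps that key out of golden images and makes rotation a documented step. `mkdir -p -m 700` sets the mode only when `private/` is newly created, and unless certtool restricts the mode itself the key files inherit the scriptlet's umask, so the keys rely entirely on the directory mode for protection; the commented-out `#rm -f ... .tmpl` lines also leave the templates behind in `/etc/pki/ocserv`. A header comment for the block, e.g. `# Bootstrap a local CA and server certificate once; keys live under private/ (0700) and are never regenerated`, would record these assumptions for the next packager.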
+++ b/org.infradead.ocserv.conf @@ -0,0 +1,14 @@ + + + + + + + + + + + + diff --git a/sources b/sources index 8e4e1da..a5c1666 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -8ea3cd7decf8a95f96e41f6a2ea5152c ocserv-0.2.3.tar.xz +f6d64451ac8c458c7bdd40ee8ff51192 ocserv-0.3.0.tar.xz From a54d692ba315ab4849601ea073dfc04487ed775f Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Mon, 27 Jan 2014 10:44:33 +0100 Subject: [PATCH 008/177] added changelog entry --- ocserv.spec | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/ocserv.spec b/ocserv.spec index c477f2a..f8290bb 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -155,6 +155,10 @@ rm -rf %{buildroot} %{_unitdir}/ocserv.service %changelog +* Mon Jan 27 2014 Nikos Mavrogiannopoulos - 0.3.0-1 +- Updated to latest upstream version (0.3.0). +- Certificates and private keys are auto-generated. + * Mon Dec 16 2013 Nikos Mavrogiannopoulos - 0.2.3-1 - Updated to latest upstream version (0.2.3). - Corrected the chroot directory in config file. From c95eb0798ce01283f778883722a3d305d35fe5cd Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Mon, 27 Jan 2014 11:23:57 +0100 Subject: [PATCH 009/177] do not output anything when generating certificates --- ocserv.spec | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/ocserv.spec b/ocserv.spec index f8290bb..c0c3ea8 100644 --- a/ocserv.spec +++ b/ocserv.spec 
@@ -83,19 +83,19 @@ mkdir -p -m 700 %{_sysconfdir}/pki/ocserv/private mkdir -p %{_sysconfdir}/pki/ocserv/cacerts #generate CA certificate/key if test ! -f %{_sysconfdir}/pki/ocserv/private/ca.key;then -certtool --generate-privkey --outfile %{_sysconfdir}/pki/ocserv/private/ca.key +certtool --generate-privkey --outfile %{_sysconfdir}/pki/ocserv/private/ca.key >/dev/null 2>&1 echo "cn=`hostname -f` CA" >%{_sysconfdir}/pki/ocserv/ca.tmpl echo "serial=1" >>%{_sysconfdir}/pki/ocserv/ca.tmpl echo "ca" >>%{_sysconfdir}/pki/ocserv/ca.tmpl echo "cert_signing_key" >>%{_sysconfdir}/pki/ocserv/ca.tmpl certtool --template %{_sysconfdir}/pki/ocserv/ca.tmpl \ --generate-self-signed --load-privkey %{_sysconfdir}/pki/ocserv/private/ca.key \ - --outfile %{_sysconfdir}/pki/ocserv/cacerts/ca.crt + --outfile %{_sysconfdir}/pki/ocserv/cacerts/ca.crt >/dev/null 2>&1 #rm -f %{_sysconfdir}/pki/ocserv/ca.tmpl fi #generate server certificate/key if test ! -f %{_sysconfdir}/pki/ocserv/private/server.key;then -certtool --generate-privkey --outfile %{_sysconfdir}/pki/ocserv/private/server.key +certtool --generate-privkey --outfile %{_sysconfdir}/pki/ocserv/private/server.key >/dev/null 2>&1 echo "cn=`hostname -f`" >%{_sysconfdir}/pki/ocserv/server.tmpl echo "serial=2" >>%{_sysconfdir}/pki/ocserv/server.tmpl echo "signing_key" >>%{_sysconfdir}/pki/ocserv/server.tmpl @@ -103,7 +103,7 @@ echo "encryption_key" >>%{_sysconfdir}/pki/ocserv/server.tmpl certtool --template %{_sysconfdir}/pki/ocserv/server.tmpl \ --generate-certificate --load-privkey %{_sysconfdir}/pki/ocserv/private/server.key \ --load-ca-certificate %{_sysconfdir}/pki/ocserv/cacerts/ca.crt --load-ca-privkey \ - %{_sysconfdir}/pki/ocserv/private/ca.key --outfile %{_sysconfdir}/pki/ocserv/public/server.crt + %{_sysconfdir}/pki/ocserv/private/ca.key --outfile %{_sysconfdir}/pki/ocserv/public/server.crt >/dev/null 2>&1 #rm -f %{_sysconfdir}/pki/ocserv/server.tmpl fi From 9d295c61755fa20212aa690a72cd6ccad50690da Mon Sep 17 00:00:00 2001 
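Review bot: Appending `>/dev/null 2>&1` to each certtool invocation also discards stderr, which is the only signal that key or certificate generation failed; a failure in the CA steps is masked by the commands that follow, and a failure in the final certtool makes `%pre` abort the install with no indication of why. Redirect only stdout (`>/dev/null`) so errors still reach the installer's output, or verify the result explicitly, e.g. `test -s %{_sysconfdir}/pki/ocserv/private/ca.key || echo "ocserv: CA key generation failed" >&2`. The same applies to the server-key hunk below (`@@ -103,7 +103,7 @@`).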
From: Nikos Mavrogiannopoulos Date: Mon, 27 Jan 2014 11:45:34 +0100 Subject: [PATCH 010/177] more uniform handling of buildrequires --- ocserv.spec | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ocserv.spec b/ocserv.spec index c0c3ea8..bc27917 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -28,7 +28,9 @@ BuildRequires: libnl3-devel BuildRequires: readline-devel BuildRequires: dbus-devel BuildRequires: autogen -BuildRequires: pcllib-devel, http-parser-devel, tcp_wrappers-devel +BuildRequires: pcllib-devel +BuildRequires: http-parser-devel +BuildRequires: tcp_wrappers-devel BuildRequires: automake, autoconf Requires: gnutls-utils @@ -69,8 +71,6 @@ sed -i 's/either version 3 of the License/either version 2 of the License/g' bui %configure -# disable the smp_mflags until an issue with the dependencies in the -# autogen'erated files is fixed make %{?_smp_mflags} %pre From fcdc556224ad1d94ae5c2fcc017f45e9b5a503f4 Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Wed, 29 Jan 2014 09:35:20 +0100 Subject: [PATCH 011/177] remove expiration date by default --- ocserv.spec | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/ocserv.spec b/ocserv.spec index bc27917..03521cb 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -85,6 +85,7 @@ mkdir -p %{_sysconfdir}/pki/ocserv/cacerts if test ! -f %{_sysconfdir}/pki/ocserv/private/ca.key;then certtool --generate-privkey --outfile %{_sysconfdir}/pki/ocserv/private/ca.key >/dev/null 2>&1 echo "cn=`hostname -f` CA" >%{_sysconfdir}/pki/ocserv/ca.tmpl +echo "expiration_days=-1" >>%{_sysconfdir}/pki/ocserv/ca.tmpl echo "serial=1" >>%{_sysconfdir}/pki/ocserv/ca.tmpl echo "ca" >>%{_sysconfdir}/pki/ocserv/ca.tmpl echo "cert_signing_key" >>%{_sysconfdir}/pki/ocserv/ca.tmpl 
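Review bot: `expiration_days=-1` gives the auto-generated CA certificate (and, in the second hunk `@@ -98,6 +99,7 @@`, the server certificate) no expiry at all, so nothing ever forces rotation of a CA key that the 0.3.0 update keeps on the VPN host and that `ca-cert` trusts for client authentication; the changelog records the change but not the reason. Prefer a bounded lifetime (for example `expiration_days=3650` for the CA and a shorter value for the server certificate; these numbers are illustrative, not from upstream), or, if unbounded validity is intended, add a comment such as `# no expiry: rotation of the auto-generated CA is left to the administrator` so the choice is visible in the spec.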
@@ -98,6 +99,7 @@ if test ! -f %{_sysconfdir}/pki/ocserv/private/server.key;then certtool --generate-privkey --outfile %{_sysconfdir}/pki/ocserv/private/server.key >/dev/null 2>&1 echo "cn=`hostname -f`" >%{_sysconfdir}/pki/ocserv/server.tmpl echo "serial=2" >>%{_sysconfdir}/pki/ocserv/server.tmpl +echo "expiration_days=-1" >>%{_sysconfdir}/pki/ocserv/server.tmpl echo "signing_key" >>%{_sysconfdir}/pki/ocserv/server.tmpl echo "encryption_key" >>%{_sysconfdir}/pki/ocserv/server.tmpl certtool --template %{_sysconfdir}/pki/ocserv/server.tmpl \ @@ -155,6 +157,9 @@ rm -rf %{buildroot} %{_unitdir}/ocserv.service %changelog +* Wed Jan 29 2014 Nikos Mavrogiannopoulos - 0.3.0-2 +- Generated certificates no longer carry an expiration date. + * Mon Jan 27 2014 Nikos Mavrogiannopoulos - 0.3.0-1 - Updated to latest upstream version (0.3.0). - Certificates and private keys are auto-generated. From ad60bc84c8923a0ee26a2c36476e24caa6d72d33 Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Wed, 29 Jan 2014 09:36:02 +0100 Subject: [PATCH 012/177] bumped version --- ocserv.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ocserv.spec b/ocserv.spec index 03521cb..76af3da 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -1,6 +1,6 @@ Name: ocserv Version: 0.3.0 -Release: 1%{?dist} +Release: 2%{?dist} Summary: OpenConnect SSL VPN server # For a breakdown of the licensing, see PACKAGE-LICENSING From 4835271e779ec8d33c343f5f77ea3e094480430d Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Mon, 17 Feb 2014 08:27:55 +0100 Subject: [PATCH 013/177] new upstream release --- .gitignore | 1 + ocserv.conf | 14 +++++++------- ocserv.spec | 7 +++++-- sources | 2 +- 4 files changed, 14 insertions(+), 10 deletions(-) diff --git a/.gitignore b/.gitignore index a04b424..00aafc8 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,4 @@ /ocserv-0.2.1.tar.xz /ocserv-0.2.3.tar.xz /ocserv-0.3.0.tar.xz +/ocserv-0.3.1.tar.xz 
diff --git a/ocserv.conf b/ocserv.conf index 53e1af5..9e452c8 100644 --- a/ocserv.conf +++ b/ocserv.conf @@ -30,6 +30,9 @@ udp-port = 4443 # Keepalive in seconds keepalive = 32400 +# Rekey time in seconds +rekey-time 172800 + # Dead peer detection in seconds dpd = 60 @@ -160,18 +163,15 @@ device = vpns #ipv4-network = 192.168.1.0 #ipv4-netmask = 255.255.255.0 -# Use the keywork local to advertize the local P-t-P address as DNS server -# ipv4-dns = 192.168.2.1 -#ipv4-dns = local +#ipv4-dns = 192.168.2.1 # The NBNS server (if any) #ipv4-nbns = 192.168.2.3 -#ipv6-address = -#ipv6-dns = - -# The IPv6 subnet prefix +# The IPv6 subnet +#ipv6-network = #ipv6-prefix = +#ipv6-dns = # Prior to leasing any IP from the pool ping it to verify that # it is not in use by another (unrelated to this server) host. diff --git a/ocserv.spec b/ocserv.spec index 76af3da..f0f92af 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -1,6 +1,6 @@ Name: ocserv -Version: 0.3.0 -Release: 2%{?dist} +Version: 0.3.1 +Release: 1%{?dist} Summary: OpenConnect SSL VPN server # For a breakdown of the licensing, see PACKAGE-LICENSING @@ -157,6 +157,9 @@ rm -rf %{buildroot} %{_unitdir}/ocserv.service %changelog +* Mon Feb 17 2014 Nikos Mavrogiannopoulos - 0.3.1-1 +- new upstream release + * Wed Jan 29 2014 Nikos Mavrogiannopoulos - 0.3.0-2 - Generated certificates no longer carry an expiration date. diff --git a/sources b/sources index a5c1666..d6781a1 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -f6d64451ac8c458c7bdd40ee8ff51192 ocserv-0.3.0.tar.xz +22bd81fd4f60e27fe85aac8fd73dada3 ocserv-0.3.1.tar.xz From 8afbd5807d30cc1e88c0a4e1dbc038ce3f5d2e94 Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Mon, 17 Feb 2014 08:36:36 +0100 Subject: [PATCH 014/177] fixes in default config --- ocserv.conf | 4 ++-- ocserv.spec | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/ocserv.conf b/ocserv.conf index 9e452c8..4b523d2 100644 --- a/ocserv.conf +++ b/ocserv.conf 
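Review bot: The added `rekey-time 172800` has no `=` between key and value, unlike every other option in the file (`keepalive = 32400` and `dpd = 60` in the same hunk), so the line does not follow the file's `key = value` syntax and is likely rejected or silently ignored by the parser; a later patch in this series rewrites it as `rekey-time = 172800`. Write it as `rekey-time = 172800` here so the default config does not ship a malformed line across releases. Whether ocserv's parser tolerates the missing `=` is not visible on this page.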
@@ -163,7 +163,7 @@ device = vpns #ipv4-network = 192.168.1.0 #ipv4-netmask = 255.255.255.0 -#ipv4-dns = 192.168.2.1 +#dns = 192.168.2.1 # The NBNS server (if any) #ipv4-nbns = 192.168.2.3 @@ -171,7 +171,7 @@ device = vpns # The IPv6 subnet #ipv6-network = #ipv6-prefix = -#ipv6-dns = +#dns = # Prior to leasing any IP from the pool ping it to verify that # it is not in use by another (unrelated to this server) host. diff --git a/ocserv.spec b/ocserv.spec index f0f92af..29ce110 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -1,6 +1,6 @@ Name: ocserv Version: 0.3.1 -Release: 1%{?dist} +Release: 2%{?dist} Summary: OpenConnect SSL VPN server # For a breakdown of the licensing, see PACKAGE-LICENSING @@ -157,7 +157,7 @@ rm -rf %{buildroot} %{_unitdir}/ocserv.service %changelog -* Mon Feb 17 2014 Nikos Mavrogiannopoulos - 0.3.1-1 +* Mon Feb 17 2014 Nikos Mavrogiannopoulos - 0.3.1-2 - new upstream release * Wed Jan 29 2014 Nikos Mavrogiannopoulos - 0.3.0-2 From 2e7890b870be1458e94c2326d5864a6329318add Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Mon, 17 Feb 2014 08:42:45 +0100 Subject: [PATCH 015/177] more config updates --- ocserv.conf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ocserv.conf b/ocserv.conf index 4b523d2..43391e2 100644 --- a/ocserv.conf +++ b/ocserv.conf @@ -166,7 +166,7 @@ device = vpns #dns = 192.168.2.1 # The NBNS server (if any) -#ipv4-nbns = 192.168.2.3 +#nbns = 192.168.2.3 # The IPv6 subnet #ipv6-network = 
@@ -196,8 +196,8 @@ output-buffer = 100 # Configuration files that will be applied per user connection or # per group. Each file name on these directories must match the username # or the groupname. -# The options allowed in the configuration files are ipv?-dns, ipv?-nbns, -# ipv?-network, ipv?-netmask, ipv6-prefix, iroute and route. +# The options allowed in the configuration files are dns, nbns, +# ipv?-network, ipv4-netmask, ipv6-prefix, iroute and route. # # Note that the 'iroute' option allows to add routes on the server # based on a user or group. The syntax depends on the input accepted From 50490ebb14fba43b79922972c1efb06ea53a94d4 Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Mon, 17 Feb 2014 15:52:29 +0100 Subject: [PATCH 016/177] Added missing profile file. --- ocserv.conf | 2 +- ocserv.spec | 18 ++++++++++++------ profile.xml | 32 ++++++++++++++++++++++++++++++++ 3 files changed, 45 insertions(+), 7 deletions(-) create mode 100644 profile.xml diff --git a/ocserv.conf b/ocserv.conf index 43391e2..36d4987 100644 --- a/ocserv.conf +++ b/ocserv.conf @@ -222,7 +222,7 @@ route-del-cmd = "ip route delete %R dev %D" # Client profile xml. A sample file exists in doc/profile.xml. # This file must be accessible from inside the worker's chroot. # The profile is ignored by the openconnect client. -#user-profile = profile.xml +user-profile = profile.xml # Unless set to false it is required for clients to present their # certificate even if they are authenticating via a previously granted diff --git a/ocserv.spec b/ocserv.spec index 29ce110..1655528 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -1,6 +1,6 @@ Name: ocserv Version: 0.3.1 -Release: 2%{?dist} +Release: 3%{?dist} Summary: OpenConnect SSL VPN server # For a breakdown of the licensing, see PACKAGE-LICENSING 
@@ -13,6 +13,7 @@ Source2: ocserv.service Source3: ocserv-pamd.conf Source4: PACKAGE-LICENSING Source5: org.infradead.ocserv.conf +Source6: profile.xml # Taken from upstream: # http://git.infradead.org/ocserv.git/commitdiff/7d70006a2dbddf783213f1856374bacc74217e09 @@ -77,7 +78,7 @@ make %{?_smp_mflags} getent group ocserv &>/dev/null || groupadd -r ocserv getent passwd ocserv &>/dev/null || \ /usr/sbin/useradd -r -g ocserv -s /sbin/nologin -c ocserv \ - -d /var/lib/ocserv ocserv + -d %{_localstatedir}/lib/ocserv ocserv mkdir -p %{_sysconfdir}/pki/ocserv/public mkdir -p -m 700 %{_sysconfdir}/pki/ocserv/private mkdir -p %{_sysconfdir}/pki/ocserv/cacerts @@ -129,7 +130,9 @@ mkdir -p %{buildroot}/%{_sysconfdir}/dbus-1/system.d/ install -p -m 644 %{SOURCE5} %{buildroot}/%{_sysconfdir}/dbus-1/system.d/ mkdir -p %{buildroot}/%{_unitdir} install -p -m 644 %{SOURCE2} %{buildroot}/%{_unitdir} -mkdir -p %{buildroot}/var/lib/ocserv/ +mkdir -p %{buildroot}%{_localstatedir}/lib/ocserv/ +#install -p -m 644 doc/profile.xml %{buildroot}%{_localstatedir}/lib/ocserv/ +install -p -m 644 %{SOURCE6} %{buildroot}%{_localstatedir}/lib/ocserv/ %make_install %clean @@ -138,16 +141,15 @@ rm -rf %{buildroot} %files %defattr(-,root,root,-) -%dir /var/lib/ocserv +%dir %{_localstatedir}/lib/ocserv %dir %{_sysconfdir}/ocserv %config(noreplace) %{_sysconfdir}/ocserv/ocserv.conf %config(noreplace) %{_sysconfdir}/dbus-1/system.d/org.infradead.ocserv.conf %config(noreplace) %{_sysconfdir}/pam.d/ocserv - %doc AUTHORS ChangeLog NEWS COPYING LICENSE README TODO PACKAGE-LICENSING -%doc src/ccan/licenses/CC0 src/ccan/licenses/LGPL-2.1 src/ccan/licenses/BSD-MIT +%doc src/ccan/licenses/CC0 src/ccan/licenses/LGPL-2.1 src/ccan/licenses/BSD-MIT %{_mandir}/man8/ocserv.8* %{_mandir}/man8/occtl.8* %{_mandir}/man8/ocpasswd.8* 
@@ -155,8 +157,12 @@ rm -rf %{buildroot} %{_bindir}/occtl %{_sbindir}/ocserv %{_unitdir}/ocserv.service +%{_localstatedir}/lib/ocserv/profile.xml %changelog +#* xxx xxx xx 2014 Nikos Mavrogiannopoulos - 0.3.1-3 +#- Added missing profile.xml + * Mon Feb 17 2014 Nikos Mavrogiannopoulos - 0.3.1-2 - new upstream release diff --git a/profile.xml b/profile.xml new file mode 100644 index 0000000..3ceb4d7 --- /dev/null +++ b/profile.xml @@ -0,0 +1,32 @@ + + + + + false + false + false + IPSec + true + AllowRemoteUsers + pinAllowed + + + Digital_Signature + + + ClientAuth + + + + + localhost + + + + + + VPN Server + localhost + + + From bacae63f2cf499f5261c41d6c36b3e0cf716758b Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Fri, 14 Mar 2014 17:02:34 +0100 Subject: [PATCH 017/177] new upstream release --- .gitignore | 1 + ocserv.spec | 12 +++++------- profile.xml | 32 -------------------------------- sources | 2 +- 4 files changed, 7 insertions(+), 40 deletions(-) delete mode 100644 profile.xml diff --git a/.gitignore b/.gitignore index 00aafc8..fc8515f 100644 --- a/.gitignore +++ b/.gitignore @@ -2,3 +2,4 @@ /ocserv-0.2.3.tar.xz /ocserv-0.3.0.tar.xz /ocserv-0.3.1.tar.xz +/ocserv-0.3.2.tar.xz diff --git a/ocserv.spec b/ocserv.spec index 1655528..2d75d7f 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -1,6 +1,6 @@ Name: ocserv -Version: 0.3.1 -Release: 3%{?dist} +Version: 0.3.2 +Release: 1%{?dist} Summary: OpenConnect SSL VPN server # For a breakdown of the licensing, see PACKAGE-LICENSING @@ -13,7 +13,6 @@ Source2: ocserv.service Source3: ocserv-pamd.conf Source4: PACKAGE-LICENSING Source5: org.infradead.ocserv.conf -Source6: profile.xml # Taken from upstream: # http://git.infradead.org/ocserv.git/commitdiff/7d70006a2dbddf783213f1856374bacc74217e09 
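Review bot: The changelog gets a commented-out placeholder, `#* xxx xxx xx 2014 Nikos Mavrogiannopoulos - 0.3.1-3` / `#- Added missing profile.xml`, while the same commit bumps `Release` to 3, so the new release has no changelog entry and the placeholder date would have to be remembered and fixed later. Either write the real dated entry now or leave both the Release bump and the entry for the commit that finishes the change; a disabled entry with a dummy date is the worst of both.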
@@ -131,8 +130,7 @@ install -p -m 644 %{SOURCE5} %{buildroot}/%{_sysconfdir}/dbus-1/system.d/ mkdir -p %{buildroot}/%{_unitdir} install -p -m 644 %{SOURCE2} %{buildroot}/%{_unitdir} mkdir -p %{buildroot}%{_localstatedir}/lib/ocserv/ -#install -p -m 644 doc/profile.xml %{buildroot}%{_localstatedir}/lib/ocserv/ -install -p -m 644 %{SOURCE6} %{buildroot}%{_localstatedir}/lib/ocserv/ +install -p -m 644 doc/profile.xml %{buildroot}%{_localstatedir}/lib/ocserv/ %make_install %clean @@ -160,8 +158,8 @@ rm -rf %{buildroot} %{_localstatedir}/lib/ocserv/profile.xml %changelog -#* xxx xxx xx 2014 Nikos Mavrogiannopoulos - 0.3.1-3 -#- Added missing profile.xml +* Fri Mar 14 2014 Nikos Mavrogiannopoulos - 0.3.2-1 +- New upstream release * Mon Feb 17 2014 Nikos Mavrogiannopoulos - 0.3.1-2 - new upstream release diff --git a/profile.xml b/profile.xml deleted file mode 100644 index 3ceb4d7..0000000 --- a/profile.xml +++ /dev/null @@ -1,32 +0,0 @@ - - - - - false - false - false - IPSec - true - AllowRemoteUsers - pinAllowed - - - Digital_Signature - - - ClientAuth - - - - - localhost - - - - - - VPN Server - localhost - - - diff --git a/sources b/sources index d6781a1..1ca45d0 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -22bd81fd4f60e27fe85aac8fd73dada3 ocserv-0.3.1.tar.xz +c2cc1ddce632b725f5b82964824e6762 ocserv-0.3.2.tar.xz From 502c2d23e46de6ccad2ce6e794dda140656cb8e3 Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Thu, 10 Apr 2014 14:43:02 +0200 Subject: [PATCH 018/177] new upstream release --- .gitignore | 1 + ocserv.spec | 5 ++++- sources | 2 +- 3 files changed, 6 insertions(+), 2 deletions(-) diff --git a/.gitignore b/.gitignore index fc8515f..191c200 100644 --- a/.gitignore +++ b/.gitignore @@ -3,3 +3,4 @@ /ocserv-0.3.0.tar.xz /ocserv-0.3.1.tar.xz /ocserv-0.3.2.tar.xz +/ocserv-0.3.3.tar.xz diff --git a/ocserv.spec b/ocserv.spec index 2d75d7f..6929179 100644 --- a/ocserv.spec +++ b/ocserv.spec 
@@ -1,5 +1,5 @@ Name: ocserv -Version: 0.3.2 +Version: 0.3.3 Release: 1%{?dist} Summary: OpenConnect SSL VPN server @@ -158,6 +158,9 @@ rm -rf %{buildroot} %{_localstatedir}/lib/ocserv/profile.xml %changelog +* Thu Apr 10 2014 Nikos Mavrogiannopoulos - 0.3.3-1 +- New upstream release + * Fri Mar 14 2014 Nikos Mavrogiannopoulos - 0.3.2-1 - New upstream release diff --git a/sources b/sources index 1ca45d0..4b92dd3 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -c2cc1ddce632b725f5b82964824e6762 ocserv-0.3.2.tar.xz +47ac15222048744c40dcaae153c2a9db ocserv-0.3.3.tar.xz From c437e0ae339c493fee4aecbc472e6d06b8cd1d6c Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Fri, 2 May 2014 13:54:34 +0200 Subject: [PATCH 019/177] new upstream release --- .gitignore | 1 + ocserv.spec | 5 ++++- sources | 2 +- 3 files changed, 6 insertions(+), 2 deletions(-) diff --git a/.gitignore b/.gitignore index 191c200..ce73977 100644 --- a/.gitignore +++ b/.gitignore @@ -4,3 +4,4 @@ /ocserv-0.3.1.tar.xz /ocserv-0.3.2.tar.xz /ocserv-0.3.3.tar.xz +/ocserv-0.3.4.tar.xz diff --git a/ocserv.spec b/ocserv.spec index 6929179..85580dc 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -1,5 +1,5 @@ Name: ocserv -Version: 0.3.3 +Version: 0.3.4 Release: 1%{?dist} Summary: OpenConnect SSL VPN server @@ -158,6 +158,9 @@ rm -rf %{buildroot} %{_localstatedir}/lib/ocserv/profile.xml %changelog +* Fri May 02 2014 Nikos Mavrogiannopoulos - 0.3.4-1 +- New upstream release + * Thu Apr 10 2014 Nikos Mavrogiannopoulos - 0.3.3-1 - New upstream release diff --git a/sources b/sources index 4b92dd3..608a0ed 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -47ac15222048744c40dcaae153c2a9db ocserv-0.3.3.tar.xz +d60feddbb55a4a029284a3051d7f26e7 ocserv-0.3.4.tar.xz From 59650d4e781e87245666b8919e7b0a751a0a1e0e Mon Sep 17 00:00:00 2001 
From: Nikos Mavrogiannopoulos Date: Fri, 2 May 2014 13:59:37 +0200 Subject: [PATCH 020/177] updated default config file --- ocserv.conf | 158 ++++++++++++++++++++++++++++++++++++---------------- 1 file changed, 110 insertions(+), 48 deletions(-) diff --git a/ocserv.conf b/ocserv.conf index 36d4987..0e638e5 100644 --- a/ocserv.conf +++ b/ocserv.conf @@ -5,10 +5,18 @@ #auth = "plain[./sample.passwd]" auth = "pam" +# The plain option requires specifying a password file which contains +# entries of the following format. +# "username:groupname:encoded-password" +# One entry must be listed per line, and 'ocpasswd' can be used +# to generate password entries. +#auth = "plain[/etc/ocserv/ocpasswd]" + # A banner to be displayed on clients #banner = "Welcome" -# Use listen-host to limit to specific IPs or to the IPs of a provided hostname. +# Use listen-host to limit to specific IPs or to the IPs of a provided +# hostname. #listen-host = [IP|HOSTNAME] # Limit the number of clients. Unset or set to zero for unlimited. @@ -19,22 +27,25 @@ max-clients = 16 # (X is the provided value). Set to zero for no limit. #rate-limit-ms = 100 -# Limit the number of identical clients (i.e., users connecting multiple times) -# Unset or set to zero for unlimited. +# Limit the number of identical clients (i.e., users connecting +# multiple times). Unset or set to zero for unlimited. max-same-clients = 2 # TCP and UDP port number -tcp-port = 4443 -udp-port = 4443 +tcp-port = 443 +udp-port = 443 # Keepalive in seconds keepalive = 32400 -# Rekey time in seconds -rekey-time 172800 +# Dead peer detection in seconds. +dpd = 90 -# Dead peer detection in seconds -dpd = 60 +# Dead peer detection for mobile clients. The needs to +# be much higher to prevent such clients being awaken too +# often by the DPD messages, and save battery. +# (clients that send the X-AnyConnect-Identifier-DeviceType) +#mobile-dpd = 1800 # MTU discovery (DPD must be enabled) try-mtu-discovery = false 
@@ -65,29 +76,30 @@ server-key = /etc/pki/ocserv/private/server.key #ocsp-response = /path/to/ocsp.der # In case PKCS #11 or TPM keys are used the PINs should be available -# in files. The srk-pin-file is applicable to TPM keys only (It's the storage -# root key). +# in files. The srk-pin-file is applicable to TPM keys only, and is the +# storage root key. #pin-file = /path/to/pin.txt #srk-pin-file = /path/to/srkpin.txt -# The Certificate Authority that will be used -# to verify clients if certificate authentication +# The Certificate Authority that will be used to verify +# client certificates (public keys) if certificate authentication # is set. +#ca-cert = /path/to/ca.pem ca-cert = /etc/pki/ocserv/cacerts/ca.crt -# The object identifier that will be used to read the user ID in the client certificate. -# The object identifier should be part of the certificate's DN +# The object identifier that will be used to read the user ID in the client +# certificate. The object identifier should be part of the certificate's DN # Useful OIDs are: # CN = 2.5.4.3, UID = 0.9.2342.19200300.100.1.1 #cert-user-oid = 0.9.2342.19200300.100.1.1 -# The object identifier that will be used to read the user group in the client -# certificate. The object identifier should be part of the certificate's DN -# Useful OIDs are: +# The object identifier that will be used to read the user group in the +# client certificate. The object identifier should be part of the certificate's +# DN. Useful OIDs are: # OU (organizational unit) = 2.5.4.11 #cert-group-oid = 2.5.4.11 -# A revocation list of ca-cert is set +# The revocation list of the certificates issued by the 'ca-cert' above. #crl = /path/to/crl.pem # GnuTLS priority string 
@@ -100,38 +112,60 @@ tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT" # to authentication auth-timeout = 40 +# The time (in seconds) that a client is allowed to stay idle (no traffic) +# before being disconnected. Unset to disable. +#idle-timeout = 1200 + +# The time (in seconds) that a mobile client is allowed to stay idle (no +# traffic) before being disconnected. Unset to disable. +#mobile-idle-timeout = 2400 + # The time (in seconds) that a client is not allowed to reconnect after # a failed authentication attempt. -min-reauth-time = 2 +#min-reauth-time = 2 # Cookie validity time (in seconds) # Once a client is authenticated he's provided a cookie with # which he can reconnect. This option sets the maximum lifetime # of that cookie. -cookie-validity = 172800 +cookie-validity = 86400 + +# ReKey time (in seconds) +# ocserv will ask the client to refresh keys periodically once +# this amount of seconds is elapsed. Set to zero to disable. +rekey-time = 172800 + +# ReKey method +# Valid options: ssl, new-tunnel +# ssl: Will perform an efficient rehandshake on the channel allowing +# a seamless connection during rekey. +# new-tunnel: Will instruct the client to discard and re-establish the channel. +# Use this option only if the connecting clients have issues with the ssl +# option. +rekey-method = ssl # Script to call when a client connects and obtains an IP # Parameters are passed on the environment. # REASON, USERNAME, GROUPNAME, HOSTNAME (the hostname selected by client), # DEVICE, IP_REAL (the real IP of the client), IP_LOCAL (the local IP -# in the P-t-P connection), IP_REMOTE (the VPN IP of the client). REASON -# may be "connect" or "disconnect". +# in the P-t-P connection), IP_REMOTE (the VPN IP of the client), +# ID (a unique numeric ID); REASON may be "connect" or "disconnect". #connect-script = /usr/bin/myscript #disconnect-script = /usr/bin/myscript +# UTMP +use-utmp = true + # D-BUS usage. If disabled occtl tool cannot be used. 
If enabled # then ocserv must have access to register org.infradead.ocserv # D-BUS service. See doc/dbus/org.infradead.ocserv.conf use-dbus = true -# UTMP -use-utmp = true - -# PID file +# PID file. It can be overriden in the command line. #pid-file = /var/run/ocserv.pid # The default server directory. Does not require any devices present. -chroot-dir = /var/lib/ocserv/ +chroot-dir = /path/to/chroot # socket file used for IPC, will be appended with .PID # It must be accessible within the chroot environment (if any) 
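Review bot: `chroot-dir = /path/to/chroot` replaces the previous `chroot-dir = /var/lib/ocserv/` with a placeholder path in the config that the spec installs as `%{_sysconfdir}/ocserv/ocserv.conf`, so the worker would be told to chroot into a directory the package never creates, and `user-profile = profile.xml`, which the file says must be reachable inside the chroot, no longer lines up with the `%{_localstatedir}/lib/ocserv/profile.xml` the spec installs. The `@@ -153,51 +187,69 @@` hunk on the next two lines has the mirror problem: upstream sample values become live settings instead of staying commented (`default-domain = example.com`, `ipv4-network = 192.168.1.0`, `dns = 192.168.1.2`, `route = 192.168.1.0/255.255.255.0`), and the `@@ -19,22 +27,25 @@` hunk moves `tcp-port`/`udp-port` from 4443 to 443 with no changelog mention. This looks like upstream's sample config copied over the Fedora one; restore `chroot-dir = /var/lib/ocserv/` and keep the example network, DNS and route lines commented. `#min-reauth-time = 2` also drops the explicit delay after a failed login in favour of a built-in default this page does not show, which is worth a line in the commit message if intended.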
@@ -153,51 +187,69 @@ run-as-group = ocserv # specific and can be set per user/group or globally. #cgroup = "cpuset,cpu:test" - +# # Network settings +# +# The name of the tun device device = vpns # The default domain to be advertised -#default-domain = example.com +default-domain = example.com -#ipv4-network = 192.168.1.0 -#ipv4-netmask = 255.255.255.0 -#dns = 192.168.2.1 +# The pool of addresses that leases will be given from. +ipv4-network = 192.168.1.0 +ipv4-netmask = 255.255.255.0 + +# The advertized DNS server. Use multiple lines for +# multiple servers. +# dns = fc00::4be0 +dns = 192.168.1.2 # The NBNS server (if any) -#nbns = 192.168.2.3 +#nbns = 192.168.1.3 + +# The IPv6 subnet that leases will be given from. +#ipv6-network = fc00:: +#ipv6-prefix = 16 -# The IPv6 subnet -#ipv6-network = -#ipv6-prefix = -#dns = +# The domains over which the provided DNS should be used. Use +# multiple lines for multiple domains. +#split-dns = example.com # Prior to leasing any IP from the pool ping it to verify that # it is not in use by another (unrelated to this server) host. ping-leases = false -# Leave empty to assign the default MTU of the device +# Unset to assign the default MTU of the device # mtu = # Unset to enable bandwidth restrictions (in bytes/sec). The # setting here is global, but can also be set per user or per group. -#rx-data-per-sec = 40960 -#tx-data-per-sec = 40960 +#rx-data-per-sec = 40000 +#tx-data-per-sec = 40000 # The number of packets (of MTU size) that are available in # the output buffer. The default is low to improve latency. # Setting it higher will improve throughput. -output-buffer = 100 +#output-buffer = 10 -#route = 192.168.1.0/255.255.255.0 +# Routes to be forwarded to the client. If you need the +# client to forward routes to the server, you may use the +# config-per-user/group or even connect and disconnect scripts. +# +# To set the server as the default gateway for the client just +# comment out all routes from the server. 
+route = 192.168.1.0/255.255.255.0 #route = 192.168.5.0/255.255.255.0 +#route = fef4:db8:1000:1001::/64 # Configuration files that will be applied per user connection or # per group. Each file name on these directories must match the username # or the groupname. # The options allowed in the configuration files are dns, nbns, -# ipv?-network, ipv4-netmask, ipv6-prefix, iroute and route. +# ipv?-network, ipv4-netmask, ipv6-prefix, rx/tx-per-sec, iroute, route, +# net-priority and cgroup. # # Note that the 'iroute' option allows to add routes on the server # based on a user or group. The syntax depends on the input accepted @@ -210,7 +262,7 @@ output-buffer = 100 # route/mask and %D with the (tun) device. # # The following example is from linux systems. %R should be something -# like 192.168.2.0/24 (so iroute in this system has different syntax than route) +# like 192.168.2.0/24 route-add-cmd = "ip route add %R dev %D" route-del-cmd = "ip route delete %R dev %D" 
@@ -221,12 +273,22 @@ route-del-cmd = "ip route delete %R dev %D" # Client profile xml. A sample file exists in doc/profile.xml. # This file must be accessible from inside the worker's chroot. -# The profile is ignored by the openconnect client. +# It is not used by the openconnect client. user-profile = profile.xml +# Binary files that may be downloaded by the CISCO client. Must +# be within any chroot environment. +#binary-files = /path/to/binaries + # Unless set to false it is required for clients to present their # certificate even if they are authenticating via a previously granted -# cookie. Legacy CISCO clients do not do that, and thus this option -# should be set for them. +# cookie and complete their authentication in the same TCP connection. +# Legacy CISCO clients do not do that, and thus this option should be +# set for them. cisco-client-compat = true +#Advanced options + +# Option to allow sending arbitrary custom headers to the client after +# authentication and prior to VPN tunnel establishment. +#custom-header = "X-My-Header: hi there" From 87ad88173a507c3f8e884c8e77042709988cf98d Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Fri, 9 May 2014 11:00:44 +0200 Subject: [PATCH 021/177] new upstream release --- .gitignore | 1 + ocserv.spec | 5 ++++- sources | 2 +- 3 files changed, 6 insertions(+), 2 deletions(-) diff --git a/.gitignore b/.gitignore index ce73977..ba9312a 100644 --- a/.gitignore +++ b/.gitignore @@ -5,3 +5,4 @@ /ocserv-0.3.2.tar.xz /ocserv-0.3.3.tar.xz /ocserv-0.3.4.tar.xz +/ocserv-0.3.5.tar.xz diff --git a/ocserv.spec b/ocserv.spec index 85580dc..79094fe 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -1,5 +1,5 @@ Name: ocserv -Version: 0.3.4 +Version: 0.3.5 Release: 1%{?dist} Summary: OpenConnect SSL VPN server 
@@ -158,6 +158,9 @@ rm -rf %{buildroot} %{_localstatedir}/lib/ocserv/profile.xml %changelog +* Fri May 09 2014 Nikos Mavrogiannopoulos - 0.3.5-1 +- New upstream release + * Fri May 02 2014 Nikos Mavrogiannopoulos - 0.3.4-1 - New upstream release diff --git a/sources b/sources index 608a0ed..f768ad7 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -d60feddbb55a4a029284a3051d7f26e7 ocserv-0.3.4.tar.xz +7ba8ebe4eba08b6e1c9dabbc78da16e5 ocserv-0.3.5.tar.xz From 100c73194f53f0c62537dc8c1023baa5557357c6 Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Mon, 26 May 2014 13:06:37 +0200 Subject: [PATCH 022/177] new upstream release --- .gitignore | 2 ++ ocserv.conf | 44 +++++++++++++++++++++++++++++++++++++++----- ocserv.spec | 10 ++++++++-- sources | 3 ++- 4 files changed, 51 insertions(+), 8 deletions(-) diff --git a/.gitignore b/.gitignore index ba9312a..26820b3 100644 --- a/.gitignore +++ b/.gitignore @@ -6,3 +6,5 @@ /ocserv-0.3.3.tar.xz /ocserv-0.3.4.tar.xz /ocserv-0.3.5.tar.xz +/ocserv-0.8.0pre0.tar.xz +/ocserv-0.8.0pre0.tar.xz.sig diff --git a/ocserv.conf b/ocserv.conf index 0e638e5..b87ba46 100644 --- a/ocserv.conf +++ b/ocserv.conf @@ -5,6 +5,10 @@ #auth = "plain[./sample.passwd]" auth = "pam" +# The gid-min option is used by auto-select-group option, in order to +# select the minimum group ID. +#auth = "pam[gid-min=1000]" + # The plain option requires specifying a password file which contains # entries of the following format. # "username:groupname:encoded-password" @@ -128,7 +132,7 @@ auth-timeout = 40 # Once a client is authenticated he's provided a cookie with # which he can reconnect. This option sets the maximum lifetime # of that cookie. -cookie-validity = 86400 +cookie-validity = 10800 # ReKey time (in seconds) # ocserv will ask the client to refresh keys periodically once 
@@ -156,10 +160,13 @@ rekey-method = ssl # UTMP use-utmp = true -# D-BUS usage. If disabled occtl tool cannot be used. If enabled -# then ocserv must have access to register org.infradead.ocserv -# D-BUS service. See doc/dbus/org.infradead.ocserv.conf -use-dbus = true +# Whether to enable support for the occtl tool (i.e., either through D-BUS, +# or via a unix socket). +use-occtl = true + +# socket file used for IPC with occtl. You only need to set that, +# if you use more than a single servers. +#occtl-socket-file = /var/run/occtl.socket # PID file. It can be overriden in the command line. #pid-file = /var/run/ocserv.pid @@ -194,6 +201,10 @@ run-as-group = ocserv # The name of the tun device device = vpns +# Whether the generated IPs will be predictable, i.e., IP stays the +# same for the same user when possible. +predictable-ips = true + # The default domain to be advertised default-domain = example.com 
@@ -258,6 +269,29 @@ route = 192.168.1.0/255.255.255.0 #config-per-user = /etc/ocserv/config-per-user/ #config-per-group = /etc/ocserv/config-per-group/ +# When config-per-xxx is specified and there is no group or user that +# matches, then utilize the following configuration. + +#default-user-config = /etc/ocserv/defaults/user.conf +#default-group-config = /etc/ocserv/defaults/group.conf + +# Groups that a client is allowed to select from. +# A client may belong in multiple groups, and in certain use-cases +# it is needed to switch between them. For these cases the client can +# select prior to authentication. Add multiple entries for multiple groups. +#select-group = group1 +#select-group = group2[My group 2] +#select-group = tost[The tost group] + +# The name of the group that if selected it would allow to use +# the assigned by default group. +default-select-group = DEFAULT + +# Instead of specifying manually all the allowed groups, you may instruct +# ocserv to scan all available groups and include the full list. That +# option is only functional on plain authentication. +auto-select-group = true + # The system command to use to setup a route. %R will be replaced with the # route/mask and %D with the (tun) device. # diff --git a/ocserv.spec b/ocserv.spec index 79094fe..87a96ca 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -1,5 +1,5 @@ Name: ocserv -Version: 0.3.5 +Version: 0.8.0pre0 Release: 1%{?dist} Summary: OpenConnect SSL VPN server @@ -13,6 +13,7 @@ Source2: ocserv.service Source3: ocserv-pamd.conf Source4: PACKAGE-LICENSING Source5: org.infradead.ocserv.conf +Source6: ftp://ftp.infradead.org/pub/ocserv/%{name}-%{version}.tar.xz.sig # Taken from upstream: # http://git.infradead.org/ocserv.git/commitdiff/7d70006a2dbddf783213f1856374bacc74217e09 
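Review bot: `auto-select-group = true` and `default-select-group = DEFAULT` are switched on, but the comment directly above says the option `is only functional on plain authentication` while this file sets `auth = "pam"`, so as shipped the setting is either dead or, once someone switches to plain auth, sends the full list of server groups to clients that, per the hunk's own text, `can select prior to authentication`. Publishing group names to anyone who can reach the listener is information an attacker does not otherwise have, so it should be opt-in: `#auto-select-group = true`, with a comment noting that enabling it exposes group names to unauthenticated clients.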
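Review bot: `Source6: ftp://ftp.infradead.org/pub/ocserv/%{name}-%{version}.tar.xz.sig` adds the upstream signature to the sources, but nothing in this patch checks it, and the `%prep` context visible in the next patch on this page begins with `%setup -q`, so the signature is downloaded and recorded without ever enforcing anything. A verification step before `%setup` would make it a real check on the tarball, e.g. `gpgv2 --keyring <PATH-TO-UPSTREAM-KEYRING> %{SOURCE6} %{SOURCE0}` with the upstream public key shipped as another Source and `BuildRequires: gnupg2`; if verification is meant to happen outside the build, a comment above `Source6:` saying so would stop readers from assuming the build verifies it.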
@@ -26,13 +27,15 @@ BuildRequires: autogen-libopts-devel BuildRequires: protobuf-c-devel BuildRequires: libnl3-devel BuildRequires: readline-devel -BuildRequires: dbus-devel BuildRequires: autogen BuildRequires: pcllib-devel BuildRequires: http-parser-devel BuildRequires: tcp_wrappers-devel BuildRequires: automake, autoconf +# we don't build with dbus support +#BuildRequires: dbus-devel + Requires: gnutls-utils Requires: iproute Requires: pam @@ -158,6 +161,9 @@ rm -rf %{buildroot} %{_localstatedir}/lib/ocserv/profile.xml %changelog +* Mon May 26 2014 Nikos Mavrogiannopoulos - 0.8.0pre0-1 +- New upstream release + * Fri May 09 2014 Nikos Mavrogiannopoulos - 0.3.5-1 - New upstream release diff --git a/sources b/sources index f768ad7..d20aea7 100644 --- a/sources +++ b/sources @@ -1 +1,2 @@ -7ba8ebe4eba08b6e1c9dabbc78da16e5 ocserv-0.3.5.tar.xz +de476b85be78be000f33c912a076657a ocserv-0.8.0pre0.tar.xz +0f2c49c121883cd189f28126d8ff718f ocserv-0.8.0pre0.tar.xz.sig From 67813f7c1f7959fbc7e8e05ee065a6e6935ecd47 Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Mon, 26 May 2014 13:09:24 +0200 Subject: [PATCH 023/177] depend on talloc --- ocserv.spec | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ocserv.spec b/ocserv.spec index 87a96ca..7db9d6b 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -29,6 +29,7 @@ BuildRequires: libnl3-devel BuildRequires: readline-devel BuildRequires: autogen BuildRequires: pcllib-devel +BuildRequires: libtalloc-devel BuildRequires: http-parser-devel BuildRequires: tcp_wrappers-devel BuildRequires: automake, autoconf @@ -62,6 +63,7 @@ to provide the secure VPN service. %setup -q rm -f src/http-parser/http_parser.c src/http-parser/http_parser.h rm -rf src/protobuf/ +rm -rf src/ccan/talloc rm -f libopts/*.c libopts/*.h libopts/*/*.c libopts/*/*.h rm -f src/pcl/*.c src/pcl/*.h sed -i 's|/etc/ocserv.conf|/etc/ocserv/ocserv.conf|g' src/config.c From 04321eb1cb479a4af9e3926585211252fd8ea6b5 Mon Sep 17 00:00:00 2001 
From: Nikos Mavrogiannopoulos Date: Mon, 26 May 2014 13:23:01 +0200 Subject: [PATCH 024/177] depend on systemd-devel --- ocserv.spec | 1 + 1 file changed, 1 insertion(+) diff --git a/ocserv.spec b/ocserv.spec index 7db9d6b..859a23a 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -23,6 +23,7 @@ BuildRequires: gnutls-devel BuildRequires: pam-devel BuildRequires: iproute BuildRequires: systemd +BuildRequires: systemd-devel BuildRequires: autogen-libopts-devel BuildRequires: protobuf-c-devel BuildRequires: libnl3-devel From aa81804b849fc02e6cb2c9995fe434dcf95294f3 Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Tue, 27 May 2014 10:11:20 +0200 Subject: [PATCH 025/177] Updated license information --- ocserv.spec | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ocserv.spec b/ocserv.spec index 859a23a..0c73e2d 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -4,8 +4,8 @@ Release: 1%{?dist} Summary: OpenConnect SSL VPN server # For a breakdown of the licensing, see PACKAGE-LICENSING -# To simplify licenses LGPLv2+ files have been promoted to GPLv2+. -License: GPLv2+ and BSD and MIT and CC0 +# To simplify licenses LGPLv2+ files have been promoted to GPLv3+. +License: GPLv3+ and BSD and MIT and CC0 URL: http://www.infradead.org/ocserv/ Source0: ftp://ftp.infradead.org/pub/ocserv/%{name}-%{version}.tar.xz Source1: ocserv.conf From 86abe99de540d3c3735524071f646d84b365bfa8 Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Mon, 2 Jun 2014 09:10:26 +0200 Subject: [PATCH 026/177] updated ocserv to 0.8.0 --- .gitignore | 2 + ocserv-0.8.0-cmp.patch | 13 +++++++ ocserv-0.8.0-endianness.patch | 70 +++++++++++++++++++++++++++++++++++ ocserv.conf | 7 +--- ocserv.spec | 10 ++++- sources | 4 +- 6 files changed, 98 insertions(+), 8 deletions(-) create mode 100644 ocserv-0.8.0-cmp.patch create mode 100644 ocserv-0.8.0-endianness.patch diff --git a/.gitignore b/.gitignore index 26820b3..11ec67a 100644 --- a/.gitignore +++ b/.gitignore 
@@ -8,3 +8,5 @@ /ocserv-0.3.5.tar.xz /ocserv-0.8.0pre0.tar.xz /ocserv-0.8.0pre0.tar.xz.sig +/ocserv-0.8.0.tar.xz +/ocserv-0.8.0.tar.xz.sig diff --git a/ocserv-0.8.0-cmp.patch b/ocserv-0.8.0-cmp.patch new file mode 100644 index 0000000..1a00580 --- /dev/null +++ b/ocserv-0.8.0-cmp.patch @@ -0,0 +1,13 @@ +diff --git a/src/auth/plain.c b/src/auth/plain.c +index 1b66683..c8ed5bf 100644 +--- a/src/auth/plain.c ++++ b/src/auth/plain.c +@@ -266,7 +266,7 @@ static size_t rehash(const void *_e, void *unused) + + static bool str_cmp(const void* _c1, void* _c2) + { +- const char *c1 = _c1, *c2 = c2; ++ const char *c1 = _c1, *c2 = _c2; + + if (strcmp(c1, c2) == 0) + return 1; diff --git a/ocserv-0.8.0-endianness.patch b/ocserv-0.8.0-endianness.patch new file mode 100644 index 0000000..0afd8a3 --- /dev/null +++ b/ocserv-0.8.0-endianness.patch 
@@ -0,0 +1,70 @@ +diff --git a/src/main-ctl-unix.c b/src/main-ctl-unix.c +index b4da5eb..90d604f 100644 +--- a/src/main-ctl-unix.c ++++ b/src/main-ctl-unix.c +@@ -629,7 +629,7 @@ static void ctl_handle_commands(main_server_st * s) + } + goto cleanup; + } +- length = (buffer[2] << 8) | buffer[1]; ++ memcpy(&length, &buffer[1], 2); + buffer_size = ret - 3; + + if (length != buffer_size) { +diff --git a/src/occtl-unix.c b/src/occtl-unix.c +index 183825d..0c1b3e1 100644 +--- a/src/occtl-unix.c ++++ b/src/occtl-unix.c +@@ -83,15 +83,14 @@ int send_cmd(struct unix_ctx *ctx, unsigned cmd, const void *data, + struct iovec iov[2]; + unsigned iov_len = 1; + int e, ret; +- unsigned length = 0; ++ uint16_t length = 0; + void *packed = NULL; + + if (get_size) + length = get_size(data); + + header[0] = cmd; +- header[1] = length; +- header[2] = length >> 8; ++ memcpy(&header[1], &length, 2); + + iov[0].iov_base = header; + iov[0].iov_len = 3; +@@ -145,7 +144,7 @@ int send_cmd(struct unix_ctx *ctx, unsigned cmd, const void *data, + goto fail; + } + +- length = (header[2] << 8) | header[1]; ++ memcpy(&length, &header[1], 2); + + rep->data_size = length; + rep->data = talloc_size(ctx, length); +diff --git a/src/sec-mod.c b/src/sec-mod.c +index 15ee32a..c3d4bad 100644 +--- a/src/sec-mod.c ++++ b/src/sec-mod.c +@@ -354,6 +354,7 @@ void sec_mod_server(void *main_pool, struct cfg_st *config, const char *socket_f + unsigned cmd, length; + unsigned i, buffer_size; + uint8_t *buffer, *tpool; ++ uint16_t l16; + struct pin_st pins; + int sd; + sec_mod_st *sec; +@@ -538,10 +539,11 @@ void sec_mod_server(void *main_pool, struct cfg_st *config, const char *socket_f + } + + cmd = buffer[0]; +- length = buffer[1] | buffer[2] << 8; ++ memcpy(&l16, &buffer[1], 2); ++ length = l16; + + if (length > buffer_size - 4) { +- seclog(LOG_INFO, "too big message"); ++ seclog(LOG_INFO, "too big message (%d)", length); + goto cont; + } + diff --git a/ocserv.conf b/ocserv.conf index b87ba46..002dcee 100644 
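Review bot: In the main-ctl-unix.c part of this patch `memcpy(&length, &buffer[1], 2)` is written into `length` without its declaration being changed, whereas the occtl-unix.c part narrows `length` to `uint16_t` and the sec-mod.c part copies through a `uint16_t l16` temporary. The declaration in ctl_handle_commands is outside the hunk; if it is still `unsigned`, as the other two files' originals were, a two-byte memcpy leaves the upper bytes of `length` holding whatever they held before, and the following `length != buffer_size` comparison is then made against stale data. I would mirror the sec-mod.c approach there: `uint16_t l16; memcpy(&l16, &buffer[1], 2); length = l16;`. Separately, the new `seclog(LOG_INFO, "too big message (%d)", length)` passes an `unsigned` to `%d`; `%u` is the matching conversion.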
--- a/ocserv.conf +++ b/ocserv.conf @@ -128,11 +128,8 @@ auth-timeout = 40 # a failed authentication attempt. #min-reauth-time = 2 -# Cookie validity time (in seconds) -# Once a client is authenticated he's provided a cookie with -# which he can reconnect. This option sets the maximum lifetime -# of that cookie. -cookie-validity = 10800 +# Cookie timeout (in seconds) +cookie-timeout = 360 # ReKey time (in seconds) # ocserv will ask the client to refresh keys periodically once diff --git a/ocserv.spec b/ocserv.spec index 0c73e2d..27665b5 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -1,5 +1,5 @@ Name: ocserv -Version: 0.8.0pre0 +Version: 0.8.0 Release: 1%{?dist} Summary: OpenConnect SSL VPN server @@ -15,6 +15,9 @@ Source4: PACKAGE-LICENSING Source5: org.infradead.ocserv.conf Source6: ftp://ftp.infradead.org/pub/ocserv/%{name}-%{version}.tar.xz.sig +Patch1: ocserv-0.8.0-endianness.patch +Patch2: ocserv-0.8.0-cmp.patch + # Taken from upstream: # http://git.infradead.org/ocserv.git/commitdiff/7d70006a2dbddf783213f1856374bacc74217e09 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) @@ -72,6 +75,8 @@ sed -i 's/run-as-group = nogroup/run-as-group = nobody/g' tests/*.config # GPLv3 in headers is a gnulib bug: # http://lists.gnu.org/archive/html/bug-gnulib/2013-11/msg00062.html sed -i 's/either version 3 of the License/either version 2 of the License/g' build-aux/snippet/* +%patch1 -p1 -b .cmp +%patch2 -p1 -b .endianness %build @@ -164,6 +169,9 @@ rm -rf %{buildroot} %{_localstatedir}/lib/ocserv/profile.xml %changelog +* Mon Jun 02 2014 Nikos Mavrogiannopoulos - 0.8.0-1 +- New upstream release + * Mon May 26 2014 Nikos Mavrogiannopoulos - 0.8.0pre0-1 - New upstream release diff --git a/sources b/sources index d20aea7..fb6cafa 100644 --- a/sources +++ b/sources 
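Review bot: The backup suffixes in the new `%patch` lines are swapped relative to the Patch definitions added earlier in this commit: Patch1 is ocserv-0.8.0-endianness.patch but is applied with `-b .cmp`, and Patch2 is the cmp patch applied with `-b .endianness`. The patches still apply, but anyone inspecting the `.cmp`/`.endianness` backup files in the build tree is pointed at the wrong change. Use `%patch1 -p1 -b .endianness` and `%patch2 -p1 -b .cmp`.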
@@ -1,2 +1,2 @@ -de476b85be78be000f33c912a076657a ocserv-0.8.0pre0.tar.xz -0f2c49c121883cd189f28126d8ff718f ocserv-0.8.0pre0.tar.xz.sig +6383535a21f8eecfb1bbb7f7ac99c41f ocserv-0.8.0.tar.xz +1336250a0db4923e6a597b960209b42d ocserv-0.8.0.tar.xz.sig From 925686a46452fc4ec64b23048ddf38575ef151e7 Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Fri, 6 Jun 2014 17:24:25 +0200 Subject: [PATCH 027/177] Generate the certificates and private keys before the first run --- ocserv.service | 1 + ocserv.spec | 36 ++++++++---------------------------- 2 files changed, 9 insertions(+), 28 deletions(-) diff --git a/ocserv.service b/ocserv.service index 86fca91..3f6a3e2 100644 --- a/ocserv.service +++ b/ocserv.service @@ -9,6 +9,7 @@ After=dbus.service PrivateTmp=true Type=forking PIDFile=/var/run/ocserv.pid +ExecStartPre=/usr/sbin/ocserv-genkey ExecStart=/usr/sbin/ocserv --pid-file /var/run/ocserv.pid --config /etc/ocserv/ocserv.conf ExecReload=/bin/kill -HUP $MAINPID diff --git a/ocserv.spec b/ocserv.spec index 27665b5..3b7d8f1 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -1,6 +1,6 @@ Name: ocserv Version: 0.8.0 -Release: 1%{?dist} +Release: 2%{?dist} Summary: OpenConnect SSL VPN server # For a breakdown of the licensing, see PACKAGE-LICENSING @@ -14,6 +14,7 @@ Source3: ocserv-pamd.conf Source4: PACKAGE-LICENSING Source5: org.infradead.ocserv.conf Source6: ftp://ftp.infradead.org/pub/ocserv/%{name}-%{version}.tar.xz.sig +Source7: ocserv-genkey Patch1: ocserv-0.8.0-endianness.patch Patch2: ocserv-0.8.0-cmp.patch 
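Review bot: `Source7: ocserv-genkey` references a file that this commit does not add — the diffstat lists only ocserv.service and ocserv.spec — and the unit's new `ExecStartPre=/usr/sbin/ocserv-genkey` depends on it as well. At this point in the history the SRPM cannot be built, which breaks bisecting; the script should land in the same commit as the spec and unit changes that consume it. The %install lines that copy `%{SOURCE7}` are in a later hunk.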
@@ -92,33 +93,6 @@ getent passwd ocserv &>/dev/null || \ mkdir -p %{_sysconfdir}/pki/ocserv/public mkdir -p -m 700 %{_sysconfdir}/pki/ocserv/private mkdir -p %{_sysconfdir}/pki/ocserv/cacerts -#generate CA certificate/key -if test ! -f %{_sysconfdir}/pki/ocserv/private/ca.key;then -certtool --generate-privkey --outfile %{_sysconfdir}/pki/ocserv/private/ca.key >/dev/null 2>&1 -echo "cn=`hostname -f` CA" >%{_sysconfdir}/pki/ocserv/ca.tmpl -echo "expiration_days=-1" >>%{_sysconfdir}/pki/ocserv/ca.tmpl -echo "serial=1" >>%{_sysconfdir}/pki/ocserv/ca.tmpl -echo "ca" >>%{_sysconfdir}/pki/ocserv/ca.tmpl -echo "cert_signing_key" >>%{_sysconfdir}/pki/ocserv/ca.tmpl -certtool --template %{_sysconfdir}/pki/ocserv/ca.tmpl \ - --generate-self-signed --load-privkey %{_sysconfdir}/pki/ocserv/private/ca.key \ - --outfile %{_sysconfdir}/pki/ocserv/cacerts/ca.crt >/dev/null 2>&1 -#rm -f %{_sysconfdir}/pki/ocserv/ca.tmpl -fi -#generate server certificate/key -if test ! -f %{_sysconfdir}/pki/ocserv/private/server.key;then -certtool --generate-privkey --outfile %{_sysconfdir}/pki/ocserv/private/server.key >/dev/null 2>&1 -echo "cn=`hostname -f`" >%{_sysconfdir}/pki/ocserv/server.tmpl -echo "serial=2" >>%{_sysconfdir}/pki/ocserv/server.tmpl -echo "expiration_days=-1" >>%{_sysconfdir}/pki/ocserv/server.tmpl -echo "signing_key" >>%{_sysconfdir}/pki/ocserv/server.tmpl -echo "encryption_key" >>%{_sysconfdir}/pki/ocserv/server.tmpl -certtool --template %{_sysconfdir}/pki/ocserv/server.tmpl \ - --generate-certificate --load-privkey %{_sysconfdir}/pki/ocserv/private/server.key \ - --load-ca-certificate %{_sysconfdir}/pki/ocserv/cacerts/ca.crt --load-ca-privkey \ - %{_sysconfdir}/pki/ocserv/private/ca.key --outfile %{_sysconfdir}/pki/ocserv/public/server.crt >/dev/null 2>&1 -#rm -f %{_sysconfdir}/pki/ocserv/server.tmpl -fi %post %systemd_post ocserv.service 
@@ -142,6 +116,8 @@ mkdir -p %{buildroot}/%{_unitdir} install -p -m 644 %{SOURCE2} %{buildroot}/%{_unitdir} mkdir -p %{buildroot}%{_localstatedir}/lib/ocserv/ install -p -m 644 doc/profile.xml %{buildroot}%{_localstatedir}/lib/ocserv/ +mkdir -p %{buildroot}/%{_sbindir} +install -p -m 755 %{SOURCE7} %{buildroot}/%{_sbindir} %make_install %clean @@ -165,10 +141,14 @@ rm -rf %{buildroot} %{_bindir}/ocpasswd %{_bindir}/occtl %{_sbindir}/ocserv +%{_sbindir}/ocserv-genkey %{_unitdir}/ocserv.service %{_localstatedir}/lib/ocserv/profile.xml %changelog +* Mon Jun 02 2014 Nikos Mavrogiannopoulos - 0.8.0-2 +- Generate certificates and private keys before the first run + * Mon Jun 02 2014 Nikos Mavrogiannopoulos - 0.8.0-1 - New upstream release From ae2c0a022e451021ebea97ff1f15e81f277febf0 Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Fri, 6 Jun 2014 17:37:26 +0200 Subject: [PATCH 028/177] corrected chroot path --- ocserv.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ocserv.conf b/ocserv.conf index 002dcee..835273c 100644 --- a/ocserv.conf +++ b/ocserv.conf @@ -169,7 +169,7 @@ use-occtl = true #pid-file = /var/run/ocserv.pid # The default server directory. Does not require any devices present. -chroot-dir = /path/to/chroot +chroot-dir = /var/lib/ocserv # socket file used for IPC, will be appended with .PID # It must be accessible within the chroot environment (if any) From eeb0dfaaa0bc82942e2b92004c26892566d3ceb2 Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Fri, 6 Jun 2014 17:37:42 +0200 Subject: [PATCH 029/177] doc update --- ocserv.spec | 1 + 1 file changed, 1 insertion(+) diff --git a/ocserv.spec b/ocserv.spec index 3b7d8f1..b9df5e2 100644 --- a/ocserv.spec +++ b/ocserv.spec 
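Review bot: `chroot-dir = /var/lib/ocserv` points the chroot at the same directory the spec populates with profile.xml (`install -p -m 644 doc/profile.xml %{buildroot}%{_localstatedir}/lib/ocserv/`), so the chroot target doubles as the package's state directory. For the chroot to add any containment its root must be owned by root and not writable by the `run-as-user`/`run-as-group` account; whether `%files` claims `%{_localstatedir}/lib/ocserv` as a `%dir` with those permissions is not visible here, so it is worth confirming, or pointing chroot-dir at a dedicated empty directory. I would also extend the comment above the setting, e.g. `# Must be root-owned and not writable by run-as-user.`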
@@ -148,6 +148,7 @@ rm -rf %{buildroot} %changelog * Mon Jun 02 2014 Nikos Mavrogiannopoulos - 0.8.0-2 - Generate certificates and private keys before the first run +- Corrected chroot path * Mon Jun 02 2014 Nikos Mavrogiannopoulos - 0.8.0-1 - New upstream release From 145e41b394f89c417c71af797a79b669068aad6b Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Fri, 6 Jun 2014 17:40:51 +0200 Subject: [PATCH 030/177] corrected date --- ocserv.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ocserv.spec b/ocserv.spec index b9df5e2..7594277 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -146,7 +146,7 @@ rm -rf %{buildroot} %{_localstatedir}/lib/ocserv/profile.xml %changelog -* Mon Jun 02 2014 Nikos Mavrogiannopoulos - 0.8.0-2 +* Fri Jun 06 2014 Nikos Mavrogiannopoulos - 0.8.0-2 - Generate certificates and private keys before the first run - Corrected chroot path From 18c47c83ef92dd3fbce6685808d91c7e3873b630 Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Fri, 6 Jun 2014 17:49:59 +0200 Subject: [PATCH 031/177] Added ocserv-genkey --- ocserv-genkey | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) create mode 100755 ocserv-genkey diff --git a/ocserv-genkey b/ocserv-genkey new file mode 100755 index 0000000..687d685 --- /dev/null +++ b/ocserv-genkey 
@@ -0,0 +1,32 @@ +#!/bin/sh + +#generate CA certificate/key +if test ! -f /etc/pki/ocserv/private/ca.key;then +certtool --generate-privkey --outfile /etc/pki/ocserv/private/ca.key >/dev/null 2>&1 +echo "cn=`hostname -f` CA" >/etc/pki/ocserv/ca.tmpl +echo "expiration_days=-1" >>/etc/pki/ocserv/ca.tmpl +echo "serial=1" >>/etc/pki/ocserv/ca.tmpl +echo "ca" >>/etc/pki/ocserv/ca.tmpl +echo "cert_signing_key" >>/etc/pki/ocserv/ca.tmpl +certtool --template /etc/pki/ocserv/ca.tmpl \ + --generate-self-signed --load-privkey /etc/pki/ocserv/private/ca.key \ + --outfile /etc/pki/ocserv/cacerts/ca.crt >/dev/null 2>&1 +#rm -f /etc/pki/ocserv/ca.tmpl +fi + +#generate server certificate/key +if test ! -f /etc/pki/ocserv/private/server.key;then +certtool --generate-privkey --outfile /etc/pki/ocserv/private/server.key >/dev/null 2>&1 +echo "cn=`hostname -f`" >/etc/pki/ocserv/server.tmpl +echo "serial=2" >>/etc/pki/ocserv/server.tmpl +echo "expiration_days=-1" >>/etc/pki/ocserv/server.tmpl +echo "signing_key" >>/etc/pki/ocserv/server.tmpl +echo "encryption_key" >>/etc/pki/ocserv/server.tmpl +certtool --template /etc/pki/ocserv/server.tmpl \ + --generate-certificate --load-privkey /etc/pki/ocserv/private/server.key \ + --load-ca-certificate /etc/pki/ocserv/cacerts/ca.crt --load-ca-privkey \ + /etc/pki/ocserv/private/ca.key --outfile /etc/pki/ocserv/public/server.crt >/dev/null 2>&1 +#rm -f /etc/pki/ocserv/server.tmpl +fi + +exit 0 From b821c127dbcac7c550b932db03ef5da93b6f3887 Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Mon, 30 Jun 2014 10:29:57 +0200 Subject: [PATCH 032/177] Updated to 0.8.1 --- .gitignore | 2 + ocserv-0.8.0-cmp.patch | 13 ------- ocserv-0.8.0-endianness.patch | 70 ----------------------------------- ocserv.spec | 12 +++--- sources | 4 +- 5 files changed, 9 insertions(+), 92 deletions(-) delete mode 100644 ocserv-0.8.0-cmp.patch delete mode 100644 ocserv-0.8.0-endianness.patch diff --git a/.gitignore b/.gitignore index 11ec67a..fe72e6d 100644 
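Review bot: Every `certtool` invocation redirects its output to /dev/null and the script ends with an unconditional `exit 0`, so a failed key or certificate generation is invisible and, used as `ExecStartPre`, still lets the unit start without usable credentials. I would add `set -e` after the shebang and drop the `>/dev/null 2>&1` redirections so certtool's diagnostics reach the journal and a failure stops the unit; the existence checks keep the script idempotent. The generated CA and server certificates never expire (`expiration_days=-1`), which is acceptable for a bootstrap certificate but deserves a comment telling administrators to replace it with a properly issued one, e.g. `# Bootstrap-only: replace server.crt with a certificate from your own CA.`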
--- a/.gitignore +++ b/.gitignore @@ -10,3 +10,5 @@ /ocserv-0.8.0pre0.tar.xz.sig /ocserv-0.8.0.tar.xz /ocserv-0.8.0.tar.xz.sig +/ocserv-0.8.1.tar.xz +/ocserv-0.8.1.tar.xz.sig diff --git a/ocserv-0.8.0-cmp.patch b/ocserv-0.8.0-cmp.patch deleted file mode 100644 index 1a00580..0000000 --- a/ocserv-0.8.0-cmp.patch +++ /dev/null @@ -1,13 +0,0 @@ -diff --git a/src/auth/plain.c b/src/auth/plain.c -index 1b66683..c8ed5bf 100644 ---- a/src/auth/plain.c -+++ b/src/auth/plain.c -@@ -266,7 +266,7 @@ static size_t rehash(const void *_e, void *unused) - - static bool str_cmp(const void* _c1, void* _c2) - { -- const char *c1 = _c1, *c2 = c2; -+ const char *c1 = _c1, *c2 = _c2; - - if (strcmp(c1, c2) == 0) - return 1; diff --git a/ocserv-0.8.0-endianness.patch b/ocserv-0.8.0-endianness.patch deleted file mode 100644 index 0afd8a3..0000000 --- a/ocserv-0.8.0-endianness.patch +++ /dev/null 
@@ -1,70 +0,0 @@ -diff --git a/src/main-ctl-unix.c b/src/main-ctl-unix.c -index b4da5eb..90d604f 100644 ---- a/src/main-ctl-unix.c -+++ b/src/main-ctl-unix.c -@@ -629,7 +629,7 @@ static void ctl_handle_commands(main_server_st * s) - } - goto cleanup; - } -- length = (buffer[2] << 8) | buffer[1]; -+ memcpy(&length, &buffer[1], 2); - buffer_size = ret - 3; - - if (length != buffer_size) { -diff --git a/src/occtl-unix.c b/src/occtl-unix.c -index 183825d..0c1b3e1 100644 ---- a/src/occtl-unix.c -+++ b/src/occtl-unix.c -@@ -83,15 +83,14 @@ int send_cmd(struct unix_ctx *ctx, unsigned cmd, const void *data, - struct iovec iov[2]; - unsigned iov_len = 1; - int e, ret; -- unsigned length = 0; -+ uint16_t length = 0; - void *packed = NULL; - - if (get_size) - length = get_size(data); - - header[0] = cmd; -- header[1] = length; -- header[2] = length >> 8; -+ memcpy(&header[1], &length, 2); - - iov[0].iov_base = header; - iov[0].iov_len = 3; -@@ -145,7 +144,7 @@ int send_cmd(struct unix_ctx *ctx, unsigned cmd, const void *data, - goto fail; - } - -- length = (header[2] << 8) | header[1]; -+ memcpy(&length, &header[1], 2); - - rep->data_size = length; - rep->data = talloc_size(ctx, length); -diff --git a/src/sec-mod.c b/src/sec-mod.c -index 15ee32a..c3d4bad 100644 ---- a/src/sec-mod.c -+++ b/src/sec-mod.c -@@ -354,6 +354,7 @@ void sec_mod_server(void *main_pool, struct cfg_st *config, const char *socket_f - unsigned cmd, length; - unsigned i, buffer_size; - uint8_t *buffer, *tpool; -+ uint16_t l16; - struct pin_st pins; - int sd; - sec_mod_st *sec; -@@ -538,10 +539,11 @@ void sec_mod_server(void *main_pool, struct cfg_st *config, const char *socket_f - } - - cmd = buffer[0]; -- length = buffer[1] | buffer[2] << 8; -+ memcpy(&l16, &buffer[1], 2); -+ length = l16; - - if (length > buffer_size - 4) { -- seclog(LOG_INFO, "too big message"); -+ seclog(LOG_INFO, "too big message (%d)", length); - goto cont; - } - diff --git a/ocserv.spec b/ocserv.spec index 7594277..2afb2f5 100644 
--- a/ocserv.spec +++ b/ocserv.spec @@ -1,6 +1,6 @@ Name: ocserv -Version: 0.8.0 -Release: 2%{?dist} +Version: 0.8.1 +Release: 1%{?dist} Summary: OpenConnect SSL VPN server # For a breakdown of the licensing, see PACKAGE-LICENSING @@ -16,9 +16,6 @@ Source5: org.infradead.ocserv.conf Source6: ftp://ftp.infradead.org/pub/ocserv/%{name}-%{version}.tar.xz.sig Source7: ocserv-genkey -Patch1: ocserv-0.8.0-endianness.patch -Patch2: ocserv-0.8.0-cmp.patch - # Taken from upstream: # http://git.infradead.org/ocserv.git/commitdiff/7d70006a2dbddf783213f1856374bacc74217e09 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) @@ -76,8 +73,6 @@ sed -i 's/run-as-group = nogroup/run-as-group = nobody/g' tests/*.config # GPLv3 in headers is a gnulib bug: # http://lists.gnu.org/archive/html/bug-gnulib/2013-11/msg00062.html sed -i 's/either version 3 of the License/either version 2 of the License/g' build-aux/snippet/* -%patch1 -p1 -b .cmp -%patch2 -p1 -b .endianness %build @@ -146,6 +141,9 @@ rm -rf %{buildroot} %{_localstatedir}/lib/ocserv/profile.xml %changelog +* Mon Jun 30 2014 Nikos Mavrogiannopoulos - 0.8.1-1 +- New upstream release + * Fri Jun 06 2014 Nikos Mavrogiannopoulos - 0.8.0-2 - Generate certificates and private keys before the first run - Corrected chroot path diff --git a/sources b/sources index fb6cafa..1f51640 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -6383535a21f8eecfb1bbb7f7ac99c41f ocserv-0.8.0.tar.xz -1336250a0db4923e6a597b960209b42d ocserv-0.8.0.tar.xz.sig +9a2eeafbe018128460df0729096b20c6 ocserv-0.8.1.tar.xz +f6def04b953baa3f2fe0eb23fd091ee2 ocserv-0.8.1.tar.xz.sig From b98703bb9a057a9260b7b638a5fe7e44e72b6538 Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Mon, 28 Jul 2014 09:31:13 +0200 Subject: [PATCH 033/177] new upstream release --- .gitignore | 2 ++ ocserv.spec | 5 ++++- sources | 4 ++-- 3 files changed, 8 insertions(+), 3 deletions(-) diff --git a/.gitignore b/.gitignore index fe72e6d..3d40924 100644 
--- a/.gitignore +++ b/.gitignore @@ -12,3 +12,5 @@ /ocserv-0.8.0.tar.xz.sig /ocserv-0.8.1.tar.xz /ocserv-0.8.1.tar.xz.sig +/ocserv-0.8.2.tar.xz +/ocserv-0.8.2.tar.xz.sig diff --git a/ocserv.spec b/ocserv.spec index 2afb2f5..630abca 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -1,5 +1,5 @@ Name: ocserv -Version: 0.8.1 +Version: 0.8.2 Release: 1%{?dist} Summary: OpenConnect SSL VPN server @@ -141,6 +141,9 @@ rm -rf %{buildroot} %{_localstatedir}/lib/ocserv/profile.xml %changelog +* Mon Jul 28 2014 Nikos Mavrogiannopoulos - 0.8.2-1 +- New upstream release + * Mon Jun 30 2014 Nikos Mavrogiannopoulos - 0.8.1-1 - New upstream release diff --git a/sources b/sources index 1f51640..e9ded37 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -9a2eeafbe018128460df0729096b20c6 ocserv-0.8.1.tar.xz -f6def04b953baa3f2fe0eb23fd091ee2 ocserv-0.8.1.tar.xz.sig +fd890e121445dfe8bb514da67c91c675 ocserv-0.8.2.tar.xz +d7fb256c6b4c9837ffc16c9844ded77f ocserv-0.8.2.tar.xz.sig From 182d817e02ee9a359d3bc588e53ddb9fa179a314 Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Fri, 1 Aug 2014 15:32:51 +0200 Subject: [PATCH 034/177] disabled auto-select-group by default --- ocserv.conf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ocserv.conf b/ocserv.conf index 835273c..44872d5 100644 --- a/ocserv.conf +++ b/ocserv.conf @@ -282,12 +282,12 @@ route = 192.168.1.0/255.255.255.0 # The name of the group that if selected it would allow to use # the assigned by default group. -default-select-group = DEFAULT +#default-select-group = DEFAULT # Instead of specifying manually all the allowed groups, you may instruct # ocserv to scan all available groups and include the full list. That # option is only functional on plain authentication. -auto-select-group = true +#auto-select-group = true # The system command to use to setup a route. %R will be replaced with the # route/mask and %D with the (tun) device. 
From 948b6e77129cadee32cf20c26f7c1b9f15358aee Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Tue, 5 Aug 2014 09:53:54 +0200 Subject: [PATCH 035/177] rebuilt for new protobuf-c --- ocserv.spec | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/ocserv.spec b/ocserv.spec index 630abca..ce36bfa 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -1,6 +1,6 @@ Name: ocserv Version: 0.8.2 -Release: 1%{?dist} +Release: 2%{?dist} Summary: OpenConnect SSL VPN server # For a breakdown of the licensing, see PACKAGE-LICENSING @@ -73,6 +73,7 @@ sed -i 's/run-as-group = nogroup/run-as-group = nobody/g' tests/*.config # GPLv3 in headers is a gnulib bug: # http://lists.gnu.org/archive/html/bug-gnulib/2013-11/msg00062.html sed -i 's/either version 3 of the License/either version 2 of the License/g' build-aux/snippet/* +touch src/*.proto %build @@ -141,6 +142,9 @@ rm -rf %{buildroot} %{_localstatedir}/lib/ocserv/profile.xml %changelog +* Tue Aug 05 2014 Nikos Mavrogiannopoulos - 0.8.2-2 +- Rebuilt for new protobuf-c + * Mon Jul 28 2014 Nikos Mavrogiannopoulos - 0.8.2-1 - New upstream release From 98a738a2c747ded7232520af4fd2b5d190ce3c4f Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Fri, 8 Aug 2014 13:32:42 +0200 Subject: [PATCH 036/177] rebuilt --- ocserv.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/ocserv.spec b/ocserv.spec index ce36bfa..95a9f5e 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -1,6 +1,6 @@ Name: ocserv Version: 0.8.2 -Release: 2%{?dist} +Release: 3%{?dist} Summary: OpenConnect SSL VPN server # For a breakdown of the licensing, see PACKAGE-LICENSING @@ -142,6 +142,9 @@ rm -rf %{buildroot} %{_localstatedir}/lib/ocserv/profile.xml %changelog +* Fri Aug 08 2014 Nikos Mavrogiannopoulos - 0.8.2-3 +- Rebuilt + * Tue Aug 05 2014 Nikos Mavrogiannopoulos - 0.8.2-2 - Rebuilt for new protobuf-c From 320435c8641252703c1cd61ceeb772caaf37f163 Mon Sep 17 00:00:00 2001 
From: Peter Robinson Date: Sun, 17 Aug 2014 13:16:13 +0000 Subject: [PATCH 037/177] - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild --- ocserv.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/ocserv.spec b/ocserv.spec index 95a9f5e..e4f34a4 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -1,6 +1,6 @@ Name: ocserv Version: 0.8.2 -Release: 3%{?dist} +Release: 4%{?dist} Summary: OpenConnect SSL VPN server # For a breakdown of the licensing, see PACKAGE-LICENSING @@ -142,6 +142,9 @@ rm -rf %{buildroot} %{_localstatedir}/lib/ocserv/profile.xml %changelog +* Sun Aug 17 2014 Fedora Release Engineering - 0.8.2-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild + * Fri Aug 08 2014 Nikos Mavrogiannopoulos - 0.8.2-3 - Rebuilt From a6425598dcc825a47ad8cd0e2f236ef93d78d3d5 Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Thu, 28 Aug 2014 11:14:20 +0200 Subject: [PATCH 038/177] updated to 0.8.4 and removed unused file --- .gitignore | 2 ++ ocserv.spec | 10 +++++----- org.infradead.ocserv.conf | 14 -------------- sources | 4 ++-- 4 files changed, 9 insertions(+), 21 deletions(-) delete mode 100644 org.infradead.ocserv.conf diff --git a/.gitignore b/.gitignore index 3d40924..c4b2660 100644 --- a/.gitignore +++ b/.gitignore @@ -14,3 +14,5 @@ /ocserv-0.8.1.tar.xz.sig /ocserv-0.8.2.tar.xz /ocserv-0.8.2.tar.xz.sig +/ocserv-0.8.4.tar.xz +/ocserv-0.8.4.tar.xz.sig diff --git a/ocserv.spec b/ocserv.spec index e4f34a4..50e23d4 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -1,6 +1,6 @@ Name: ocserv -Version: 0.8.2 -Release: 4%{?dist} +Version: 0.8.4 +Release: 1%{?dist} Summary: OpenConnect SSL VPN server # For a breakdown of the licensing, see PACKAGE-LICENSING @@ -12,7 +12,6 @@ Source1: ocserv.conf Source2: ocserv.service Source3: ocserv-pamd.conf Source4: PACKAGE-LICENSING -Source5: org.infradead.ocserv.conf Source6: ftp://ftp.infradead.org/pub/ocserv/%{name}-%{version}.tar.xz.sig Source7: ocserv-genkey 
@@ -106,8 +105,6 @@ mkdir -p %{buildroot}/%{_sysconfdir}/pam.d/ mkdir -p %{buildroot}/%{_sysconfdir}/ocserv/ install -p -m 644 %{SOURCE3} %{buildroot}/%{_sysconfdir}/pam.d/ocserv install -p -m 644 %{SOURCE1} %{buildroot}/%{_sysconfdir}/ocserv/ -mkdir -p %{buildroot}/%{_sysconfdir}/dbus-1/system.d/ -install -p -m 644 %{SOURCE5} %{buildroot}/%{_sysconfdir}/dbus-1/system.d/ mkdir -p %{buildroot}/%{_unitdir} install -p -m 644 %{SOURCE2} %{buildroot}/%{_unitdir} mkdir -p %{buildroot}%{_localstatedir}/lib/ocserv/ @@ -142,6 +139,9 @@ rm -rf %{buildroot} %{_localstatedir}/lib/ocserv/profile.xml %changelog +* Thu Aug 28 2014 Nikos Mavrogiannopoulos - 0.8.4-1 +- New upstream release + * Sun Aug 17 2014 Fedora Release Engineering - 0.8.2-4 - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild diff --git a/org.infradead.ocserv.conf b/org.infradead.ocserv.conf deleted file mode 100644 index 8c69f93..0000000 --- a/org.infradead.ocserv.conf +++ /dev/null @@ -1,14 +0,0 @@ - - - - - - - - - - - - diff --git a/sources b/sources index e9ded37..a00d33a 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -fd890e121445dfe8bb514da67c91c675 ocserv-0.8.2.tar.xz -d7fb256c6b4c9837ffc16c9844ded77f ocserv-0.8.2.tar.xz.sig +3eb452fddebda887eaa5f6412dab634c ocserv-0.8.4.tar.xz +bd84f29bc6fb278c37275d1eca420145 ocserv-0.8.4.tar.xz.sig From 7152f9c08c4bf0d0f2ec7e074e290dd92fb0c94f Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Thu, 28 Aug 2014 11:30:22 +0200 Subject: [PATCH 039/177] removed unused config file --- ocserv.spec | 1 - 1 file changed, 1 deletion(-) diff --git a/ocserv.spec b/ocserv.spec index 50e23d4..b3341b5 100644 --- a/ocserv.spec +++ b/ocserv.spec 
@@ -123,7 +123,6 @@ rm -rf %{buildroot} %dir %{_sysconfdir}/ocserv %config(noreplace) %{_sysconfdir}/ocserv/ocserv.conf -%config(noreplace) %{_sysconfdir}/dbus-1/system.d/org.infradead.ocserv.conf %config(noreplace) %{_sysconfdir}/pam.d/ocserv %doc AUTHORS ChangeLog NEWS COPYING LICENSE README TODO PACKAGE-LICENSING From fcf19fcfacb2615df2ee4657d755b9d408e30d14 Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Tue, 9 Sep 2014 16:18:55 +0200 Subject: [PATCH 040/177] Ship a default ocserv-script, which will put connecting clients into the internal firewall zone. --- ocserv-script | 10 ++++++++++ ocserv.conf | 7 +++---- ocserv.spec | 10 +++++++++- 3 files changed, 22 insertions(+), 5 deletions(-) create mode 100755 ocserv-script diff --git a/ocserv-script b/ocserv-script new file mode 100755 index 0000000..b3e2061 --- /dev/null +++ b/ocserv-script @@ -0,0 +1,10 @@ +#!/bin/sh + +if [ "$REASON" = "connect" ];then + # add the user's interface into the internal zone + firewall-cmd --zone=internal --add-interface=$DEVICE +else + firewall-cmd --zone=internal --remove-interface=$DEVICE +fi + +exit 0 diff --git a/ocserv.conf b/ocserv.conf index 44872d5..b554b1d 100644 --- a/ocserv.conf +++ b/ocserv.conf @@ -151,8 +151,8 @@ rekey-method = ssl # DEVICE, IP_REAL (the real IP of the client), IP_LOCAL (the local IP # in the P-t-P connection), IP_REMOTE (the VPN IP of the client), # ID (a unique numeric ID); REASON may be "connect" or "disconnect". -#connect-script = /usr/bin/myscript -#disconnect-script = /usr/bin/myscript +#connect-script = /usr/bin/ocserv-script +#disconnect-script = /usr/bin/ocserv-script # UTMP use-utmp = true 
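Review bot: `$DEVICE` is expanded unquoted in both `firewall-cmd` calls, and the exit status of `firewall-cmd` is discarded by the unconditional `exit 0`, so a failed `--add-interface` presumably leaves the client's tun device in firewalld's default zone while ocserv sees success. Quote the expansion, `firewall-cmd --zone=internal --add-interface="$DEVICE"`, and either propagate the status (`exit $?` instead of `exit 0`) or at least report it with `logger`; which is appropriate depends on how ocserv treats a non-zero connect-script exit, which is not visible here. The `else` branch also runs `--remove-interface` for any REASON other than connect; the conf comment in the next hunk documents only connect and disconnect, so an explicit `elif [ "$REASON" = "disconnect" ]` would make the intent clear.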
@@ -285,8 +285,7 @@ route = 192.168.1.0/255.255.255.0 #default-select-group = DEFAULT # Instead of specifying manually all the allowed groups, you may instruct -# ocserv to scan all available groups and include the full list. That -# option is only functional on plain authentication. +# ocserv to scan all available groups and include the full list. #auto-select-group = true # The system command to use to setup a route. %R will be replaced with the diff --git a/ocserv.spec b/ocserv.spec index b3341b5..5474956 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -1,6 +1,6 @@ Name: ocserv Version: 0.8.4 -Release: 1%{?dist} +Release: 2%{?dist} Summary: OpenConnect SSL VPN server # For a breakdown of the licensing, see PACKAGE-LICENSING @@ -14,6 +14,7 @@ Source3: ocserv-pamd.conf Source4: PACKAGE-LICENSING Source6: ftp://ftp.infradead.org/pub/ocserv/%{name}-%{version}.tar.xz.sig Source7: ocserv-genkey +Source8: ocserv-script # Taken from upstream: # http://git.infradead.org/ocserv.git/commitdiff/7d70006a2dbddf783213f1856374bacc74217e09 @@ -111,6 +112,8 @@ mkdir -p %{buildroot}%{_localstatedir}/lib/ocserv/ install -p -m 644 doc/profile.xml %{buildroot}%{_localstatedir}/lib/ocserv/ mkdir -p %{buildroot}/%{_sbindir} install -p -m 755 %{SOURCE7} %{buildroot}/%{_sbindir} +mkdir -p %{buildroot}/%{_bindir} +install -p -m 755 %{SOURCE8} %{buildroot}/%{_bindir} %make_install %clean @@ -132,12 +135,17 @@ rm -rf %{buildroot} %{_mandir}/man8/ocpasswd.8* %{_bindir}/ocpasswd %{_bindir}/occtl +%{_bindir}/ocserv-script %{_sbindir}/ocserv %{_sbindir}/ocserv-genkey %{_unitdir}/ocserv.service %{_localstatedir}/lib/ocserv/profile.xml %changelog +* Thu Sep 09 2014 Nikos Mavrogiannopoulos - 0.8.4-2 +- Ship a default ocserv-script, which will put connecting clients + into the internal firewall zone. + * Thu Aug 28 2014 Nikos Mavrogiannopoulos - 0.8.4-1 - New upstream release From 35c982245e0be7e98ad70c428f3918200bd8290a Mon Sep 17 00:00:00 2001 
From: Nikos Mavrogiannopoulos Date: Mon, 27 Oct 2014 09:38:31 +0100 Subject: [PATCH 041/177] updated to 0.8.7 --- .gitignore | 2 ++ ocserv.spec | 7 +++++-- sources | 4 ++-- 3 files changed, 9 insertions(+), 4 deletions(-) diff --git a/.gitignore b/.gitignore index c4b2660..665d3e8 100644 --- a/.gitignore +++ b/.gitignore @@ -16,3 +16,5 @@ /ocserv-0.8.2.tar.xz.sig /ocserv-0.8.4.tar.xz /ocserv-0.8.4.tar.xz.sig +/ocserv-0.8.7.tar.xz.sig +/ocserv-0.8.7.tar.xz diff --git a/ocserv.spec b/ocserv.spec index 5474956..b763626 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -1,6 +1,6 @@ Name: ocserv -Version: 0.8.4 -Release: 2%{?dist} +Version: 0.8.7 +Release: 1%{?dist} Summary: OpenConnect SSL VPN server # For a breakdown of the licensing, see PACKAGE-LICENSING @@ -142,6 +142,9 @@ rm -rf %{buildroot} %{_localstatedir}/lib/ocserv/profile.xml %changelog +* Mon Oct 27 2014 Nikos Mavrogiannopoulos - 0.8.7-1 +- New upstream release + * Thu Sep 09 2014 Nikos Mavrogiannopoulos - 0.8.4-2 - Ship a default ocserv-script, which will put connecting clients into the internal firewall zone. diff --git a/sources b/sources index a00d33a..dee4776 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -3eb452fddebda887eaa5f6412dab634c ocserv-0.8.4.tar.xz -bd84f29bc6fb278c37275d1eca420145 ocserv-0.8.4.tar.xz.sig +b807339aed1d713a096d2533ae6da232 ocserv-0.8.7.tar.xz.sig +79c00132c3366bb60546f256068211eb ocserv-0.8.7.tar.xz From d6e127e82c763b6fadf6f28ed123c2f1af809c20 Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Mon, 27 Oct 2014 10:06:28 +0100 Subject: [PATCH 042/177] corrected bogus date --- ocserv.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ocserv.spec b/ocserv.spec index b763626..3ce7760 100644 --- a/ocserv.spec +++ b/ocserv.spec 
@@ -145,7 +145,7 @@ rm -rf %{buildroot} * Mon Oct 27 2014 Nikos Mavrogiannopoulos - 0.8.7-1 - New upstream release -* Thu Sep 09 2014 Nikos Mavrogiannopoulos - 0.8.4-2 +* Tue Sep 09 2014 Nikos Mavrogiannopoulos - 0.8.4-2 - Ship a default ocserv-script, which will put connecting clients into the internal firewall zone. From a13678e2eab657775cde28706066cf573bc72cc0 Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Wed, 26 Nov 2014 17:10:29 +0100 Subject: [PATCH 043/177] new upstream release Resolves: #1167692 --- .gitignore | 2 ++ ocserv.conf | 12 +++++++++--- ocserv.spec | 5 ++++- sources | 4 ++-- 4 files changed, 17 insertions(+), 6 deletions(-) diff --git a/.gitignore b/.gitignore index 665d3e8..5d57c42 100644 --- a/.gitignore +++ b/.gitignore @@ -18,3 +18,5 @@ /ocserv-0.8.4.tar.xz.sig /ocserv-0.8.7.tar.xz.sig /ocserv-0.8.7.tar.xz +/ocserv-0.8.8.tar.xz.sig +/ocserv-0.8.8.tar.xz diff --git a/ocserv.conf b/ocserv.conf index b554b1d..6871a25 100644 --- a/ocserv.conf +++ b/ocserv.conf @@ -1,10 +1,16 @@ -# User authentication method. Could be set multiple times and in that case -# all should succeed. -# Options: certificate, pam. +# User authentication method. Could be set multiple times and in +# that case all should succeed. To enable multiple methods use +# multiple auth directives. Available options: certificate, certificate[optional], +# plain, pam. #auth = "certificate" #auth = "plain[./sample.passwd]" auth = "pam" +# This indicates that a user may present a certificate. When that option +# is set, individual users or user groups can be forced to present a valid +# certificate by using "require-cert=true". +#auth = "certificate[optional]" + # The gid-min option is used by auto-select-group option, in order to # select the minimum group ID. #auth = "pam[gid-min=1000]" diff --git a/ocserv.spec b/ocserv.spec index 3ce7760..e2aa87d 100644 --- a/ocserv.spec +++ b/ocserv.spec 
@@ -1,5 +1,5 @@ Name: ocserv -Version: 0.8.7 +Version: 0.8.8 Release: 1%{?dist} Summary: OpenConnect SSL VPN server @@ -142,6 +142,9 @@ rm -rf %{buildroot} %{_localstatedir}/lib/ocserv/profile.xml %changelog +* Wed Nov 26 2014 Nikos Mavrogiannopoulos - 0.8.8-1 +- New upstream release + * Mon Oct 27 2014 Nikos Mavrogiannopoulos - 0.8.7-1 - New upstream release diff --git a/sources b/sources index dee4776..63a85e1 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -b807339aed1d713a096d2533ae6da232 ocserv-0.8.7.tar.xz.sig -79c00132c3366bb60546f256068211eb ocserv-0.8.7.tar.xz +de7faa9e1658dfea0f409fcc83fcb7ff ocserv-0.8.8.tar.xz.sig +d9b12a3fa976dfda3e4c0238173744e6 ocserv-0.8.8.tar.xz From 87a8dc624ef7819156303d653850ab59dfd2379e Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Thu, 11 Dec 2014 13:34:08 +0100 Subject: [PATCH 044/177] new upstream release --- .gitignore | 2 ++ ocserv.conf | 70 ++++++++++++++++++++++++++++++++++++++++------------- ocserv.spec | 5 +++- sources | 4 +-- 4 files changed, 61 insertions(+), 20 deletions(-) diff --git a/.gitignore b/.gitignore index 5d57c42..099ada9 100644 --- a/.gitignore +++ b/.gitignore @@ -20,3 +20,5 @@ /ocserv-0.8.7.tar.xz /ocserv-0.8.8.tar.xz.sig /ocserv-0.8.8.tar.xz +/ocserv-0.8.9.tar.xz.sig +/ocserv-0.8.9.tar.xz diff --git a/ocserv.conf b/ocserv.conf index 6871a25..2d6f6f9 100644 --- a/ocserv.conf +++ b/ocserv.conf 
@@ -22,13 +22,19 @@ auth = "pam" # to generate password entries. #auth = "plain[/etc/ocserv/ocpasswd]" +# Whether to enable seccomp worker isolation. That restricts the number of +# system calls allowed to a worker process, in order to reduce damage from a +# bug in the worker process. It is available on Linux systems at a performance cost. +#use-seccomp = true + +# Whether to enable the authentication method's session control (i.e., PAM). +# That requires more resources on the server, and makes cookies one-time-use; +# thus don't enable unless you need it. +#session-control = true + # A banner to be displayed on clients #banner = "Welcome" -# Use listen-host to limit to specific IPs or to the IPs of a provided -# hostname. -#listen-host = [IP|HOSTNAME] - # Limit the number of clients. Unset or set to zero for unlimited. #max-clients = 1024 max-clients = 16 @@ -41,10 +47,23 @@ max-clients = 16 # multiple times). Unset or set to zero for unlimited. max-same-clients = 2 +# Use listen-host to limit to specific IPs or to the IPs of a provided +# hostname. +#listen-host = [IP|HOSTNAME] + +# When the server has a dynamic DNS address (that may change), +# should set that to true to ask the client to resolve again on +# reconnects. +#listen-host-is-dyndns = true + # TCP and UDP port number tcp-port = 443 udp-port = 443 +# Accept connections using a socket file. The connections are +# forwarded without SSL/TLS. +listen-clear-file = /var/run/ocserv-conn.socket + # Keepalive in seconds keepalive = 32400 @@ -94,7 +113,6 @@ server-key = /etc/pki/ocserv/private/server.key # The Certificate Authority that will be used to verify # client certificates (public keys) if certificate authentication # is set. -#ca-cert = /path/to/ca.pem ca-cert = /etc/pki/ocserv/cacerts/ca.crt # The object identifier that will be used to read the user ID in the client 
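Review bot: `listen-clear-file = /var/run/ocserv-conn.socket` is the only new option in the second hunk of this ocserv.conf change that is shipped enabled, while its own comment says connections on it are forwarded without SSL/TLS; everything else added here (`listen-host-is-dyndns`, `use-seccomp`, `session-control`) is left commented out. Unless the package intends a local plaintext listener on every install, ship it as `#listen-clear-file = /var/run/ocserv-conn.socket` and have the comment say it is meant for a TLS-terminating front end on the same host. In the first hunk, `#use-seccomp = true` documents the worker sandbox but leaves it off; it is worth weighing an enabled default wherever the build supports it.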
@@ -113,10 +131,10 @@ ca-cert = /etc/pki/ocserv/cacerts/ca.crt #crl = /path/to/crl.pem # GnuTLS priority string -tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT" +tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0:-ARCFOUR-128" # To enforce perfect forward secrecy (PFS) on the main channel. -#tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA" +#tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128" # The time (in seconds) that a client is allowed to stay connected prior # to authentication @@ -135,7 +153,18 @@ auth-timeout = 40 #min-reauth-time = 2 # Cookie timeout (in seconds) -cookie-timeout = 360 +# Once a client is authenticated he's provided a cookie with +# which he can reconnect. That cookie will be invalided if not +# used within this timeout value. On a user disconnection, that +# cookie will also be active for this time amount prior to be +# invalid. That should allow a reasonable amount of time for roaming +# between different networks. +cookie-timeout = 300 + +# Whether roaming is allowed, i.e., if true a cookie is +# restricted to a single IP address and cannot be re-used +# from a different IP. +deny-roaming = false # ReKey time (in seconds) # ocserv will ask the client to refresh keys periodically once @@ -157,8 +186,8 @@ rekey-method = ssl # DEVICE, IP_REAL (the real IP of the client), IP_LOCAL (the local IP # in the P-t-P connection), IP_REMOTE (the VPN IP of the client), # ID (a unique numeric ID); REASON may be "connect" or "disconnect". -#connect-script = /usr/bin/ocserv-script -#disconnect-script = /usr/bin/ocserv-script +#connect-script = /scripts/ocserv-script +#disconnect-script = /scripts/ocserv-script # UTMP use-utmp = true @@ -171,6 +200,7 @@ use-occtl = true # if you use more than a single servers. #occtl-socket-file = /var/run/occtl.socket + # PID file. It can be overriden in the command line. #pid-file = /var/run/ocserv.pid 
@@ -254,7 +284,7 @@ ping-leases = false # # To set the server as the default gateway for the client just # comment out all routes from the server. -route = 192.168.1.0/255.255.255.0 +#route = 192.168.1.0/255.255.255.0 #route = 192.168.5.0/255.255.255.0 #route = fef4:db8:1000:1001::/64 @@ -291,17 +321,23 @@ route = 192.168.1.0/255.255.255.0 #default-select-group = DEFAULT # Instead of specifying manually all the allowed groups, you may instruct -# ocserv to scan all available groups and include the full list. +# ocserv to scan all available groups and include the full list. That +# option is only functional on plain authentication. #auto-select-group = true -# The system command to use to setup a route. %R will be replaced with the -# route/mask and %D with the (tun) device. +# The system command to use to setup a route. %{R} will be replaced with the +# route/mask and %{D} with the (tun) device. # -# The following example is from linux systems. %R should be something +# The following example is from linux systems. %{R} should be something # like 192.168.2.0/24 -route-add-cmd = "ip route add %R dev %D" -route-del-cmd = "ip route delete %R dev %D" +route-add-cmd = "ip route add %{R} dev %{D}" +route-del-cmd = "ip route delete %{R} dev %{D}" + +# This option allows to forward a proxy. The special strings '%{U}' +# and '%{G}', if present will be replaced by the username and group name. +#proxy-url = http://example.com/ +#proxy-url = http://example.com/%{U}/%{G}/hello # # The following options are for (experimental) AnyConnect client diff --git a/ocserv.spec b/ocserv.spec index e2aa87d..8dc9f4d 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -1,5 +1,5 @@ Name: ocserv -Version: 0.8.8 +Version: 0.8.9 Release: 1%{?dist} Summary: OpenConnect SSL VPN server 
@@ -142,6 +142,9 @@ rm -rf %{buildroot} %{_localstatedir}/lib/ocserv/profile.xml %changelog +* Thu Dec 11 2014 Nikos Mavrogiannopoulos - 0.8.9-1 +- New upstream release + * Wed Nov 26 2014 Nikos Mavrogiannopoulos - 0.8.8-1 - New upstream release diff --git a/sources b/sources index 63a85e1..3900854 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -de7faa9e1658dfea0f409fcc83fcb7ff ocserv-0.8.8.tar.xz.sig -d9b12a3fa976dfda3e4c0238173744e6 ocserv-0.8.8.tar.xz +5ea9824e39ca125260b67a1379f42036 ocserv-0.8.9.tar.xz.sig +cd935cc89bffac75c825e66ef71f6a73 ocserv-0.8.9.tar.xz From e46482a0cf259e9e55ecd58d5153afdb31fc71be Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Thu, 11 Dec 2014 13:40:49 +0100 Subject: [PATCH 045/177] updated for bundled script --- ocserv.conf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ocserv.conf b/ocserv.conf index 2d6f6f9..b754103 100644 --- a/ocserv.conf +++ b/ocserv.conf @@ -186,8 +186,8 @@ rekey-method = ssl # DEVICE, IP_REAL (the real IP of the client), IP_LOCAL (the local IP # in the P-t-P connection), IP_REMOTE (the VPN IP of the client), # ID (a unique numeric ID); REASON may be "connect" or "disconnect". -#connect-script = /scripts/ocserv-script -#disconnect-script = /scripts/ocserv-script +#connect-script = /usr/bin/ocserv-script +#disconnect-script = /usr/bin/ocserv-script # UTMP use-utmp = true From a6a5de2d906c89b130eeb0f73786c1dc7efbcbe4 Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Mon, 29 Dec 2014 13:02:34 +0200 Subject: [PATCH 046/177] Added seccomp dependency --- ocserv.spec | 1 + 1 file changed, 1 insertion(+) diff --git a/ocserv.spec b/ocserv.spec index 8dc9f4d..c1a22a8 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -30,6 +30,7 @@ BuildRequires: protobuf-c-devel BuildRequires: libnl3-devel BuildRequires: readline-devel BuildRequires: autogen +BuildRequires: libseccomp-devel BuildRequires: pcllib-devel BuildRequires: libtalloc-devel BuildRequires: http-parser-devel 
From 14a5206c7191fe705f4af4a17058baa44e8b0c8b Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos
Date: Mon, 5 Jan 2015 13:55:20 +0100
Subject: [PATCH 047/177] ocserv.service: depend on network-online.target (#1178760)
---
 ocserv.service | 2 +-
 ocserv.spec | 5 ++++-
 2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/ocserv.service b/ocserv.service
index 3f6a3e2..4fe4813 100644
--- a/ocserv.service
+++ b/ocserv.service
@@ -2,7 +2,7 @@ Description=OpenConnect SSL VPN server
 Documentation=man:ocserv(8)
 After=syslog.target
-After=network.target
+After=network-online.target
 After=dbus.service
 [Service]
diff --git a/ocserv.spec b/ocserv.spec
index c1a22a8..daee557 100644
--- a/ocserv.spec
+++ b/ocserv.spec
@@ -1,6 +1,6 @@
 Name: ocserv
 Version: 0.8.9
-Release: 1%{?dist}
+Release: 2%{?dist}
 Summary: OpenConnect SSL VPN server
 # For a breakdown of the licensing, see PACKAGE-LICENSING
@@ -143,6 +143,9 @@ rm -rf %{buildroot}
 %{_localstatedir}/lib/ocserv/profile.xml
 %changelog
+* Mon Jan 5 2015 Nikos Mavrogiannopoulos - 0.8.9-2
+- ocserv.service: depend on network-online.target (#1178760)
+
 * Thu Dec 11 2014 Nikos Mavrogiannopoulos - 0.8.9-1
 - New upstream release
From 8ab678bc477d4a3e56befe798c80920e015ae24e Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos
Date: Tue, 6 Jan 2015 10:40:15 +0100
Subject: [PATCH 048/177] disable seccomp on arm
---
 ocserv.spec | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/ocserv.spec b/ocserv.spec
index daee557..eee476d 100644
--- a/ocserv.spec
+++ b/ocserv.spec
@@ -78,7 +78,11 @@ touch src/*.proto
 %build
-%configure
+%configure \
+%ifarch %{arm}
+ --disable-seccomp \
+%endif
+ --enable-systemd
 make %{?_smp_mflags}
From cbda7da2bc8e6e7ed18bd03c400932019e70e2c4 Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos
Date: Tue, 6 Jan 2015 11:08:22 +0100
Subject: [PATCH 049/177] mention the enabling of seccomp
---
 ocserv.spec | 1 +
 1 file changed, 1 insertion(+)
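Review bot: `After=network-online.target` only orders ocserv after that target; it does not pull the target in, so without a matching `Wants=` in the same [Unit] section network-online.target may never be activated and the service can still start before the network is up, which is the situation #1178760 describes. Add `Wants=network-online.target` next to the new `After=` line. The [Unit] section's first line is outside this hunk.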
diff --git a/ocserv.spec b/ocserv.spec
index eee476d..1a88255 100644
--- a/ocserv.spec
+++ b/ocserv.spec
@@ -149,6 +149,7 @@ rm -rf %{buildroot}
 %changelog
 * Mon Jan 5 2015 Nikos Mavrogiannopoulos - 0.8.9-2
 - ocserv.service: depend on network-online.target (#1178760)
+- enable seccomp
 * Thu Dec 11 2014 Nikos Mavrogiannopoulos - 0.8.9-1
 - New upstream release
From 0696cb0ce8a15c6948a11cc968400c5298e42bd2 Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos
Date: Tue, 6 Jan 2015 11:54:39 +0100
Subject: [PATCH 050/177] enable seccomp on x86 platforms only
---
 ocserv.spec | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/ocserv.spec b/ocserv.spec
index 1a88255..2e3431f 100644
--- a/ocserv.spec
+++ b/ocserv.spec
@@ -30,7 +30,9 @@ BuildRequires: protobuf-c-devel
 BuildRequires: libnl3-devel
 BuildRequires: readline-devel
 BuildRequires: autogen
+%ifarch %{ix86} x86_64
 BuildRequires: libseccomp-devel
+%endif
 BuildRequires: pcllib-devel
 BuildRequires: libtalloc-devel
 BuildRequires: http-parser-devel
@@ -79,9 +81,6 @@ touch src/*.proto
 %build
 %configure \
-%ifarch %{arm}
- --disable-seccomp \
-%endif
 --enable-systemd
 make %{?_smp_mflags}
@@ -149,7 +148,7 @@ rm -rf %{buildroot}
 %changelog
 * Mon Jan 5 2015 Nikos Mavrogiannopoulos - 0.8.9-2
 - ocserv.service: depend on network-online.target (#1178760)
-- enable seccomp
+- enable seccomp (on platforms it is available)
 * Thu Dec 11 2014 Nikos Mavrogiannopoulos - 0.8.9-1
 - New upstream release
From a7f82c575368a44e9aaa01a9e24d89c966935f82 Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos
Date: Tue, 6 Jan 2015 16:38:41 +0100
Subject: [PATCH 051/177] Comply with system-wide crypto policies
Resolves: rhbz#1179332
---
 ocserv.conf | 3 ++-
 ocserv.spec | 5 ++++-
 2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/ocserv.conf b/ocserv.conf
index b754103..04e5b0e 100644
--- a/ocserv.conf
+++ b/ocserv.conf
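Review bot: After the `%ifarch %{ix86} x86_64` guard on `BuildRequires: libseccomp-devel` and the removal of the arm `--disable-seccomp` block, `%configure` is passed no seccomp switch at all, so whether the worker sandbox is built now depends on configure's auto-detection of whatever happens to be in the buildroot. Mirroring the guard at configure time, `--enable-seccomp` inside the same `%ifarch` and `--disable-seccomp` otherwise (assuming configure accepts the enable form, as the existing `--disable-seccomp` suggests), would make the outcome explicit and turn a missing library into a build failure rather than a silently unsandboxed binary. The `%build` section continues outside the hunk.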
@@ -131,7 +131,8 @@ ca-cert = /etc/pki/ocserv/cacerts/ca.crt
 #crl = /path/to/crl.pem
 # GnuTLS priority string
-tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0:-ARCFOUR-128"
+#tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0:-ARCFOUR-128"
+tls-priorities = "@SYSTEM"
 # To enforce perfect forward secrecy (PFS) on the main channel.
 #tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128"
diff --git a/ocserv.spec b/ocserv.spec
index 2e3431f..e428c08 100644
--- a/ocserv.spec
+++ b/ocserv.spec
@@ -1,6 +1,6 @@
 Name: ocserv
 Version: 0.8.9
-Release: 2%{?dist}
+Release: 3%{?dist}
 Summary: OpenConnect SSL VPN server
 # For a breakdown of the licensing, see PACKAGE-LICENSING
@@ -146,6 +146,9 @@ rm -rf %{buildroot}
 %{_localstatedir}/lib/ocserv/profile.xml
 %changelog
+* Tue Jan 6 2015 Nikos Mavrogiannopoulos - 0.8.9-3
+- Comply with system-wide crypto policies (#1179332)
+
 * Mon Jan 5 2015 Nikos Mavrogiannopoulos - 0.8.9-2
 - ocserv.service: depend on network-online.target (#1178760)
 - enable seccomp (on platforms it is available)
From 9a2398b5eb24cd268da6b47ff6b59687186bd0cd Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos
Date: Fri, 9 Jan 2015 13:13:33 +0100
Subject: [PATCH 052/177] enable PIE
---
 ocserv.spec | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/ocserv.spec b/ocserv.spec
index e428c08..313ea6d 100644
--- a/ocserv.spec
+++ b/ocserv.spec
@@ -1,6 +1,8 @@
+%global _hardened_build 1
+
 Name: ocserv
 Version: 0.8.9
-Release: 3%{?dist}
+Release: 4%{?dist}
 Summary: OpenConnect SSL VPN server
 # For a breakdown of the licensing, see PACKAGE-LICENSING
@@ -146,6 +148,9 @@ rm -rf %{buildroot}
 %{_localstatedir}/lib/ocserv/profile.xml
 %changelog
+* Fri Jan 9 2015 Nikos Mavrogiannopoulos - 0.8.9-4
+- enable PIE
+
 * Tue Jan 6 2015 Nikos Mavrogiannopoulos - 0.8.9-3
 - Comply with system-wide crypto policies (#1179332)
From ed496f82a18c3c918d4233881be60934e44fa360 Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos
Date: Tue, 13 Jan 2015 09:50:05 +0100
Subject: [PATCH 053/177] compile without support for smp to prevent issues with autogen
---
 ocserv.spec | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ocserv.spec b/ocserv.spec
index 313ea6d..3e8ed6a 100644
--- a/ocserv.spec
+++ b/ocserv.spec
@@ -85,7 +85,7 @@ touch src/*.proto
 %configure \
 --enable-systemd
-make %{?_smp_mflags}
+make #%{?_smp_mflags}
 %pre
 getent group ocserv &>/dev/null || groupadd -r ocserv
From d2cb3ed97fa26118ea203109b57485e30ff5b027 Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos
Date: Thu, 22 Jan 2015 11:41:49 +0100
Subject: [PATCH 054/177] new upstream release
---
 .gitignore | 2 +
 ocserv.conf | 231 ++++++++++++++++++++++++++++++++++------------------
 ocserv.spec | 8 +-
 sources | 4 +-
 4 files changed, 160 insertions(+), 85 deletions(-)
diff --git a/.gitignore b/.gitignore
index 099ada9..0ef6c80 100644
--- a/.gitignore
+++ b/.gitignore
@@ -22,3 +22,5 @@
 /ocserv-0.8.8.tar.xz
 /ocserv-0.8.9.tar.xz.sig
 /ocserv-0.8.9.tar.xz
+/ocserv-0.9.0.tar.xz
+/ocserv-0.9.0.tar.xz.sig
diff --git a/ocserv.conf b/ocserv.conf
index 04e5b0e..aa5dbaf 100644
--- a/ocserv.conf
+++ b/ocserv.conf
@@ -1,36 +1,47 @@ # User authentication method. Could be set multiple times and in # that case all should succeed. To enable multiple methods use # multiple auth directives. Available options: certificate, certificate[optional], -# plain, pam. -#auth = "certificate" -#auth = "plain[./sample.passwd]" -auth = "pam" +# plain, pam, radius[configfile,groupconfig]. -# This indicates that a user may present a certificate. When that option +# certificate: +# This indicates that all connecting users must present a certificate. +# +# certificate[optional]: +# This indicates that a user may present a certificate. When that option # is set, individual users or user groups can be forced to present a valid -# certificate by using "require-cert=true". -#auth = "certificate[optional]" - -# The gid-min option is used by auto-select-group option, in order to -# select the minimum group ID. -#auth = "pam[gid-min=1000]" - -# The plain option requires specifying a password file which contains +# certificate by adding "require-cert=true" in the per-user configuration file. +# +# pam[gid-min=1000]: +# The gid-min option is used by auto-select-group option, in order to +# select the minimum valid group ID. +# +# plain[/etc/ocserv/ocpasswd] +# The plain option requires specifying a password file which contains # entries of the following format. -# "username:groupname:encoded-password" -# One entry must be listed per line, and 'ocpasswd' can be used +# "username:groupname1,groupname2:encoded-password" +# One entry must be listed per line, and 'ocpasswd' should be used # to generate password entries. +# +# radius[/etc/radiusclient/radiusclient.conf,groupconfig]: +# The radius option requires specifying freeradius-client configuration +# file. If the groupconfig option is set, then config-per-user will be overriden, +# and all configuration will be read from radius. 
The supported atributes for +# radius configuration are: +# Group-Name, Framed-IPv6-Address, Framed-IPv6-Prefix, DNS-Server-IPv6-Address, +# Framed-IP-Address, Framed-IP-Netmask, MS-Primary-DNS-Server, MS-Secondary-DNS-Server + +#auth = "certificate" +#auth = "certificate[optional]" +auth = "pam" +#auth = "pam[gid-min=1000]" #auth = "plain[/etc/ocserv/ocpasswd]" +#auth = "radius[/etc/radiusclient/radiusclient.conf,groupconfig]" -# Whether to enable seccomp worker isolation. That restricts the number of +# Whether to enable seccomp/Linux namespaces worker isolation. That restricts the number of # system calls allowed to a worker process, in order to reduce damage from a # bug in the worker process. It is available on Linux systems at a performance cost. -#use-seccomp = true - -# Whether to enable the authentication method's session control (i.e., PAM). -# That requires more resources on the server, and makes cookies one-time-use; -# thus don't enable unless you need it. -#session-control = true +# The performance cost is roughly 2% overhead at transfer time (tested on a Linux 3.17.8). +isolate-workers = true # A banner to be displayed on clients #banner = "Welcome" 
@@ -60,21 +71,34 @@ max-same-clients = 2 tcp-port = 443 udp-port = 443 -# Accept connections using a socket file. The connections are -# forwarded without SSL/TLS. -listen-clear-file = /var/run/ocserv-conn.socket +# Accept connections using a socket file. It accepts HTTP +# connections (i.e., without SSL/TLS unlike its TCP counterpart), +# and uses it as the primary channel. That option cannot be +# combined with certificate authentication. +#listen-clear-file = /var/run/ocserv-conn.socket + +# Stats report time. The number of seconds after which each +# worker process will report its usage statistics (number of +# bytes transferred etc). This is useful when accounting like +# radius is in use. +#stats-report-time = 360 # Keepalive in seconds keepalive = 32400 # Dead peer detection in seconds. +# Note that when the client is behind a NAT this value +# needs to be short enough to prevent the NAT disassociating +# his UDP session from the port number. Otherwise the client +# could have his UDP connection stalled, for several minutes. dpd = 90 -# Dead peer detection for mobile clients. The needs to -# be much higher to prevent such clients being awaken too +# Dead peer detection for mobile clients. That needs to +# be higher to prevent such clients being awaken too # often by the DPD messages, and save battery. -# (clients that send the X-AnyConnect-Identifier-DeviceType) -#mobile-dpd = 1800 +# The mobile clients are distinguished from the header +# 'X-AnyConnect-Identifier-DeviceType'. +mobile-dpd = 1800 # MTU discovery (DPD must be enabled) try-mtu-discovery = false 
@@ -84,8 +108,11 @@ try-mtu-discovery = false # tpmkey:uuid=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx;storage=user # or pkcs11:object=my-vpn-key;object-type=private) # -# There may be multiple certificate and key pairs and each key -# should correspond to the preceding certificate. +# The server-cert file may contain a single certificate, or +# a sorted certificate chain. +# +# There may be multiple server-cert and server-key directives, +# but each key should correspond to the preceding certificate. server-cert = /etc/pki/ocserv/public/server.crt server-key = /etc/pki/ocserv/private/server.key 
@@ -128,13 +155,29 @@ ca-cert = /etc/pki/ocserv/cacerts/ca.crt #cert-group-oid = 2.5.4.11 # The revocation list of the certificates issued by the 'ca-cert' above. +# See the manual to generate an empty CRL initially. #crl = /path/to/crl.pem -# GnuTLS priority string -#tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0:-ARCFOUR-128" +# Uncomment this to enable compression negotiation (LZS, LZ4). +#compression = true + +# Set the minimum size under which a packet will not be compressed. +# That is to allow low-latency for VoIP packets. The default size +# is 256 bytes. Modify it if the clients typically use compression +# as well of VoIP with codecs that exceed the default value. +#no-compress-limit = 256 + +# GnuTLS priority string; note that SSL 3.0 is disabled by default +# as there are no openconnect (and possibly anyconnect clients) using +# that protocol. The string below does not enforce perfect forward +# secrecy, in order to be compatible with legacy clients. +#tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0" tls-priorities = "@SYSTEM" -# To enforce perfect forward secrecy (PFS) on the main channel. +# More combinations in priority strings are available, check +# http://gnutls.org/manual/html_node/Priority-Strings.html +# E.g., the string below enforces perfect forward secrecy (PFS) +# on the main channel. #tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128" # The time (in seconds) that a client is allowed to stay connected prior 
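Review bot: The comment above the new `#compression = true` option names the algorithms (LZS, LZ4) but says nothing about the trade-off, and compressing tunnel traffic that mixes attacker-influenced data with secrets is the pattern behind CRIME/BREACH-class plaintext leaks, which is the usual reason such options default to off. A line such as `# Compression can leak information about the encrypted payload; leave it off unless the traffic is known not to be sensitive to this.` would let administrators make that call. The rewritten GnuTLS comment is otherwise an improvement, and keeping `tls-priorities = "@SYSTEM"` as the live value with the explicit string only as a commented example preserves the crypto-policy integration.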
@@ -181,16 +224,25 @@ rekey-time = 172800 # option. rekey-method = ssl -# Script to call when a client connects and obtains an IP -# Parameters are passed on the environment. +# Script to call when a client connects and obtains an IP. +# The following parameters are passed on the environment. # REASON, USERNAME, GROUPNAME, HOSTNAME (the hostname selected by client), # DEVICE, IP_REAL (the real IP of the client), IP_LOCAL (the local IP # in the P-t-P connection), IP_REMOTE (the VPN IP of the client), +# IPV6_LOCAL (the IPv6 local address if there are both IPv4 and IPv6 +# assigned), IPV6_REMOVE (the IPv6 remote address), and # ID (a unique numeric ID); REASON may be "connect" or "disconnect". + +# The disconnect script will receive the additional values: STATS_BYTES_IN, +# STATS_BYTES_OUT, STATS_DURATION that contain a 64-bit counter of the bytes +# output from the tun device, and the duration of the session in seconds. + #connect-script = /usr/bin/ocserv-script #disconnect-script = /usr/bin/ocserv-script # UTMP +# Register the connected clients to utmp. This will allow viewing +# the connected clients using the command 'who'. use-utmp = true # Whether to enable support for the occtl tool (i.e., either through D-BUS, @@ -201,14 +253,13 @@ use-occtl = true # if you use more than a single servers. #occtl-socket-file = /var/run/occtl.socket - # PID file. It can be overriden in the command line. #pid-file = /var/run/ocserv.pid # The default server directory. Does not require any devices present. chroot-dir = /var/lib/ocserv -# socket file used for IPC, will be appended with .PID +# socket file used for server IPC (worker-main), will be appended with .PID # It must be accessible within the chroot environment (if any) socket-file = ocserv.sock @@ -232,7 +283,7 @@ run-as-group = ocserv # Network settings # -# The name of the tun device +# The name to use for the tun device device = vpns # Whether the generated IPs will be predictable, i.e., IP stays the 
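Review bot: The added script-environment documentation lists `IPV6_REMOVE (the IPv6 remote address)`, which reads like a typo for `IPV6_REMOTE` given the description and the sibling `IPV6_LOCAL`/`IP_REMOTE` names; an administrator copying the name from this file would read an unset variable, so it is worth checking against the upstream manual and correcting the line. The new disconnect-script paragraph says the STATS values contain a counter "of the bytes output from the tun device" while naming both `STATS_BYTES_IN` and `STATS_BYTES_OUT`; stating which direction each counts would remove the ambiguity.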
@@ -243,20 +294,22 @@ predictable-ips = true default-domain = example.com # The pool of addresses that leases will be given from. -ipv4-network = 192.168.1.0 -ipv4-netmask = 255.255.255.0 +#ipv4-network = 192.168.1.0 +#ipv4-netmask = 255.255.255.0 + +# An alternative way of specifying the network: +#ipv4-network = 192.168.1.0/24 # The advertized DNS server. Use multiple lines for # multiple servers. # dns = fc00::4be0 -dns = 192.168.1.2 +#dns = 192.168.1.2 # The NBNS server (if any) #nbns = 192.168.1.3 # The IPv6 subnet that leases will be given from. -#ipv6-network = fc00:: -#ipv6-prefix = 16 +#ipv6-network = fda9:4efe:7e3b:03ea::/64 # The domains over which the provided DNS should be used. Use # multiple lines for multiple domains. @@ -264,10 +317,13 @@ dns = 192.168.1.2 # Prior to leasing any IP from the pool ping it to verify that # it is not in use by another (unrelated to this server) host. +# Only set to true, if there can be occupied addresses in the +# IP range for leases. ping-leases = false -# Unset to assign the default MTU of the device -# mtu = +# Use this option to enforce an MTU value to the incoming +# connections. Unset to use the default MTU of the TUN device. +#mtu = 1420 # Unset to enable bandwidth restrictions (in bytes/sec). The # setting here is global, but can also be set per user or per group. 
@@ -284,84 +340,97 @@ ping-leases = false # config-per-user/group or even connect and disconnect scripts. # # To set the server as the default gateway for the client just -# comment out all routes from the server. +# comment out all routes from the server, or use the special keyword +# 'default'. + #route = 192.168.1.0/255.255.255.0 #route = 192.168.5.0/255.255.255.0 #route = fef4:db8:1000:1001::/64 +# Groups that a client is allowed to select from. +# A client may belong in multiple groups, and in certain use-cases +# it is needed to switch between them. For these cases the client can +# select prior to authentication. Add multiple entries for multiple groups. +# The group may be followed by a user-friendly name in brackets. +#select-group = group1 +#select-group = group2[My special group] + +# The name of the (virtual) group that if selected it would assign the user +# to its default group. +#default-select-group = DEFAULT + +# Instead of specifying manually all the allowed groups, you may instruct +# ocserv to scan all available groups and include the full list. +#auto-select-group = true + # Configuration files that will be applied per user connection or # per group. Each file name on these directories must match the username # or the groupname. # The options allowed in the configuration files are dns, nbns, -# ipv?-network, ipv4-netmask, ipv6-prefix, rx/tx-per-sec, iroute, route, -# net-priority and cgroup. +# ipv?-network, ipv4-netmask, rx/tx-per-sec, iroute, route, +# net-priority, deny-roaming, no-udp, user-profile, require-cert, and cgroup. # # Note that the 'iroute' option allows to add routes on the server # based on a user or group. The syntax depends on the input accepted -# by the commands route-add-cmd and route-del-cmd (see below). +# by the commands route-add-cmd and route-del-cmd (see below). The no-udp +# is a boolean option (e.g., no-udp = true), and will prevent a UDP session +# for that specific user or group. 
 #config-per-user = /etc/ocserv/config-per-user/
 #config-per-group = /etc/ocserv/config-per-group/
 
 # When config-per-xxx is specified and there is no group or user that
 # matches, then utilize the following configuration.
-
 #default-user-config = /etc/ocserv/defaults/user.conf
 #default-group-config = /etc/ocserv/defaults/group.conf
 
-# Groups that a client is allowed to select from.
-# A client may belong in multiple groups, and in certain use-cases
-# it is needed to switch between them. For these cases the client can
-# select prior to authentication. Add multiple entries for multiple groups.
-#select-group = group1
-#select-group = group2[My group 2]
-#select-group = tost[The tost group]
-
-# The name of the group that if selected it would allow to use
-# the assigned by default group.
-#default-select-group = DEFAULT
-
-# Instead of specifying manually all the allowed groups, you may instruct
-# ocserv to scan all available groups and include the full list. That
-# option is only functional on plain authentication.
-#auto-select-group = true
+# This option is only valid in a user/group configuration file. If the
+# auth mode is certificate[optional], it requires a certificate for this
+# particular user or group.
+#require-cert = true
 
 # The system command to use to setup a route. %{R} will be replaced with the
 # route/mask and %{D} with the (tun) device.
 #
-# The following example is from linux systems. %{R} should be something
-# like 192.168.2.0/24
+# The following example is from linux systems. %R should be something
+# like 192.168.2.0/24 (the argument of iroute).
 route-add-cmd = "ip route add %{R} dev %{D}"
 route-del-cmd = "ip route delete %{R} dev %{D}"
 
-# This option allows to forward a proxy. The special strings '%{U}'
+# This option allows to forward a proxy. The special keywords '%{U}'
 # and '%{G}', if present will be replaced by the username and group name.
 #proxy-url = http://example.com/
-#proxy-url = http://example.com/%{U}/%{G}/hello
+#proxy-url = http://example.com/%{U}/
 
 #
 # The following options are for (experimental) AnyConnect client
 # compatibility.
 
+# This option must be set to true to support legacy CISCO clients.
+# A side effect of this option is that it will no longer be required
+# for clients to present their certificate on every connection.
+# That is they may resume a cookie without presenting a certificate
+# (when certificate authentication is used).
+cisco-client-compat = true
+
 # Client profile xml. A sample file exists in doc/profile.xml.
+# It is required by some of the CISCO clients.
 # This file must be accessible from inside the worker's chroot.
-# It is not used by the openconnect client.
 user-profile = profile.xml
 
 # Binary files that may be downloaded by the CISCO client. Must
-# be within any chroot environment.
+# be within any chroot environment. Normally you don't need
+# to use this option.
 #binary-files = /path/to/binaries
 
-# Unless set to false it is required for clients to present their
-# certificate even if they are authenticating via a previously granted
-# cookie and complete their authentication in the same TCP connection.
-# Legacy CISCO clients do not do that, and thus this option should be
-# set for them.
-cisco-client-compat = true
-
 #Advanced options
 
 # Option to allow sending arbitrary custom headers to the client after
-# authentication and prior to VPN tunnel establishment.
+# authentication and prior to VPN tunnel establishment. You shouldn't
+# need to use this option normally; if you do and you think that
+# this may help others, please send your settings and reason to
+# the openconnect mailing list. The special keywords '%{U}'
+# and '%{G}', if present will be replaced by the username and group name.
 #custom-header = "X-My-Header: hi there"
+
diff --git a/ocserv.spec b/ocserv.spec
index 3e8ed6a..6908137 100644
--- a/ocserv.spec
+++ b/ocserv.spec
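Review bot: The rewritten comment above `route-add-cmd` now says `%R` while both commands still use `%{R}`, so the new text documents a placeholder the commands do not use; it should read `# The following example is from linux systems. %{R} should be something`. Separately, `cisco-client-compat = true` is shipped enabled in the packaged default, and its own new comment states that a client may then resume a cookie without presenting a certificate when certificate authentication is used. For a distribution default I would ship it as `#cisco-client-compat = true` so that deployments with legacy clients opt in, or at minimum add `# Enabled for AnyConnect compatibility; set to false when all clients are openconnect and certificate auth is used.` above it. This hunk spans several chunk lines; the points apply to the route-add-cmd paragraph and the relocated cisco-client-compat block.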
@@ -1,8 +1,8 @@
 %global _hardened_build 1
 
 Name: ocserv
-Version: 0.8.9
-Release: 4%{?dist}
+Version: 0.9.0
+Release: 1%{?dist}
 Summary: OpenConnect SSL VPN server
 
 # For a breakdown of the licensing, see PACKAGE-LICENSING
@@ -32,6 +32,7 @@ BuildRequires: protobuf-c-devel
 BuildRequires: libnl3-devel
 BuildRequires: readline-devel
 BuildRequires: autogen
+BuildRequires: gperf
 %ifarch %{ix86} x86_64
 BuildRequires: libseccomp-devel
 %endif
@@ -148,6 +149,9 @@ rm -rf %{buildroot}
 %{_localstatedir}/lib/ocserv/profile.xml
 
 %changelog
+* Thu Jan 22 2015 Nikos Mavrogiannopoulos - 0.9.0-1
+- new upstream release
+
 * Fri Jan 9 2015 Nikos Mavrogiannopoulos - 0.8.9-4
 - enable PIE
 
diff --git a/sources b/sources
index 3900854..cb7074e 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-5ea9824e39ca125260b67a1379f42036 ocserv-0.8.9.tar.xz.sig
-cd935cc89bffac75c825e66ef71f6a73 ocserv-0.8.9.tar.xz
+50994bf7e40fd6bedda33bb2f99b1f11 ocserv-0.9.0.tar.xz
+62942bdda7e101c0049622c68fd13dd4 ocserv-0.9.0.tar.xz.sig

From 612fa73824993c929805b221624cab2922295266 Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos
Date: Thu, 29 Jan 2015 14:08:58 +0100
Subject: [PATCH 055/177] Do not enable seccomp in x86. It is broken.

---
 ocserv.spec | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/ocserv.spec b/ocserv.spec
index 6908137..8b22302 100644
--- a/ocserv.spec
+++ b/ocserv.spec
@@ -2,7 +2,7 @@
 
 Name: ocserv
 Version: 0.9.0
-Release: 1%{?dist}
+Release: 2%{?dist}
 Summary: OpenConnect SSL VPN server
 
 # For a breakdown of the licensing, see PACKAGE-LICENSING
@@ -33,7 +33,7 @@ BuildRequires: libnl3-devel
 BuildRequires: readline-devel
 BuildRequires: autogen
 BuildRequires: gperf
-%ifarch %{ix86} x86_64
+%ifarch x86_64 #%{ix86}
 BuildRequires: libseccomp-devel
 %endif
 BuildRequires: pcllib-devel
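Review bot: `%ifarch x86_64 #%{ix86}` does not, as far as I can tell, remove the 32-bit x86 architectures from the conditional: rpm expands macros on the line before `%ifarch` reads its argument list and `#` is not a comment marker in that position, so the list presumably becomes `x86_64 #i386 i486 i586 i686 ...` where only the first expanded token carries the `#` and i686 (the arch Fedora actually builds 32-bit packages for) still matches. The build would then keep `BuildRequires: libseccomp-devel` on x86, contrary to the intent of the commit and its changelog entry. Use `%ifarch x86_64` alone and keep the rationale as a separate comment line above it, escaping the macro so it is not expanded in the comment: `# %%{ix86} omitted: seccomp is broken there, see the libseccomp list thread in the changelog`.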
@@ -149,6 +149,10 @@ rm -rf %{buildroot}
 %{_localstatedir}/lib/ocserv/profile.xml
 
 %changelog
+* Thu Jan 29 2015 Nikos Mavrogiannopoulos - 0.9.0-2
+- only enable seccomp in x86-64. It seems to be broken in x86:
+ http://sourceforge.net/p/libseccomp/mailman/message/33275762/
+
 * Thu Jan 22 2015 Nikos Mavrogiannopoulos - 0.9.0-1
 - new upstream release
 

From 4fdbcb2406340261fc7e76c3f774de2fbac93cab Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos
Date: Thu, 29 Jan 2015 14:09:41 +0100
Subject: [PATCH 056/177] run make check

---
 ocserv.spec | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/ocserv.spec b/ocserv.spec
index 8b22302..18362fa 100644
--- a/ocserv.spec
+++ b/ocserv.spec
@@ -97,6 +97,9 @@ mkdir -p %{_sysconfdir}/pki/ocserv/public
 mkdir -p -m 700 %{_sysconfdir}/pki/ocserv/private
 mkdir -p %{_sysconfdir}/pki/ocserv/cacerts
 
+%check
+make check %{?_smp_mflags}
+
 %post
 %systemd_post ocserv.service
 

From e4fe6e80bfa43aed425551071cf3fb9a5dbf85db Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos
Date: Mon, 16 Feb 2015 10:45:16 +0100
Subject: [PATCH 057/177] updated to 0.9.1

---
 .gitignore | 2 ++
 ocserv.conf | 25 +++++++++----------------
 ocserv.spec | 9 ++++++---
 sources | 4 ++--
 4 files changed, 19 insertions(+), 21 deletions(-)

diff --git a/.gitignore b/.gitignore
index 0ef6c80..291a6a8 100644
--- a/.gitignore
+++ b/.gitignore
@@ -24,3 +24,5 @@
 /ocserv-0.8.9.tar.xz
 /ocserv-0.9.0.tar.xz
 /ocserv-0.9.0.tar.xz.sig
+/ocserv-0.9.1.tar.xz.sig
+/ocserv-0.9.1.tar.xz
diff --git a/ocserv.conf b/ocserv.conf
index aa5dbaf..20da17f 100644
--- a/ocserv.conf
+++ b/ocserv.conf
@@ -1,16 +1,11 @@
 # User authentication method. Could be set multiple times and in
 # that case all should succeed. To enable multiple methods use
-# multiple auth directives. Available options: certificate, certificate[optional],
+# multiple auth directives. Available options: certificate,
 # plain, pam, radius[configfile,groupconfig].
 # certificate:
 # This indicates that all connecting users must present a certificate.
 #
-# certificate[optional]:
-# This indicates that a user may present a certificate. When that option
-# is set, individual users or user groups can be forced to present a valid
-# certificate by adding "require-cert=true" in the per-user configuration file.
-#
 # pam[gid-min=1000]:
 # The gid-min option is used by auto-select-group option, in order to
 # select the minimum valid group ID.
@@ -31,7 +26,6 @@
 # Framed-IP-Address, Framed-IP-Netmask, MS-Primary-DNS-Server, MS-Secondary-DNS-Server
 
 #auth = "certificate"
-#auth = "certificate[optional]"
 auth = "pam"
 #auth = "pam[gid-min=1000]"
 #auth = "plain[/etc/ocserv/ocpasswd]"
@@ -293,13 +287,20 @@ predictable-ips = true
 # The default domain to be advertised
 default-domain = example.com
 
-# The pool of addresses that leases will be given from.
+# The pool of addresses that leases will be given from. If the leases
+# are given via Radius, or via explicit-ip? per-user config option then
+# these network values should contain a network with at least a single
+# address that will remain under the full control of ocserv (that is
+# to be able to assign the local part of the tun device address).
 #ipv4-network = 192.168.1.0
 #ipv4-netmask = 255.255.255.0
 
 # An alternative way of specifying the network:
 #ipv4-network = 192.168.1.0/24
 
+# The IPv6 subnet that leases will be given from.
+#ipv6-network = fda9:4efe:7e3b:03ea::/64
+
 # The advertized DNS server. Use multiple lines for
 # multiple servers.
 # dns = fc00::4be0
@@ -308,9 +309,6 @@ default-domain = example.com
 # The NBNS server (if any)
 #nbns = 192.168.1.3
 
-# The IPv6 subnet that leases will be given from.
-#ipv6-network = fda9:4efe:7e3b:03ea::/64
-
 # The domains over which the provided DNS should be used. Use
 # multiple lines for multiple domains.
 #split-dns = example.com
@@ -384,11 +382,6 @@ ping-leases = false
 #default-user-config = /etc/ocserv/defaults/user.conf
 #default-group-config = /etc/ocserv/defaults/group.conf
 
-# This option is only valid in a user/group configuration file. If the
-# auth mode is certificate[optional], it requires a certificate for this
-# particular user or group.
-#require-cert = true
-
 # The system command to use to setup a route. %{R} will be replaced with the
 # route/mask and %{D} with the (tun) device.
 #
diff --git a/ocserv.spec b/ocserv.spec
index 18362fa..c8bf84c 100644
--- a/ocserv.spec
+++ b/ocserv.spec
@@ -1,8 +1,8 @@
 %global _hardened_build 1
 
 Name: ocserv
-Version: 0.9.0
-Release: 2%{?dist}
+Version: 0.9.1
+Release: 1%{?dist}
 Summary: OpenConnect SSL VPN server
 
 # For a breakdown of the licensing, see PACKAGE-LICENSING
@@ -33,7 +33,7 @@ BuildRequires: libnl3-devel
 BuildRequires: readline-devel
 BuildRequires: autogen
 BuildRequires: gperf
-%ifarch x86_64 #%{ix86}
+%ifarch x86_64 %{ix86}
 BuildRequires: libseccomp-devel
 %endif
 BuildRequires: pcllib-devel
@@ -152,6 +152,9 @@ rm -rf %{buildroot}
 %{_localstatedir}/lib/ocserv/profile.xml
 
 %changelog
+* Mon Feb 16 2015 Nikos Mavrogiannopoulos - 0.9.1-1
+- new upstream release
+
 * Thu Jan 29 2015 Nikos Mavrogiannopoulos - 0.9.0-2
 - only enable seccomp in x86-64. It seems to be broken in x86:
 http://sourceforge.net/p/libseccomp/mailman/message/33275762/
diff --git a/sources b/sources
index cb7074e..7c25dd1 100644
--- a/sources
+++ b/sources
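Review bot: The `%ifarch x86_64 %{ix86}` line re-enables libseccomp-devel on 32-bit x86, which the 0.9.0-2 entry just below had disabled as broken, but the new changelog entry only says `- new upstream release`; add a line such as `- re-enable seccomp on %%{ix86} (<reason or upstream reference>)` so the reversal is traceable. In the same commit the ocserv.conf hunks drop the `#auth = "certificate[optional]"` mode and the `#require-cert = true` documentation without mention; if 0.9.1 removed that feature, existing per-user files that set `require-cert = true` presumably stop being enforced silently, which is worth a changelog line of its own.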
@@ -1,2 +1,2 @@
-50994bf7e40fd6bedda33bb2f99b1f11 ocserv-0.9.0.tar.xz
-62942bdda7e101c0049622c68fd13dd4 ocserv-0.9.0.tar.xz.sig
+c7e0d60139372b9fbb866cd271ded8c4 ocserv-0.9.1.tar.xz.sig
+5dee08e1386258a32a73caf2cb47749c ocserv-0.9.1.tar.xz

From 79f0b3bec8588320d56633dc8bdf67d4c1595165 Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos
Date: Mon, 16 Feb 2015 10:56:29 +0100
Subject: [PATCH 058/177] depend on freeradius-client

---
 ocserv.spec | 1 +
 1 file changed, 1 insertion(+)

diff --git a/ocserv.spec b/ocserv.spec
index c8bf84c..561d586 100644
--- a/ocserv.spec
+++ b/ocserv.spec
@@ -41,6 +41,7 @@ BuildRequires: libtalloc-devel
 BuildRequires: http-parser-devel
 BuildRequires: tcp_wrappers-devel
 BuildRequires: automake, autoconf
+BuildRequires: freeradius-client-devel
 # we don't build with dbus support
 #BuildRequires: dbus-devel
 

From 8a7554ecc8a9bef1fb924a25c020cec4bd2a1f28 Mon Sep 17 00:00:00 2001
From: Peter Robinson
Date: Mon, 16 Feb 2015 15:46:32 +0000
Subject: [PATCH 059/177] aarch64 (and ARMv7) now has seccomp support

---
 ocserv.spec | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/ocserv.spec b/ocserv.spec
index 561d586..57f5142 100644
--- a/ocserv.spec
+++ b/ocserv.spec
@@ -2,7 +2,7 @@
 
 Name: ocserv
 Version: 0.9.1
-Release: 1%{?dist}
+Release: 2%{?dist}
 Summary: OpenConnect SSL VPN server
 
 # For a breakdown of the licensing, see PACKAGE-LICENSING
@@ -33,7 +33,7 @@ BuildRequires: libnl3-devel
 BuildRequires: readline-devel
 BuildRequires: autogen
 BuildRequires: gperf
-%ifarch x86_64 %{ix86}
+%ifarch x86_64 %{ix86} %{arm} aarch64
 BuildRequires: libseccomp-devel
 %endif
 BuildRequires: pcllib-devel
@@ -153,6 +153,9 @@ rm -rf %{buildroot}
 %{_localstatedir}/lib/ocserv/profile.xml
 
 %changelog
+* Mon Feb 16 2015 Peter Robinson 0.9.1-2
+- aarch64 (and ARMv7) now has seccomp support
+
 * Mon Feb 16 2015 Nikos Mavrogiannopoulos - 0.9.1-1
 - new upstream release
 

From e4b15cba33f52ce988571ea64014117cda037371 Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos
Date: Wed, 18 Feb 2015 10:29:58 +0100
Subject: [PATCH 060/177] new upstream release

---
 .gitignore | 2 ++
 ocserv.spec | 9 +++++++--
 sources | 4 ++--
 3 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/.gitignore b/.gitignore
index 291a6a8..d3675b5 100644
--- a/.gitignore
+++ b/.gitignore
@@ -26,3 +26,5 @@
 /ocserv-0.9.0.tar.xz.sig
 /ocserv-0.9.1.tar.xz.sig
 /ocserv-0.9.1.tar.xz
+/ocserv-0.9.2.tar.xz.sig
+/ocserv-0.9.2.tar.xz
diff --git a/ocserv.spec b/ocserv.spec
index 57f5142..e7b76a7 100644
--- a/ocserv.spec
+++ b/ocserv.spec
@@ -1,8 +1,8 @@
 %global _hardened_build 1
 
 Name: ocserv
-Version: 0.9.1
-Release: 2%{?dist}
+Version: 0.9.2
+Release: 1%{?dist}
 Summary: OpenConnect SSL VPN server
 
 # For a breakdown of the licensing, see PACKAGE-LICENSING
@@ -42,6 +42,7 @@ BuildRequires: http-parser-devel
 BuildRequires: tcp_wrappers-devel
 BuildRequires: automake, autoconf
 BuildRequires: freeradius-client-devel
+BuildRequires: lz4-devel
 # we don't build with dbus support
 #BuildRequires: dbus-devel
 
@@ -153,6 +154,10 @@ rm -rf %{buildroot}
 %{_localstatedir}/lib/ocserv/profile.xml
 
 %changelog
+* Wed Feb 18 2015 Nikos Mavrogiannopoulos - 0.9.2-1
+- new upstream release
+- enabled lz4 compression
+
 * Mon Feb 16 2015 Peter Robinson 0.9.1-2
 - aarch64 (and ARMv7) now has seccomp support
 
diff --git a/sources b/sources
index 7c25dd1..4eb3751 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-c7e0d60139372b9fbb866cd271ded8c4 ocserv-0.9.1.tar.xz.sig
-5dee08e1386258a32a73caf2cb47749c ocserv-0.9.1.tar.xz
+141166419dc5845530fe40415eee1cab ocserv-0.9.2.tar.xz.sig
+9697c37cc81b30be2b178258ee595d97 ocserv-0.9.2.tar.xz

From cf5f1ccc88b20905878ed27b317649fc04df1f93 Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos
Date: Wed, 11 Mar 2015 09:55:21 +0100
Subject: [PATCH 061/177] updated to 0.10.0

---
 .gitignore | 2 ++
 ocserv.spec | 5 ++++-
 sources | 4 ++--
 3 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/.gitignore b/.gitignore
index d3675b5..ae69654 100644
--- a/.gitignore
+++ b/.gitignore
@@ -28,3 +28,5 @@
 /ocserv-0.9.1.tar.xz
 /ocserv-0.9.2.tar.xz.sig
 /ocserv-0.9.2.tar.xz
+/ocserv-0.10.0.tar.xz.sig
+/ocserv-0.10.0.tar.xz
diff --git a/ocserv.spec b/ocserv.spec
index e7b76a7..ac9b730 100644
--- a/ocserv.spec
+++ b/ocserv.spec
@@ -1,7 +1,7 @@
 %global _hardened_build 1
 
 Name: ocserv
-Version: 0.9.2
+Version: 0.10.0
 Release: 1%{?dist}
 Summary: OpenConnect SSL VPN server
 
@@ -154,6 +154,9 @@ rm -rf %{buildroot}
 %{_localstatedir}/lib/ocserv/profile.xml
 
 %changelog
+* Wed Mar 11 2015 Nikos Mavrogiannopoulos - 0.10.0-1
+- new upstream release
+
 * Wed Feb 18 2015 Nikos Mavrogiannopoulos - 0.9.2-1
 - new upstream release
 - enabled lz4 compression
diff --git a/sources b/sources
index 4eb3751..900e27f 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-141166419dc5845530fe40415eee1cab ocserv-0.9.2.tar.xz.sig
-9697c37cc81b30be2b178258ee595d97 ocserv-0.9.2.tar.xz
+be821b0428ce05634727c5823227f88f ocserv-0.10.0.tar.xz.sig
+7ad50983a75c88da4c2fddd8f670584e ocserv-0.10.0.tar.xz

From aa24be214d6505210234880a93cf50bda191c2ad Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos
Date: Wed, 11 Mar 2015 10:12:51 +0100
Subject: [PATCH 062/177] updated dependencies and files for 0.10.0

---
 ocserv.conf | 193 +++++++++++++++++++++++++++++++++++++---------------
 ocserv.spec | 2 +
 2 files changed, 142 insertions(+), 53 deletions(-)

diff --git a/ocserv.conf b/ocserv.conf
index 20da17f..b0982e6 100644
--- a/ocserv.conf
+++ b/ocserv.conf
@@ -1,35 +1,102 @@
 # User authentication method. Could be set multiple times and in
 # that case all should succeed. To enable multiple methods use
-# multiple auth directives. Available options: certificate,
-# plain, pam, radius[configfile,groupconfig].
+# multiple auth directives. Available options: certificate,
+# plain, pam, radius, gssapi.
+#
+# Note that authentication methods cannot be changed with reload.
 # certificate:
 # This indicates that all connecting users must present a certificate.
 #
 # pam[gid-min=1000]:
-# The gid-min option is used by auto-select-group option, in order to
-# select the minimum valid group ID.
+# This enabled PAM authentication of the user. The gid-min option is used
+# by auto-select-group option, in order to select the minimum valid group ID.
 #
-# plain[/etc/ocserv/ocpasswd]
+# plain[passwd=/etc/ocserv/ocpasswd]
 # The plain option requires specifying a password file which contains
 # entries of the following format.
 # "username:groupname1,groupname2:encoded-password"
 # One entry must be listed per line, and 'ocpasswd' should be used
 # to generate password entries.
 #
-# radius[/etc/radiusclient/radiusclient.conf,groupconfig]:
+# radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true,nas-identifier=name]:
 # The radius option requires specifying freeradius-client configuration
 # file. If the groupconfig option is set, then config-per-user will be overriden,
 # and all configuration will be read from radius. The supported atributes for
 # radius configuration are:
 # Group-Name, Framed-IPv6-Address, Framed-IPv6-Prefix, DNS-Server-IPv6-Address,
 # Framed-IP-Address, Framed-IP-Netmask, MS-Primary-DNS-Server, MS-Secondary-DNS-Server
+#
+# gssapi[keytab=/etc/key.tab,require-local-user-map=false]
+# The gssapi option allows to use authentication methods supported by GSSAPI,
+# such as Kerberos tickets with ocserv. It should be best used as an alternative
+# to PAM (i.e., have pam in auth and gssapi in enable-auth), to allow users with
+# tickets and without tickets to login. The default value for require-local-user-map
+# is true.
 
-#auth = "certificate"
 auth = "pam"
 #auth = "pam[gid-min=1000]"
-#auth = "plain[/etc/ocserv/ocpasswd]"
-#auth = "radius[/etc/radiusclient/radiusclient.conf,groupconfig]"
+#auth = "plain[passwd=./sample.passwd]"
+#auth = "certificate"
+#auth = "radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true]"
+
+# Specify alternative authentication methods that are sufficient
+# for authentication. That is, if set, any of the methods enabled
+# will be sufficient to login.
+#enable-auth = certificate
+#enable-auth = gssapi
+#enable-auth = "gssapi[keytab=/etc/key.tab,require-local-user-map=true]"
+
+# Accounting methods available:
+# pam: can only be combined with PAM authentication method, it provides
+# a session opened using PAM.
+#
+# radius: can be combined with any authentication method, it provides
+# radius accounting to available users (see also stats-report-time).
+#
+# Only one accounting method can be specified.
+#acct = "pam"
+#acct = "radius[config=/etc/radiusclient/radiusclient.conf]"
+
+# Use listen-host to limit to specific IPs or to the IPs of a provided
+# hostname.
+#listen-host = [IP|HOSTNAME]
+
+# When the server has a dynamic DNS address (that may change),
+# should set that to true to ask the client to resolve again on
+# reconnects.
+#listen-host-is-dyndns = true
+
+# TCP and UDP port number
+tcp-port = 443
+udp-port = 443
+
+# Accept connections using a socket file. It accepts HTTP
+# connections (i.e., without SSL/TLS unlike its TCP counterpart),
+# and uses it as the primary channel. That option cannot be
+# combined with certificate authentication.
+#listen-clear-file = /var/run/ocserv-conn.socket
+
+# The user the worker processes will be run as. It should be
+# unique (no other services run as this user).
+run-as-user = ocserv
+run-as-group = ocserv
+
+# socket file used for IPC with occtl. You only need to set that,
+# if you use more than a single servers.
+#occtl-socket-file = /var/run/occtl.socket
+
+# socket file used for server IPC (worker-main), will be appended with .PID
+# It must be accessible within the chroot environment (if any), so it is best
+# specified relatively to the chroot directory.
+socket-file = ocserv.sock
+
+# The default server directory. Does not require any devices present.
+chroot-dir = /var/lib/ocserv
+
+
+### All configuration options below this line are reloaded on a SIGHUP.
+### The options above, will remain unchanged.
 
 # Whether to enable seccomp/Linux namespaces worker isolation. That restricts the number of
 # system calls allowed to a worker process, in order to reduce damage from a
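Review bot: `#auth = "plain[passwd=./sample.passwd]"` carries a relative sample path from the upstream source tree into the packaged /etc/ocserv/ocserv.conf; the example should point at the password file this same file documents a few lines earlier, `#auth = "plain[passwd=/etc/ocserv/ocpasswd]"`, so an administrator uncommenting it does not end up reading a file relative to the daemon's working directory. The `# When the server has a dynamic DNS address` / `#listen-host-is-dyndns = true` block added in this hunk is also still present as unchanged context in the next hunk (`@@ -44,32 +111,18 @@`), so the new file documents that option twice; keep only the copy in the non-reloadable section. This hunk starts at the top of the file and continues across several chunk lines.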
@@ -44,32 +111,18 @@ isolate-workers = true
 #max-clients = 1024
 max-clients = 16
 
-# Limit the number of client connections to one every X milliseconds
-# (X is the provided value). Set to zero for no limit.
-#rate-limit-ms = 100
-
 # Limit the number of identical clients (i.e., users connecting
 # multiple times). Unset or set to zero for unlimited.
 max-same-clients = 2
 
-# Use listen-host to limit to specific IPs or to the IPs of a provided
-# hostname.
-#listen-host = [IP|HOSTNAME]
-
 # When the server has a dynamic DNS address (that may change),
 # should set that to true to ask the client to resolve again on
 # reconnects.
 #listen-host-is-dyndns = true
 
-# TCP and UDP port number
-tcp-port = 443
-udp-port = 443
-
-# Accept connections using a socket file. It accepts HTTP
-# connections (i.e., without SSL/TLS unlike its TCP counterpart),
-# and uses it as the primary channel. That option cannot be
-# combined with certificate authentication.
-#listen-clear-file = /var/run/ocserv-conn.socket
+# Limit the number of client connections to one every X milliseconds
+# (X is the provided value). Set to zero for no limit.
+#rate-limit-ms = 100
 
 # Stats report time. The number of seconds after which each
 # worker process will report its usage statistics (number of
@@ -140,7 +193,7 @@ ca-cert = /etc/pki/ocserv/cacerts/ca.crt
 # certificate. The object identifier should be part of the certificate's DN
 # Useful OIDs are:
 # CN = 2.5.4.3, UID = 0.9.2342.19200300.100.1.1
-#cert-user-oid = 0.9.2342.19200300.100.1.1
+cert-user-oid = 0.9.2342.19200300.100.1.1
 
 # The object identifier that will be used to read the user group in the
 # client certificate. The object identifier should be part of the certificate's
@@ -165,7 +218,17 @@ ca-cert = /etc/pki/ocserv/cacerts/ca.crt
 # as there are no openconnect (and possibly anyconnect clients) using
 # that protocol. The string below does not enforce perfect forward
 # secrecy, in order to be compatible with legacy clients.
-#tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0"
+#
+# Note that the most performant ciphersuites are the moment are the ones
+# involving AES-GCM. These are very fast in x86 and x86-64 hardware, and
+# in addition require no padding, thus taking full advantage of the MTU.
+# For that to be taken advantage of, the openconnect client must be
+# used, and the server must be compiled against GnuTLS 3.2.7 or later.
+# Use "gnutls-cli --benchmark-tls-ciphers", to see the performance
+# difference with AES_128_CBC_SHA1 (the default for anyconnect clients)
+# in your system.
+
+#tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0"
 tls-priorities = "@SYSTEM"
 
 # More combinations in priority strings are available, check
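Review bot: The new comment line `# Note that the most performant ciphersuites are the moment are the ones` has a typo and should read `# Note that the most performant ciphersuites at the moment are the ones`. The commented example below it, `#tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0"`, drops the `-RSA` that the previous example carried, so it now permits non-forward-secret RSA key exchange in addition to what the preceding sentence already concedes; since the active setting stays `tls-priorities = "@SYSTEM"`, a line such as `# The active "@SYSTEM" value follows the system-wide GnuTLS policy; prefer it over the legacy example above.` would make clear that the example is a fallback, not the recommended value.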
@@ -188,7 +251,28 @@ auth-timeout = 40
 
 # The time (in seconds) that a client is not allowed to reconnect after
 # a failed authentication attempt.
-#min-reauth-time = 2
+min-reauth-time = 300
+
+# Banning clients in ocserv works with a point system. IP addresses
+# that get a score over that configured number are banned for
+# min-reauth-time seconds. By default a wrong password attempt is 10 points,
+# a KKDCP POST is 1 point, and a connection is 1 point. Note that
+# due to difference processes being involved the count of points
+# will not be real-time precise.
+#
+# Score banning cannot be reliably used when receiving proxied connections
+# locally from an HTTP server (i.e., when listen-clear-file is used).
+#
+# Set to zero to disable.
+max-ban-score = 50
+
+# The time (in seconds) that all score kept for a client is reset.
+ban-reset-time = 300
+
+# In case you'd like to change the default points.
+#ban-points-wrong-password = 10
+#ban-points-connection = 1
+#ban-points-kkdcp = 1
 
 # Cookie timeout (in seconds)
 # Once a client is authenticated he's provided a cookie with
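Review bot: The three newly active settings form a lockout policy whose combined effect the comments leave for the reader to compute: with the stated 10 points per wrong password, `max-ban-score = 50` and `ban-reset-time = 300`, roughly five or six failed logins from one address within five minutes ban that address for `min-reauth-time` (now 300 s instead of the previous 2 s), and because the score is kept per IP, clients behind a shared NAT presumably get banned together. A one-line summary above `max-ban-score` would help operators tune it: `# With the defaults below, about five failed logins from one address within ban-reset-time ban it for min-reauth-time.` Also `# due to difference processes being involved the count of points` should read `# due to different processes being involved the count of points`.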
@@ -237,30 +321,14 @@ rekey-method = ssl
 # UTMP
 # Register the connected clients to utmp. This will allow viewing
 # the connected clients using the command 'who'.
-use-utmp = true
+#use-utmp = true
 
 # Whether to enable support for the occtl tool (i.e., either through D-BUS,
 # or via a unix socket).
 use-occtl = true
 
-# socket file used for IPC with occtl. You only need to set that,
-# if you use more than a single servers.
-#occtl-socket-file = /var/run/occtl.socket
-
 # PID file. It can be overriden in the command line.
-#pid-file = /var/run/ocserv.pid
-
-# The default server directory. Does not require any devices present.
-chroot-dir = /var/lib/ocserv
-
-# socket file used for server IPC (worker-main), will be appended with .PID
-# It must be accessible within the chroot environment (if any)
-socket-file = ocserv.sock
-
-# The user the worker processes will be run as. It should be
-# unique (no other services run as this user).
-run-as-user = ocserv
-run-as-group = ocserv
+pid-file = /var/run/ocserv.pid
 
 # Set the protocol-defined priority (SO_PRIORITY) for packets to
 # be sent. That is a number from 0 to 6 with 0 being the lowest
@@ -288,7 +356,7 @@ predictable-ips = true
 default-domain = example.com
 
 # The pool of addresses that leases will be given from. If the leases
-# are given via Radius, or via explicit-ip? per-user config option then
+# are given via Radius, or via the explicit-ip? per-user config option then
 # these network values should contain a network with at least a single
 # address that will remain under the full control of ocserv (that is
 # to be able to assign the local part of the tun device address).
@@ -341,10 +409,15 @@ ping-leases = false
 # comment out all routes from the server, or use the special keyword
 # 'default'.
 
-#route = 192.168.1.0/255.255.255.0
-#route = 192.168.5.0/255.255.255.0
+#route = 10.10.10.0/255.255.255.0
+#route = 192.168.0.0/255.255.0.0
 #route = fef4:db8:1000:1001::/64
 
+# Subsets of the routes above that will not be routed by
+# the server.
+
+#no-route = 192.168.5.0/255.255.255.0
+
 # Groups that a client is allowed to select from.
 # A client may belong in multiple groups, and in certain use-cases
 # it is needed to switch between them. For these cases the client can
@@ -366,7 +439,7 @@ ping-leases = false
 # or the groupname.
 # The options allowed in the configuration files are dns, nbns,
 # ipv?-network, ipv4-netmask, rx/tx-per-sec, iroute, route,
-# net-priority, deny-roaming, no-udp, user-profile, require-cert, and cgroup.
+# net-priority, deny-roaming, no-udp, user-profile, and cgroup.
 #
 # Note that the 'iroute' option allows to add routes on the server
 # based on a user or group. The syntax depends on the input accepted
@@ -388,14 +461,28 @@ ping-leases = false
 # The following example is from linux systems. %R should be something
 # like 192.168.2.0/24 (the argument of iroute).
-route-add-cmd = "ip route add %{R} dev %{D}"
-route-del-cmd = "ip route delete %{R} dev %{D}"
+#route-add-cmd = "ip route add %{R} dev %{D}"
+#route-del-cmd = "ip route delete %{R} dev %{D}"
 
 # This option allows to forward a proxy. The special keywords '%{U}'
 # and '%{G}', if present will be replaced by the username and group name.
 #proxy-url = http://example.com/
 #proxy-url = http://example.com/%{U}/
 
+# This option allows you to specify a URL location where a client can
+# post using MS-KKDCP, and the message will be forwarded to the provided
+# KDC server. That is a translation URL between HTTP and Kerberos.
+# In MIT kerberos you'll need to add in realms:
+# EXAMPLE.COM = {
+# kdc = https://ocserv.example.com/kerberos
+# http_anchors = FILE:/etc/ocserv-ca.pem
+# }
+# This option is available if ocserv is compiled with GSSAPI support.
+
+#kkdcp = SERVER-PATH KERBEROS-REALM PROTOCOL@SERVER:PORT
+#kkdcp = /kerberos EXAMPLE.COM udp@127.0.0.1:88
+#kkdcp = /kerberos-tcp EXAMPLE.COM tcp@127.0.0.1:88
+
 #
 # The following options are for (experimental) AnyConnect client
 # compatibility.
diff --git a/ocserv.spec b/ocserv.spec
index ac9b730..8552839 100644
--- a/ocserv.spec
+++ b/ocserv.spec
@@ -30,6 +30,8 @@ BuildRequires: systemd-devel
 BuildRequires: autogen-libopts-devel
 BuildRequires: protobuf-c-devel
 BuildRequires: libnl3-devel
+BuildRequires: krb5-devel
+BuildRequires: libtasn1-devel
 BuildRequires: readline-devel
 BuildRequires: autogen
 BuildRequires: gperf

From be4d4a16a6e0f67728e1fe0e38fc1c3b6368cc89 Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos
Date: Mon, 16 Mar 2015 10:08:13 +0100
Subject: [PATCH 063/177] updated to 0.10.1

---
 .gitignore | 2 ++
 ocserv.spec | 5 ++++-
 sources | 4 ++--
 3 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/.gitignore b/.gitignore
index ae69654..bb93f8a 100644
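Review bot: The two new `BuildRequires: krb5-devel` and `BuildRequires: libtasn1-devel` lines land without a `Release` bump or `%changelog` entry, and the same commit changes packaged defaults in ocserv.conf that an upgrading administrator will not find recorded anywhere: `route-add-cmd`/`route-del-cmd` are now commented out (so per-user `iroute` entries presumably no longer install routes unless the admin re-enables the commands), and `min-reauth-time`, the ban settings and `cert-user-oid` are switched on. Either fold a description into the existing 0.10.0-1 entry or bump to 0.10.0-2 with lines such as `- build with GSSAPI/KKDCP support (krb5-devel, libtasn1-devel)` and `- ocserv.conf: new ban and min-reauth-time defaults; route-add-cmd disabled by default`. The conf hunk's `#kkdcp = /kerberos EXAMPLE.COM udp@127.0.0.1:88` examples are fine as loopback placeholders.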
--- a/.gitignore
+++ b/.gitignore
@@ -30,3 +30,5 @@
 /ocserv-0.9.2.tar.xz
 /ocserv-0.10.0.tar.xz.sig
 /ocserv-0.10.0.tar.xz
+/ocserv-0.10.1.tar.xz.sig
+/ocserv-0.10.1.tar.xz
diff --git a/ocserv.spec b/ocserv.spec
index 8552839..6f15685 100644
--- a/ocserv.spec
+++ b/ocserv.spec
@@ -1,7 +1,7 @@
 %global _hardened_build 1
 
 Name: ocserv
-Version: 0.10.0
+Version: 0.10.1
 Release: 1%{?dist}
 Summary: OpenConnect SSL VPN server
 
@@ -156,6 +156,9 @@ rm -rf %{buildroot}
 %{_localstatedir}/lib/ocserv/profile.xml
 
 %changelog
+* Mon Mar 16 2015 Nikos Mavrogiannopoulos - 0.10.1-1
+- new upstream release
+
 * Wed Mar 11 2015 Nikos Mavrogiannopoulos - 0.10.0-1
 - new upstream release
 
diff --git a/sources b/sources
index 900e27f..042fd93 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-be821b0428ce05634727c5823227f88f ocserv-0.10.0.tar.xz.sig
-7ad50983a75c88da4c2fddd8f670584e ocserv-0.10.0.tar.xz
+bea711b4ed8784cd503de4f654a65f1f ocserv-0.10.1.tar.xz.sig
+d39c3101f73fdc785a7c2cbdb00c40fd ocserv-0.10.1.tar.xz

From a87bbc763a566430db3a0ab022d3268576d79d8f Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos
Date: Mon, 30 Mar 2015 10:12:18 +0200
Subject: [PATCH 064/177] new upstream release

---
 .gitignore | 2 ++
 ocserv.spec | 5 ++++-
 sources | 4 ++--
 3 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/.gitignore b/.gitignore
index bb93f8a..2da4313 100644
--- a/.gitignore
+++ b/.gitignore
@@ -32,3 +32,5 @@
 /ocserv-0.10.0.tar.xz
 /ocserv-0.10.1.tar.xz.sig
 /ocserv-0.10.1.tar.xz
+/ocserv-0.10.2.tar.xz.sig
+/ocserv-0.10.2.tar.xz
diff --git a/ocserv.spec b/ocserv.spec
index 6f15685..06034dc 100644
--- a/ocserv.spec
+++ b/ocserv.spec
@@ -1,7 +1,7 @@
 %global _hardened_build 1
 
 Name: ocserv
-Version: 0.10.1
+Version: 0.10.2
 Release: 1%{?dist}
 Summary: OpenConnect SSL VPN server
 
@@ -156,6 +156,9 @@ rm -rf %{buildroot} %{_localstatedir}/lib/ocserv/profile.xml %changelog +* Mon Mar 30 2015 Nikos Mavrogiannopoulos - 0.10.2-1 +- new upstream release + * Mon Mar 16 2015 Nikos Mavrogiannopoulos - 0.10.1-1 - new upstream release diff --git a/sources b/sources index 042fd93..ca1ec98 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -bea711b4ed8784cd503de4f654a65f1f ocserv-0.10.1.tar.xz.sig -d39c3101f73fdc785a7c2cbdb00c40fd ocserv-0.10.1.tar.xz +5caf016f3d2362ec567bef4861d65d1b ocserv-0.10.2.tar.xz.sig +32ce2c2a00a97ab7c27e571aae207b2d ocserv-0.10.2.tar.xz From d20bd2e9105997abc7fd36daaa65d41afa79330c Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Mon, 27 Apr 2015 10:11:00 +0200 Subject: [PATCH 065/177] new upstream release Resolves: rhbz#1215326 --- .gitignore | 2 ++ ocserv.spec | 5 ++++- sources | 4 ++-- 3 files changed, 8 insertions(+), 3 deletions(-) diff --git a/.gitignore b/.gitignore index 2da4313..d392fba 100644 --- a/.gitignore +++ b/.gitignore @@ -34,3 +34,5 @@ /ocserv-0.10.1.tar.xz /ocserv-0.10.2.tar.xz.sig /ocserv-0.10.2.tar.xz +/ocserv-0.10.4.tar.xz.sig +/ocserv-0.10.4.tar.xz diff --git a/ocserv.spec b/ocserv.spec index 06034dc..d5a267d 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -1,7 +1,7 @@ %global _hardened_build 1 Name: ocserv -Version: 0.10.2 +Version: 0.10.4 Release: 1%{?dist} Summary: OpenConnect SSL VPN server @@ -156,6 +156,9 @@ rm -rf %{buildroot} %{_localstatedir}/lib/ocserv/profile.xml %changelog +* Mon Apr 27 2015 Nikos Mavrogiannopoulos - 0.10.4-1 +- new upstream release + * Mon Mar 30 2015 Nikos Mavrogiannopoulos - 0.10.2-1 - new upstream release diff --git a/sources b/sources index ca1ec98..60962f6 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -5caf016f3d2362ec567bef4861d65d1b ocserv-0.10.2.tar.xz.sig -32ce2c2a00a97ab7c27e571aae207b2d ocserv-0.10.2.tar.xz +6605003c40a206698f90475f9aa2a548 ocserv-0.10.4.tar.xz.sig +6df31778642320ea7b90f314c4c9a897 ocserv-0.10.4.tar.xz 
From ccd9d004a3d91f4314f8252b1bcd7ce73ee7a982 Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Mon, 25 May 2015 10:18:24 +0200 Subject: [PATCH 066/177] updated to 0.10.5 Resolves: rhbz#1215326 --- .gitignore | 2 ++ ocserv.conf | 38 ++++++++++++++++++++++---------------- ocserv.spec | 5 ++++- sources | 4 ++-- 4 files changed, 30 insertions(+), 19 deletions(-)
diff --git a/.gitignore b/.gitignore
index d392fba..183bef7 100644
--- a/.gitignore
+++ b/.gitignore
@@ -36,3 +36,5 @@
 /ocserv-0.10.2.tar.xz
 /ocserv-0.10.4.tar.xz.sig
 /ocserv-0.10.4.tar.xz
+/ocserv-0.10.5.tar.xz.sig
+/ocserv-0.10.5.tar.xz
diff --git a/ocserv.conf b/ocserv.conf
index b0982e6..035d9ba 100644
--- a/ocserv.conf
+++ b/ocserv.conf
@@ -19,20 +19,20 @@ # One entry must be listed per line, and 'ocpasswd' should be used # to generate password entries. # -# radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true,nas-identifier=name]: +# radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true,nas-identifier=name,override-interim-updates=false]: # The radius option requires specifying freeradius-client configuration # file. If the groupconfig option is set, then config-per-user will be overriden, -# and all configuration will be read from radius. The supported atributes for -# radius configuration are: -# Group-Name, Framed-IPv6-Address, Framed-IPv6-Prefix, DNS-Server-IPv6-Address, -# Framed-IP-Address, Framed-IP-Netmask, MS-Primary-DNS-Server, MS-Secondary-DNS-Server +# and all configuration will be read from radius. The 'override-interim-updates' if set to +# true will ignore Acct-Interim-Interval from the server and 'stats-report-time' will be considered. # -# gssapi[keytab=/etc/key.tab,require-local-user-map=false] +# gssapi[keytab=/etc/key.tab,require-local-user-map=true,tgt-freshness-time=900] # The gssapi option allows to use authentication methods supported by GSSAPI, # such as Kerberos tickets with ocserv. It should be best used as an alternative # to PAM (i.e., have pam in auth and gssapi in enable-auth), to allow users with # tickets and without tickets to login. The default value for require-local-user-map -# is true. +# is true. The 'tgt-freshness-time' if set, it would require the TGT tickets presented +# to have been issued within the provided number of seconds. That option is used to +# restrict logins even if the KDC provides long time TGT tickets. auth = "pam" #auth = "pam[gid-min=1000]" 
@@ -45,7 +45,7 @@ auth = "pam" # will be sufficient to login. #enable-auth = certificate #enable-auth = gssapi -#enable-auth = "gssapi[keytab=/etc/key.tab,require-local-user-map=true]" +#enable-auth = "gssapi[keytab=/etc/key.tab,require-local-user-map=true,tgt-freshness-time=900]" # Accounting methods available: # pam: can only be combined with PAM authentication method, it provides @@ -245,6 +245,10 @@ auth-timeout = 40 # before being disconnected. Unset to disable. #idle-timeout = 1200 +# The time (in seconds) that a client is allowed to stay connected +# Unset to disable. +#session-timeout = 86400 + # The time (in seconds) that a mobile client is allowed to stay idle (no # traffic) before being disconnected. Unset to disable. #mobile-idle-timeout = 2400 @@ -283,6 +287,11 @@ ban-reset-time = 300 # between different networks. cookie-timeout = 300 +# If this is enabled (not recommended) the cookies will stay +# valid even after a user manually disconnects, and until they +# expire. This may improve roaming with some broken clients. +#persistent-cookies = true + # Whether roaming is allowed, i.e., if true a cookie is # restricted to a single IP address and cannot be re-used # from a different IP. @@ -290,7 +299,8 @@ deny-roaming = false # ReKey time (in seconds) # ocserv will ask the client to refresh keys periodically once -# this amount of seconds is elapsed. Set to zero to disable. +# this amount of seconds is elapsed. Set to zero to disable (note +# that, some clients fail if rekey is disabled). rekey-time = 172800 # ReKey method 
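Review bot: The `persistent-cookies` comment says `(not recommended)` but not why: once a cookie outlives the user's own disconnect, presumably anyone holding it can resume the session without re-authenticating until `cookie-timeout` (300 in the surrounding context) expires. Suggest spelling that out, e.g. `# A cookie kept after disconnect can resume the session without re-authentication; keep cookie-timeout short if you enable this.` The new `session-timeout` comment in the earlier hunk on this line is missing its full stop after `stay connected`.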
@@ -438,8 +448,9 @@ ping-leases = false # per group. Each file name on these directories must match the username # or the groupname. # The options allowed in the configuration files are dns, nbns, -# ipv?-network, ipv4-netmask, rx/tx-per-sec, iroute, route, -# net-priority, deny-roaming, no-udp, user-profile, and cgroup. +# ipv?-network, ipv4-netmask, rx/tx-per-sec, iroute, route, no-route, +# explicit-ipv4, explicit-ipv6, net-priority, deny-roaming, no-udp, +# user-profile, cgroup, stats-report-time, and session-timeout. # # Note that the 'iroute' option allows to add routes on the server # based on a user or group. The syntax depends on the input accepted @@ -499,11 +510,6 @@ cisco-client-compat = true # This file must be accessible from inside the worker's chroot. user-profile = profile.xml -# Binary files that may be downloaded by the CISCO client. Must -# be within any chroot environment. Normally you don't need -# to use this option. -#binary-files = /path/to/binaries - #Advanced options # Option to allow sending arbitrary custom headers to the client after diff --git a/ocserv.spec b/ocserv.spec index d5a267d..56a3e82 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -1,7 +1,7 @@ %global _hardened_build 1 Name: ocserv -Version: 0.10.4 +Version: 0.10.5 Release: 1%{?dist} Summary: OpenConnect SSL VPN server @@ -156,6 +156,9 @@ rm -rf %{buildroot} %{_localstatedir}/lib/ocserv/profile.xml %changelog +* Mon May 25 2015 Nikos Mavrogiannopoulos - 0.10.5-1 +- new upstream release (#1215326) + * Mon Apr 27 2015 Nikos Mavrogiannopoulos - 0.10.4-1 - new upstream release diff --git a/sources b/sources index 60962f6..30c22ea 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -6605003c40a206698f90475f9aa2a548 ocserv-0.10.4.tar.xz.sig -6df31778642320ea7b90f314c4c9a897 ocserv-0.10.4.tar.xz +7396cedfa7071a4c6d5d243435ce663c ocserv-0.10.5.tar.xz.sig +17ee861f352d6ef7cd33114819b215ba ocserv-0.10.5.tar.xz From a1e5ef5b4c4b8105257e68164cf903e0f9b26aa0 Mon Sep 17 00:00:00 2001 
From: Dennis Gilmore Date: Wed, 17 Jun 2015 23:38:25 +0000 Subject: [PATCH 067/177] - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild --- ocserv.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/ocserv.spec b/ocserv.spec index 56a3e82..855317d 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -2,7 +2,7 @@ Name: ocserv Version: 0.10.5 -Release: 1%{?dist} +Release: 2%{?dist} Summary: OpenConnect SSL VPN server # For a breakdown of the licensing, see PACKAGE-LICENSING @@ -156,6 +156,9 @@ rm -rf %{buildroot} %{_localstatedir}/lib/ocserv/profile.xml %changelog +* Wed Jun 17 2015 Fedora Release Engineering - 0.10.5-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + * Mon May 25 2015 Nikos Mavrogiannopoulos - 0.10.5-1 - new upstream release (#1215326) From f9e76556f8a0f6f6c424ea5f07d3e854e5857714 Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Thu, 2 Jul 2015 09:34:01 +0200 Subject: [PATCH 068/177] updated to 0.10.6 Resolves: rhbz#1238499 --- .gitignore | 18 +++--------------- ocserv.conf | 15 ++++++++++++--- ocserv.spec | 7 +++++-- sources | 4 ++-- 4 files changed, 22 insertions(+), 22 deletions(-) diff --git a/.gitignore b/.gitignore index 183bef7..4842a17 100644 --- a/.gitignore +++ b/.gitignore @@ -22,19 +22,7 @@ /ocserv-0.8.8.tar.xz /ocserv-0.8.9.tar.xz.sig /ocserv-0.8.9.tar.xz -/ocserv-0.9.0.tar.xz -/ocserv-0.9.0.tar.xz.sig -/ocserv-0.9.1.tar.xz.sig -/ocserv-0.9.1.tar.xz -/ocserv-0.9.2.tar.xz.sig -/ocserv-0.9.2.tar.xz -/ocserv-0.10.0.tar.xz.sig -/ocserv-0.10.0.tar.xz -/ocserv-0.10.1.tar.xz.sig -/ocserv-0.10.1.tar.xz -/ocserv-0.10.2.tar.xz.sig /ocserv-0.10.2.tar.xz -/ocserv-0.10.4.tar.xz.sig -/ocserv-0.10.4.tar.xz -/ocserv-0.10.5.tar.xz.sig -/ocserv-0.10.5.tar.xz +/ocserv-0.10.2.tar.xz.sig +/ocserv-0.10.6.tar.xz +/ocserv-0.10.6.tar.xz.sig diff --git a/ocserv.conf b/ocserv.conf index 035d9ba..6f64efa 100644 --- a/ocserv.conf +++ b/ocserv.conf 
@@ -43,8 +43,8 @@ auth = "pam" # Specify alternative authentication methods that are sufficient # for authentication. That is, if set, any of the methods enabled # will be sufficient to login. -#enable-auth = certificate -#enable-auth = gssapi +#enable-auth = "certificate" +#enable-auth = "gssapi" #enable-auth = "gssapi[keytab=/etc/key.tab,require-local-user-map=true,tgt-freshness-time=900]" # Accounting methods available: @@ -178,12 +178,21 @@ server-key = /etc/pki/ocserv/private/server.key # Make sure that you replace the following file in an atomic way. #ocsp-response = /path/to/ocsp.der -# In case PKCS #11 or TPM keys are used the PINs should be available +# In case PKCS #11, TPM or encrypted keys are used the PINs should be available # in files. The srk-pin-file is applicable to TPM keys only, and is the # storage root key. #pin-file = /path/to/pin.txt #srk-pin-file = /path/to/srkpin.txt +# The password or PIN needed to unlock the key in server-key file. +# Only needed if the file is encrypted or a PKCS #11 object. This +# is an alternative method to pin-file. +#key-pin = 1234 + +# The SRK PIN for TPM. +# This is an alternative method to srk-pin-file. +#srk-pin = 1234 + # The Certificate Authority that will be used to verify # client certificates (public keys) if certificate authentication # is set. diff --git a/ocserv.spec b/ocserv.spec index 855317d..8364436 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -1,8 +1,8 @@ %global _hardened_build 1 Name: ocserv -Version: 0.10.5 -Release: 2%{?dist} +Version: 0.10.6 +Release: 1%{?dist} Summary: OpenConnect SSL VPN server # For a breakdown of the licensing, see PACKAGE-LICENSING @@ -156,6 +156,9 @@ rm -rf %{buildroot} %{_localstatedir}/lib/ocserv/profile.xml %changelog +* Thu Jul 2 2015 Nikos Mavrogiannopoulos - 0.10.6-1 +- new upstream release (#1238499) + * Wed Jun 17 2015 Fedora Release Engineering - 0.10.5-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild 
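Review bot: `key-pin` and `srk-pin` move the private-key passphrase into ocserv.conf itself, and the new comment does not say that the config file then needs the same protection as the key file or the pin-file it replaces. Suggest adding above `#key-pin = 1234`: `# Storing the PIN here makes ocserv.conf as sensitive as the key; restrict its permissions accordingly, or prefer pin-file.` The file mode ocserv.conf is packaged with is not visible in this commit, so it is worth confirming when this option is documented as an alternative.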
diff --git a/sources b/sources
index 30c22ea..1496e43 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-7396cedfa7071a4c6d5d243435ce663c ocserv-0.10.5.tar.xz.sig
-17ee861f352d6ef7cd33114819b215ba ocserv-0.10.5.tar.xz
+b99c74b781a180348f3a3240940fc838 ocserv-0.10.6.tar.xz
+1cc410cd9ccaa796f36180d10bdeb3a7 ocserv-0.10.6.tar.xz.sig
From 3e1272dcfa7d28358b3fd4d64678bbe0e46ae8a9 Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Thu, 9 Jul 2015 12:13:38 +0200 Subject: [PATCH 069/177] corrected JSON output in occtl --- ocserv-0.10.6-json.patch | 29 +++++++++++++++++++++++++++++ ocserv.spec | 8 +++++++- 2 files changed, 36 insertions(+), 1 deletion(-) create mode 100644 ocserv-0.10.6-json.patch
diff --git a/ocserv-0.10.6-json.patch b/ocserv-0.10.6-json.patch
new file mode 100644
index 0000000..4afb8ea
--- /dev/null
+++ b/ocserv-0.10.6-json.patch
@@ -0,0 +1,29 @@ +diff --git a/src/occtl-print.c b/src/occtl-print.c +index 1441cd6..8ff297e 100644 +--- a/src/occtl-print.c ++++ b/src/occtl-print.c +@@ -47,9 +47,9 @@ int print_list_entries(FILE* out, cmd_params_st *params, const char* name, char + tmp = val[i]; + if (tmp != NULL) { + if (i==0) +- fprintf(out, "%s", tmp); ++ fprintf(out, "\"%s\"", tmp); + else +- fprintf(out, ", %s", tmp); ++ fprintf(out, ", \"%s\"", tmp); + } + } + fprintf(out, "]%s\n", have_more?",":""); +diff --git a/src/occtl-unix.c b/src/occtl-unix.c +index 6df5a1e..d6b28f3 100644 +--- a/src/occtl-unix.c ++++ b/src/occtl-unix.c +@@ -254,7 +254,7 @@ int handle_status_cmd(struct unix_ctx *ctx, const char *arg, cmd_params_st *para + print_single_value_int(stdout, params, "TLS DB entries", rep->stored_tls_sessions, 1); + print_separator(stdout, params); + print_single_value_int(stdout, params, "Server PID", rep->pid, 1); +- print_single_value_int(stdout, params, "Sec-mod PID", rep->sec_mod_pid, 1); ++ print_single_value_int(stdout, params, "Sec-mod PID", rep->sec_mod_pid, 0); + print_end_block(stdout, params, 0); + + status_rep__free_unpacked(rep, &pa); diff --git a/ocserv.spec b/ocserv.spec index 8364436..65f76d2 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -2,7 +2,7 @@ Name: ocserv Version: 0.10.6 -Release: 1%{?dist} +Release: 2%{?dist} Summary: OpenConnect SSL VPN server # For a breakdown of the licensing, see PACKAGE-LICENSING @@ -17,6 +17,7 @@ Source4: PACKAGE-LICENSING Source6: ftp://ftp.infradead.org/pub/ocserv/%{name}-%{version}.tar.xz.sig Source7: ocserv-genkey Source8: ocserv-script +Patch0: ocserv-0.10.6-json.patch # Taken from upstream: # http://git.infradead.org/ocserv.git/commitdiff/7d70006a2dbddf783213f1856374bacc74217e09 @@ -73,6 +74,8 @@ to provide the secure VPN service. %prep %setup -q +%patch0 -p1 -b .json + rm -f src/http-parser/http_parser.c src/http-parser/http_parser.h rm -rf src/protobuf/ rm -rf src/ccan/talloc 
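Review bot: The new `fprintf(out, "\"%s\"", tmp)` calls in print_list_entries quote the value but do not escape a `"` or `\` inside it, so the output is still not valid JSON for any entry containing those characters; the loop reads `val[i]`, and whether those strings can carry such characters is not visible here, so they should be treated as untrusted. The fix is a small helper that writes a JSON string literal with escaping, used at both call sites, as below. print_list_entries and handle_status_cmd both start and end outside the quoted hunks. The `Sec-mod PID` change from `1` to `0` looks like the trailing-comma fix for the last entry of the block and is fine.
```c
/* Writes s as a JSON string literal, escaping quotes, backslashes and
 * control characters so the value cannot break the surrounding document. */
static void print_json_string(FILE *out, const char *s)
{
	fputc('"', out);
	for (; *s != '\0'; s++) {
		unsigned char c = (unsigned char)*s;
		switch (c) {
		case '"':  fputs("\\\"", out); break;
		case '\\': fputs("\\\\", out); break;
		case '\n': fputs("\\n", out); break;
		case '\r': fputs("\\r", out); break;
		case '\t': fputs("\\t", out); break;
		default:
			if (c < 0x20)
				fprintf(out, "\\u%04x", c);
			else
				fputc(c, out);
		}
	}
	fputc('"', out);
}

/* … unchanged: print_list_entries up to the loop over val[] … */
			if (i==0)
				print_json_string(out, tmp);
			else {
				fputs(", ", out);
				print_json_string(out, tmp);
			}
/* … unchanged: closing bracket and have_more handling … */
```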
@@ -156,6 +159,9 @@ rm -rf %{buildroot} %{_localstatedir}/lib/ocserv/profile.xml %changelog +* Thu Jul 9 2015 Nikos Mavrogiannopoulos - 0.10.6-2 +- corrected JSON output + * Thu Jul 2 2015 Nikos Mavrogiannopoulos - 0.10.6-1 - new upstream release (#1238499) From 9d24b69707ee291dfa0a7ad6394ee4d486d7dc12 Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Fri, 7 Aug 2015 10:28:34 +0200 Subject: [PATCH 070/177] updated to 0.10.7 --- .gitignore | 2 ++ ocserv-0.10.6-json.patch | 29 ----------------------------- ocserv.spec | 9 +++++---- sources | 4 ++-- 4 files changed, 9 insertions(+), 35 deletions(-) delete mode 100644 ocserv-0.10.6-json.patch diff --git a/.gitignore b/.gitignore index 4842a17..70e0dce 100644 --- a/.gitignore +++ b/.gitignore @@ -26,3 +26,5 @@ /ocserv-0.10.2.tar.xz.sig /ocserv-0.10.6.tar.xz /ocserv-0.10.6.tar.xz.sig +/ocserv-0.10.7.tar.xz.sig +/ocserv-0.10.7.tar.xz diff --git a/ocserv-0.10.6-json.patch b/ocserv-0.10.6-json.patch deleted file mode 100644 index 4afb8ea..0000000 --- a/ocserv-0.10.6-json.patch +++ /dev/null 
@@ -1,29 +0,0 @@ -diff --git a/src/occtl-print.c b/src/occtl-print.c -index 1441cd6..8ff297e 100644 ---- a/src/occtl-print.c -+++ b/src/occtl-print.c -@@ -47,9 +47,9 @@ int print_list_entries(FILE* out, cmd_params_st *params, const char* name, char - tmp = val[i]; - if (tmp != NULL) { - if (i==0) -- fprintf(out, "%s", tmp); -+ fprintf(out, "\"%s\"", tmp); - else -- fprintf(out, ", %s", tmp); -+ fprintf(out, ", \"%s\"", tmp); - } - } - fprintf(out, "]%s\n", have_more?",":""); -diff --git a/src/occtl-unix.c b/src/occtl-unix.c -index 6df5a1e..d6b28f3 100644 ---- a/src/occtl-unix.c -+++ b/src/occtl-unix.c -@@ -254,7 +254,7 @@ int handle_status_cmd(struct unix_ctx *ctx, const char *arg, cmd_params_st *para - print_single_value_int(stdout, params, "TLS DB entries", rep->stored_tls_sessions, 1); - print_separator(stdout, params); - print_single_value_int(stdout, params, "Server PID", rep->pid, 1); -- print_single_value_int(stdout, params, "Sec-mod PID", rep->sec_mod_pid, 1); -+ print_single_value_int(stdout, params, "Sec-mod PID", rep->sec_mod_pid, 0); - print_end_block(stdout, params, 0); - - status_rep__free_unpacked(rep, &pa); diff --git a/ocserv.spec b/ocserv.spec index 65f76d2..d38de34 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -1,8 +1,8 @@ %global _hardened_build 1 Name: ocserv -Version: 0.10.6 -Release: 2%{?dist} +Version: 0.10.7 +Release: 1%{?dist} Summary: OpenConnect SSL VPN server # For a breakdown of the licensing, see PACKAGE-LICENSING @@ -17,7 +17,6 @@ Source4: PACKAGE-LICENSING Source6: ftp://ftp.infradead.org/pub/ocserv/%{name}-%{version}.tar.xz.sig Source7: ocserv-genkey Source8: ocserv-script -Patch0: ocserv-0.10.6-json.patch # Taken from upstream: # http://git.infradead.org/ocserv.git/commitdiff/7d70006a2dbddf783213f1856374bacc74217e09 @@ -74,7 +73,6 @@ to provide the secure VPN service. %prep %setup -q -%patch0 -p1 -b .json rm -f src/http-parser/http_parser.c src/http-parser/http_parser.h rm -rf src/protobuf/ 
@@ -159,6 +157,9 @@ rm -rf %{buildroot} %{_localstatedir}/lib/ocserv/profile.xml %changelog +* Fri Aug 7 2015 Nikos Mavrogiannopoulos - 0.10.7-1 +- new upstream release (#1251305) + * Thu Jul 9 2015 Nikos Mavrogiannopoulos - 0.10.6-2 - corrected JSON output diff --git a/sources b/sources index 1496e43..402b382 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -b99c74b781a180348f3a3240940fc838 ocserv-0.10.6.tar.xz -1cc410cd9ccaa796f36180d10bdeb3a7 ocserv-0.10.6.tar.xz.sig +b828a7f3e7672f09f9908f30aa21b242 ocserv-0.10.7.tar.xz.sig +328469feb7505c2289f2f07720dc7777 ocserv-0.10.7.tar.xz From 46e3bdf2df6ec4547ae82705c42c9caadc2fb7c0 Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Mon, 7 Sep 2015 17:36:05 +0200 Subject: [PATCH 071/177] updated to 0.10.8 --- .gitignore | 2 ++ ocserv.conf | 4 ---- ocserv.spec | 5 ++++- sources | 4 ++-- 4 files changed, 8 insertions(+), 7 deletions(-) diff --git a/.gitignore b/.gitignore index 70e0dce..292c2e8 100644 --- a/.gitignore +++ b/.gitignore @@ -28,3 +28,5 @@ /ocserv-0.10.6.tar.xz.sig /ocserv-0.10.7.tar.xz.sig /ocserv-0.10.7.tar.xz +/ocserv-0.10.8.tar.xz.sig +/ocserv-0.10.8.tar.xz diff --git a/ocserv.conf b/ocserv.conf index 6f64efa..3dba4d5 100644 --- a/ocserv.conf +++ b/ocserv.conf @@ -48,14 +48,10 @@ auth = "pam" #enable-auth = "gssapi[keytab=/etc/key.tab,require-local-user-map=true,tgt-freshness-time=900]" # Accounting methods available: -# pam: can only be combined with PAM authentication method, it provides -# a session opened using PAM. -# # radius: can be combined with any authentication method, it provides # radius accounting to available users (see also stats-report-time). # # Only one accounting method can be specified. -#acct = "pam" #acct = "radius[config=/etc/radiusclient/radiusclient.conf]" # Use listen-host to limit to specific IPs or to the IPs of a provided diff --git a/ocserv.spec b/ocserv.spec index d38de34..301ca6a 100644 --- a/ocserv.spec +++ b/ocserv.spec 
@@ -1,7 +1,7 @@ %global _hardened_build 1 Name: ocserv -Version: 0.10.7 +Version: 0.10.8 Release: 1%{?dist} Summary: OpenConnect SSL VPN server @@ -157,6 +157,9 @@ rm -rf %{buildroot} %{_localstatedir}/lib/ocserv/profile.xml %changelog +* Mon Sep 7 2015 Nikos Mavrogiannopoulos - 0.10.8-1 +- new upstream release (#1260327) + * Fri Aug 7 2015 Nikos Mavrogiannopoulos - 0.10.7-1 - new upstream release (#1251305) diff --git a/sources b/sources index 402b382..e8a8158 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -b828a7f3e7672f09f9908f30aa21b242 ocserv-0.10.7.tar.xz.sig -328469feb7505c2289f2f07720dc7777 ocserv-0.10.7.tar.xz +ffc602ecfb35df216874248eec5ddb85 ocserv-0.10.8.tar.xz.sig +665b854377850db535271098a37213f1 ocserv-0.10.8.tar.xz From bb0b202d105327fb17fb7385deb1dbda1aa0d01b Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Thu, 17 Sep 2015 11:47:52 +0200 Subject: [PATCH 072/177] compile ocserv using radcli --- ocserv.spec | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/ocserv.spec b/ocserv.spec index 301ca6a..fe0f70e 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -2,7 +2,7 @@ Name: ocserv Version: 0.10.8 -Release: 1%{?dist} +Release: 2%{?dist} Summary: OpenConnect SSL VPN server # For a breakdown of the licensing, see PACKAGE-LICENSING @@ -43,7 +43,7 @@ BuildRequires: libtalloc-devel BuildRequires: http-parser-devel BuildRequires: tcp_wrappers-devel BuildRequires: automake, autoconf -BuildRequires: freeradius-client-devel +BuildRequires: radcli-devel BuildRequires: lz4-devel # we don't build with dbus support @@ -157,6 +157,9 @@ rm -rf %{buildroot} %{_localstatedir}/lib/ocserv/profile.xml %changelog +* Thu Sep 17 2015 Nikos Mavrogiannopoulos - 0.10.8-2 +- compile ocserv using radcli + * Mon Sep 7 2015 Nikos Mavrogiannopoulos - 0.10.8-1 - new upstream release (#1260327) From e5f5c63e8d2b2a0adb9152765e91470e23b83d99 Mon Sep 17 00:00:00 2001 
From: Nikos Mavrogiannopoulos Date: Thu, 8 Oct 2015 13:23:49 +0200 Subject: [PATCH 073/177] updated to 0.10.9 --- .gitignore | 2 ++ ocserv.conf | 13 ++++++++++--- ocserv.spec | 9 ++++++--- sources | 4 ++-- 4 files changed, 20 insertions(+), 8 deletions(-) diff --git a/.gitignore b/.gitignore index 292c2e8..d2dab91 100644 --- a/.gitignore +++ b/.gitignore @@ -30,3 +30,5 @@ /ocserv-0.10.7.tar.xz /ocserv-0.10.8.tar.xz.sig /ocserv-0.10.8.tar.xz +/ocserv-0.10.9.tar.xz.sig +/ocserv-0.10.9.tar.xz diff --git a/ocserv.conf b/ocserv.conf index 3dba4d5..df18a8a 100644 --- a/ocserv.conf +++ b/ocserv.conf @@ -12,12 +12,14 @@ # This enabled PAM authentication of the user. The gid-min option is used # by auto-select-group option, in order to select the minimum valid group ID. # -# plain[passwd=/etc/ocserv/ocpasswd] +# plain[passwd=/etc/ocserv/ocpasswd,otp=/etc/ocserv/users.otp] # The plain option requires specifying a password file which contains # entries of the following format. # "username:groupname1,groupname2:encoded-password" # One entry must be listed per line, and 'ocpasswd' should be used -# to generate password entries. +# to generate password entries. The 'otp' suboption allows to specify +# an oath password file to be used for one time passwords; the format of +# the file is described in https://code.google.com/p/mod-authn-otp/wiki/UsersFile # # radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true,nas-identifier=name,override-interim-updates=false]: # The radius option requires specifying freeradius-client configuration @@ -36,7 +38,7 @@ auth = "pam" #auth = "pam[gid-min=1000]" -#auth = "plain[passwd=./sample.passwd]" +#auth = "plain[passwd=./sample.passwd,otp=./sample.otp]" #auth = "certificate" #auth = "radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true]" 
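Review bot: The new `otp=` comment links the mod-authn-otp UsersFile format but does not say that the file carries each user's token key, which makes it at least as sensitive as the password file beside it. Suggest appending `# The otp file contains per-user token secrets; protect it like the password file.` after the format reference. The example `plain[passwd=./sample.passwd,otp=./sample.otp]` keeps relative paths; a note on what directory they resolve against (presumably the server's working directory, not /etc/ocserv) would avoid a silently missing file.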
@@ -51,6 +53,11 @@ auth = "pam" # radius: can be combined with any authentication method, it provides # radius accounting to available users (see also stats-report-time). # +# pam: can be combined with any authentication method, it provides +# a validation of the connecting user's name using PAM. It is +# superfluous to use this method when authentication is already +# PAM. +# # Only one accounting method can be specified. #acct = "radius[config=/etc/radiusclient/radiusclient.conf]" diff --git a/ocserv.spec b/ocserv.spec index fe0f70e..8cfee07 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -1,8 +1,8 @@ %global _hardened_build 1 Name: ocserv -Version: 0.10.8 -Release: 2%{?dist} +Version: 0.10.9 +Release: 1%{?dist} Summary: OpenConnect SSL VPN server # For a breakdown of the licensing, see PACKAGE-LICENSING @@ -143,7 +143,7 @@ rm -rf %{buildroot} %config(noreplace) %{_sysconfdir}/ocserv/ocserv.conf %config(noreplace) %{_sysconfdir}/pam.d/ocserv -%doc AUTHORS ChangeLog NEWS COPYING LICENSE README TODO PACKAGE-LICENSING +%doc AUTHORS ChangeLog NEWS COPYING LICENSE README.md TODO PACKAGE-LICENSING %doc src/ccan/licenses/CC0 src/ccan/licenses/LGPL-2.1 src/ccan/licenses/BSD-MIT %{_mandir}/man8/ocserv.8* %{_mandir}/man8/occtl.8* @@ -157,6 +157,9 @@ rm -rf %{buildroot} %{_localstatedir}/lib/ocserv/profile.xml %changelog +* Thu Oct 8 2015 Nikos Mavrogiannopoulos - 0.10.9-1 +- new upstream release (#1269479) + * Thu Sep 17 2015 Nikos Mavrogiannopoulos - 0.10.8-2 - compile ocserv using radcli diff --git a/sources b/sources index e8a8158..34833c2 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -ffc602ecfb35df216874248eec5ddb85 ocserv-0.10.8.tar.xz.sig -665b854377850db535271098a37213f1 ocserv-0.10.8.tar.xz +650c80e96ef429f34787347a59476d07 ocserv-0.10.9.tar.xz.sig +74834c59aa96beaa222c21ee6521adb2 ocserv-0.10.9.tar.xz From 36bf63761d168e5e01125b406422e88fc8a7c3c2 Mon Sep 17 00:00:00 2001 
From: Nikos Mavrogiannopoulos Date: Mon, 30 Nov 2015 16:59:06 +0100 Subject: [PATCH 074/177] updated to 0.10.10 --- .gitignore | 2 ++ ocserv.conf | 19 +++++++++++++++++++ ocserv.spec | 6 +++++- sources | 4 ++-- 4 files changed, 28 insertions(+), 3 deletions(-) diff --git a/.gitignore b/.gitignore index d2dab91..0c9a132 100644 --- a/.gitignore +++ b/.gitignore @@ -32,3 +32,5 @@ /ocserv-0.10.8.tar.xz /ocserv-0.10.9.tar.xz.sig /ocserv-0.10.9.tar.xz +/ocserv-0.10.10.tar.xz.sig +/ocserv-0.10.10.tar.xz diff --git a/ocserv.conf b/ocserv.conf index df18a8a..62ea00b 100644 --- a/ocserv.conf +++ b/ocserv.conf @@ -391,6 +391,13 @@ default-domain = example.com # The IPv6 subnet that leases will be given from. #ipv6-network = fda9:4efe:7e3b:03ea::/64 +# Specify the size of the network to provide to clients. It is +# generally recommended to provide clients with a /64 network in +# IPv6, but any subnet may be specified. To provide clients only +# with a single IP use the prefix 128. +#ipv6-subnet-prefix = 128 +#ipv6-subnet-prefix = 64 + # The advertized DNS server. Use multiple lines for # multiple servers. # dns = fc00::4be0 
@@ -440,6 +447,18 @@ ping-leases = false #no-route = 192.168.5.0/255.255.255.0 +# If set, the script /usr/bin/ocserv-fw will be called to restrict +# the user to its allowed routes and prevent him from accessing +# any other routes. In case of defaultroute, the no-routes are restricted. +# All the routes applied by ocserv can be reverted using /usr/bin/ocserv-fw +# --removeall. This option can be set globally or in the per-user configuration. +#restrict-user-to-routes = true + +# When set to true, all client's iroutes are made visible to all +# connecting clients except for the ones offering them. This option +# only makes sense if config-per-user is set. +#expose-iroutes = true + # Groups that a client is allowed to select from. # A client may belong in multiple groups, and in certain use-cases # it is needed to switch between them. For these cases the client can diff --git a/ocserv.spec b/ocserv.spec index 8cfee07..ec51bf9 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -1,7 +1,7 @@ %global _hardened_build 1 Name: ocserv -Version: 0.10.9 +Version: 0.10.10 Release: 1%{?dist} Summary: OpenConnect SSL VPN server @@ -150,6 +150,7 @@ rm -rf %{buildroot} %{_mandir}/man8/ocpasswd.8* %{_bindir}/ocpasswd %{_bindir}/occtl +%{_bindir}/ocserv-fw %{_bindir}/ocserv-script %{_sbindir}/ocserv %{_sbindir}/ocserv-genkey @@ -157,6 +158,9 @@ rm -rf %{buildroot} %{_localstatedir}/lib/ocserv/profile.xml %changelog +* Mon Nov 30 2015 Nikos Mavrogiannopoulos - 0.10.10-1 +- new upstream release + * Thu Oct 8 2015 Nikos Mavrogiannopoulos - 0.10.9-1 - new upstream release (#1269479) diff --git a/sources b/sources index 34833c2..3c0611b 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -650c80e96ef429f34787347a59476d07 ocserv-0.10.9.tar.xz.sig -74834c59aa96beaa222c21ee6521adb2 ocserv-0.10.9.tar.xz +1de2ff2dfdb1b3a9e06b5a884438c8db ocserv-0.10.10.tar.xz.sig +1f73ccb66d36cd51279323e95ae99e68 ocserv-0.10.10.tar.xz From 2f212bda6f0f4804a8fc196538881347d7c19f67 Mon Sep 17 00:00:00 2001 
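Review bot: The `expose-iroutes` comment says the routes become visible to all connecting clients but not that this discloses every user's internal prefixes to every other authenticated user, which is the trade-off an admin has to weigh; suggest adding `# Enabling this reveals each user's iroute prefixes to all other clients.` For `restrict-user-to-routes`, the comment names /usr/bin/ocserv-fw but says neither how the restriction is enforced (presumably firewall rules installed on the server per session) nor that leaving the option unset, as shipped, applies no restriction. The `--removeall` form is also split across two comment lines, so it reads as a separate command rather than an argument to ocserv-fw.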
From: Nikos Mavrogiannopoulos Date: Mon, 11 Jan 2016 09:58:19 +0100 Subject: [PATCH 075/177] updated to 0.10.11 --- .gitignore | 2 ++ ocserv.spec | 5 ++++- sources | 4 ++-- 3 files changed, 8 insertions(+), 3 deletions(-) diff --git a/.gitignore b/.gitignore index 0c9a132..b7c327e 100644 --- a/.gitignore +++ b/.gitignore @@ -34,3 +34,5 @@ /ocserv-0.10.9.tar.xz /ocserv-0.10.10.tar.xz.sig /ocserv-0.10.10.tar.xz +/ocserv-0.10.11.tar.xz.sig +/ocserv-0.10.11.tar.xz diff --git a/ocserv.spec b/ocserv.spec index ec51bf9..c1bd189 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -1,7 +1,7 @@ %global _hardened_build 1 Name: ocserv -Version: 0.10.10 +Version: 0.10.11 Release: 1%{?dist} Summary: OpenConnect SSL VPN server @@ -158,6 +158,9 @@ rm -rf %{buildroot} %{_localstatedir}/lib/ocserv/profile.xml %changelog +* Mon Jan 11 2016 Nikos Mavrogiannopoulos - 0.10.11-1 +- new upstream release + * Mon Nov 30 2015 Nikos Mavrogiannopoulos - 0.10.10-1 - new upstream release diff --git a/sources b/sources index 3c0611b..f10d358 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -1de2ff2dfdb1b3a9e06b5a884438c8db ocserv-0.10.10.tar.xz.sig -1f73ccb66d36cd51279323e95ae99e68 ocserv-0.10.10.tar.xz +7be01cd70cf9e8df2210531429a7aa10 ocserv-0.10.11.tar.xz.sig +7daf9f105b115cd6611a2ac016a29d24 ocserv-0.10.11.tar.xz From 417cae3c2cec6d88f4211918885f3a32e076eaa9 Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Tue, 2 Feb 2016 10:18:58 +0100 Subject: [PATCH 076/177] corrected license to apply to the real one --- ocserv.spec | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ocserv.spec b/ocserv.spec index c1bd189..c12e764 100644 --- a/ocserv.spec +++ b/ocserv.spec 
@@ -6,8 +6,8 @@ Release: 1%{?dist} Summary: OpenConnect SSL VPN server # For a breakdown of the licensing, see PACKAGE-LICENSING -# To simplify licenses LGPLv2+ files have been promoted to GPLv3+. -License: GPLv3+ and BSD and MIT and CC0 +# To simplify licenses LGPLv2+ files have been promoted to GPLv2+. +License: GPLv2+ and BSD and MIT and CC0 URL: http://www.infradead.org/ocserv/ Source0: ftp://ftp.infradead.org/pub/ocserv/%{name}-%{version}.tar.xz Source1: ocserv.conf From 402e65ae3f2ceb5d33334add949e9fc5baa6465b Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Thu, 4 Feb 2016 11:12:42 +0000 Subject: [PATCH 077/177] - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild --- ocserv.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/ocserv.spec b/ocserv.spec index c12e764..3a3f8e0 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -2,7 +2,7 @@ Name: ocserv Version: 0.10.11 -Release: 1%{?dist} +Release: 2%{?dist} Summary: OpenConnect SSL VPN server # For a breakdown of the licensing, see PACKAGE-LICENSING @@ -158,6 +158,9 @@ rm -rf %{buildroot} %{_localstatedir}/lib/ocserv/profile.xml %changelog +* Thu Feb 04 2016 Fedora Release Engineering - 0.10.11-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + * Mon Jan 11 2016 Nikos Mavrogiannopoulos - 0.10.11-1 - new upstream release From 9a47bd4bafc5aae777575b5e964fd56d1205c56f Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Fri, 19 Feb 2016 11:23:57 +0100 Subject: [PATCH 078/177] updated to 0.11.0 --- .gitignore | 2 ++ ocserv.conf | 44 ++++++++++++++++++++++++++++++++++---------- ocserv.spec | 11 ++++++++--- sources | 4 ++-- 4 files changed, 46 insertions(+), 15 deletions(-) diff --git a/.gitignore b/.gitignore index b7c327e..af95b9d 100644 --- a/.gitignore +++ b/.gitignore @@ -36,3 +36,5 @@ /ocserv-0.10.10.tar.xz /ocserv-0.10.11.tar.xz.sig /ocserv-0.10.11.tar.xz +/ocserv-0.11.0.tar.xz +/ocserv-0.11.0.tar.xz.sig 
diff --git a/ocserv.conf b/ocserv.conf index 62ea00b..b62dfdb 100644 --- a/ocserv.conf +++ b/ocserv.conf @@ -99,12 +99,22 @@ chroot-dir = /var/lib/ocserv ### All configuration options below this line are reloaded on a SIGHUP. -### The options above, will remain unchanged. +### The options above, will remain unchanged. Note however, that the +### server-cert, server-key, dh-params and ca-cert options will be reloaded +### if the provided file changes, on server reload. That allows certificate +### rotation, but requires the server key to remain the same for seamless +### operation. If the server key changes on reload, there may be connection +### failures during the reloading time. + # Whether to enable seccomp/Linux namespaces worker isolation. That restricts the number of # system calls allowed to a worker process, in order to reduce damage from a # bug in the worker process. It is available on Linux systems at a performance cost. # The performance cost is roughly 2% overhead at transfer time (tested on a Linux 3.17.8). +# Note however, that process isolation is restricted to the specific libc versions +# the isolation was tested at. If you get random failures on worker processes, try +# disabling that option and report the failures you, along with system and debugging +# information at: https://gitlab.com/ocserv/ocserv/issues isolate-workers = true # A banner to be displayed on clients @@ -118,11 +128,6 @@ max-clients = 16 # multiple times). Unset or set to zero for unlimited. max-same-clients = 2 -# When the server has a dynamic DNS address (that may change), -# should set that to true to ask the client to resolve again on -# reconnects. -#listen-host-is-dyndns = true - # Limit the number of client connections to one every X milliseconds # (X is the provided value). Set to zero for no limit. #rate-limit-ms = 100 
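Review bot: The isolate-workers comment added in the `@@ -99,12 +109,22 @@` hunk has a broken sentence, `report the failures you, along with system and debugging`, which reads as if a word was dropped; suggest `# disabling that option and report the failures you see, along with system and debugging`. The same paragraph tells operators to disable isolation on "random failures", which removes the seccomp/namespace protection the comment two lines above describes; a line such as `# Prefer to keep this enabled; disable it only to confirm a suspected isolation problem, then re-enable it.` would keep the advice from reading as a permanent workaround. The reworded `### The options above, will remain unchanged.` line also carries a stray comma before `will`.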
@@ -214,7 +219,9 @@ cert-user-oid = 0.9.2342.19200300.100.1.1 #cert-group-oid = 2.5.4.11 # The revocation list of the certificates issued by the 'ca-cert' above. -# See the manual to generate an empty CRL initially. +# See the manual to generate an empty CRL initially. The CRL will be reloaded +# periodically when ocserv detects a change in the file. To force a reload use +# SIGHUP. #crl = /path/to/crl.pem # Uncomment this to enable compression negotiation (LZS, LZ4). @@ -251,7 +258,7 @@ tls-priorities = "@SYSTEM" # The time (in seconds) that a client is allowed to stay connected prior # to authentication -auth-timeout = 40 +auth-timeout = 240 # The time (in seconds) that a client is allowed to stay idle (no traffic) # before being disconnected. Unset to disable. @@ -299,6 +306,13 @@ ban-reset-time = 300 # between different networks. cookie-timeout = 300 +# Cookie rekey time (in seconds) +# The time after which the key used to encrypt cookies will be +# refreshed. After this time the previous key will also be valid +# for verification. It is recommended not to modify the default +# value. +cookie-rekey-time = 14400 + # If this is enabled (not recommended) the cookies will stay # valid even after a user manually disconnects, and until they # expire. This may improve roaming with some broken clients. 
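Review bot: The `auth-timeout = 40` to `auth-timeout = 240` change in the `@@ -251,7 +258,7 @@` hunk extends sixfold the time an unauthenticated client may hold a connection, and neither the option's comment nor the commit message ("new upstream release") says why 240 was chosen. Because each pending connection occupies a worker until authentication completes or the timer fires, a longer timeout makes the limits that appear as context in this file (`max-clients = 16`, `#rate-limit-ms = 100`, `ban-reset-time = 300`) the main bound on unauthenticated load. A short why-comment above the value, such as `# Larger values allow slower interactive authentication but let unauthenticated clients hold a worker longer; tune together with max-clients and rate-limit-ms.`, would record the trade-off for operators who copy this file.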
@@ -327,11 +341,17 @@ rekey-method = ssl # Script to call when a client connects and obtains an IP. # The following parameters are passed on the environment. # REASON, USERNAME, GROUPNAME, HOSTNAME (the hostname selected by client), -# DEVICE, IP_REAL (the real IP of the client), IP_LOCAL (the local IP +# DEVICE, IP_REAL (the real IP of the client), IP_REAL_LOCAL (the local +# interface IP the client connected), IP_LOCAL (the local IP # in the P-t-P connection), IP_REMOTE (the VPN IP of the client), # IPV6_LOCAL (the IPv6 local address if there are both IPv4 and IPv6 -# assigned), IPV6_REMOVE (the IPv6 remote address), and +# assigned), IPV6_REMOTE (the IPv6 remote address), IPV6_PREFIX, and # ID (a unique numeric ID); REASON may be "connect" or "disconnect". +# In addition the following variables OCSERV_ROUTES (the applied routes for this +# client), OCSERV_NO_ROUTES, OCSERV_DNS (the DNS servers for this client), +# will contain a space separated list of routes or DNS servers. A version +# of these variables with the 4 or 6 suffix will contain only the IPv4 or +# IPv6 values. # The disconnect script will receive the additional values: STATS_BYTES_IN, # STATS_BYTES_OUT, STATS_DURATION that contain a 64-bit counter of the bytes @@ -398,6 +418,10 @@ default-domain = example.com #ipv6-subnet-prefix = 128 #ipv6-subnet-prefix = 64 +# Whether to tunnel all DNS queries via the VPN. This is the default +# when a default route is set. +#tunnel-all-dns = true + # The advertized DNS server. Use multiple lines for # multiple servers. # dns = fc00::4be0 diff --git a/ocserv.spec b/ocserv.spec index 3a3f8e0..316b66c 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -1,8 +1,8 @@ %global _hardened_build 1 Name: ocserv -Version: 0.10.11 -Release: 2%{?dist} +Version: 0.11.0 +Release: 1%{?dist} Summary: OpenConnect SSL VPN server # For a breakdown of the licensing, see PACKAGE-LICENSING 
@@ -32,6 +32,7 @@ BuildRequires: protobuf-c-devel BuildRequires: libnl3-devel BuildRequires: krb5-devel BuildRequires: libtasn1-devel +BuildRequires: liboath-devel BuildRequires: readline-devel BuildRequires: autogen BuildRequires: gperf @@ -40,6 +41,7 @@ BuildRequires: libseccomp-devel %endif BuildRequires: pcllib-devel BuildRequires: libtalloc-devel +BuildRequires: libev-devel BuildRequires: http-parser-devel BuildRequires: tcp_wrappers-devel BuildRequires: automake, autoconf @@ -75,7 +77,7 @@ to provide the secure VPN service. %setup -q rm -f src/http-parser/http_parser.c src/http-parser/http_parser.h -rm -rf src/protobuf/ +rm -rf src/protobuf/protobuf-c/ rm -rf src/ccan/talloc rm -f libopts/*.c libopts/*.h libopts/*/*.c libopts/*/*.h rm -f src/pcl/*.c src/pcl/*.h @@ -158,6 +160,9 @@ rm -rf %{buildroot} %{_localstatedir}/lib/ocserv/profile.xml %changelog +* Fri Feb 19 2016 Nikos Mavrogiannopoulos - 0.11.0-1 +- new upstream release + * Thu Feb 04 2016 Fedora Release Engineering - 0.10.11-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild diff --git a/sources b/sources index f10d358..9b1194f 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -7be01cd70cf9e8df2210531429a7aa10 ocserv-0.10.11.tar.xz.sig -7daf9f105b115cd6611a2ac016a29d24 ocserv-0.10.11.tar.xz +9161b506142232957ccf786c251b5b42 ocserv-0.11.0.tar.xz +441bb6e47fa642de92e3adfa4a46ae1b ocserv-0.11.0.tar.xz.sig From 00c8edca9a26f2703408bbedc4848d7be9249557 Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Mon, 21 Mar 2016 08:58:53 +0100 Subject: [PATCH 079/177] updated to 0.11.1 --- .gitignore | 2 ++ ocserv.spec | 5 ++++- sources | 4 ++-- 3 files changed, 8 insertions(+), 3 deletions(-) diff --git a/.gitignore b/.gitignore index af95b9d..b0317c8 100644 --- a/.gitignore +++ b/.gitignore @@ -38,3 +38,5 @@ /ocserv-0.10.11.tar.xz /ocserv-0.11.0.tar.xz /ocserv-0.11.0.tar.xz.sig +/ocserv-0.11.1.tar.xz.sig +/ocserv-0.11.1.tar.xz 
diff --git a/ocserv.spec b/ocserv.spec index 316b66c..b4120ae 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -1,7 +1,7 @@ %global _hardened_build 1 Name: ocserv -Version: 0.11.0 +Version: 0.11.1 Release: 1%{?dist} Summary: OpenConnect SSL VPN server @@ -160,6 +160,9 @@ rm -rf %{buildroot} %{_localstatedir}/lib/ocserv/profile.xml %changelog +* Mon Mar 21 2016 Nikos Mavrogiannopoulos - 0.11.1-1 +- new upstream release + * Fri Feb 19 2016 Nikos Mavrogiannopoulos - 0.11.0-1 - new upstream release diff --git a/sources b/sources index 9b1194f..3e9f901 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -9161b506142232957ccf786c251b5b42 ocserv-0.11.0.tar.xz -441bb6e47fa642de92e3adfa4a46ae1b ocserv-0.11.0.tar.xz.sig +12ef887f9796735083207e255c94f40c ocserv-0.11.1.tar.xz.sig +a581b8669f5d16639773ef81f25a1317 ocserv-0.11.1.tar.xz From 26a4b6858742a06e7b03d0fc6872850e22643ab9 Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Tue, 26 Apr 2016 09:47:18 +0200 Subject: [PATCH 080/177] updated to 0.11.2 and added auto sig verification --- .gitignore | 3 +++ ocserv.spec | 39 ++++++++++++++++++++++----------------- sources | 5 +++-- 3 files changed, 28 insertions(+), 19 deletions(-) diff --git a/.gitignore b/.gitignore index b0317c8..de309fb 100644 --- a/.gitignore +++ b/.gitignore @@ -40,3 +40,6 @@ /ocserv-0.11.0.tar.xz.sig /ocserv-0.11.1.tar.xz.sig /ocserv-0.11.1.tar.xz +/gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg +/ocserv-0.11.2.tar.xz +/ocserv-0.11.2.tar.xz.sig diff --git a/ocserv.spec b/ocserv.spec index b4120ae..917af4e 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -1,7 +1,7 @@ %global _hardened_build 1 Name: ocserv -Version: 0.11.1 +Version: 0.11.2 Release: 1%{?dist} Summary: OpenConnect SSL VPN server 
@@ -10,13 +10,14 @@ Summary: OpenConnect SSL VPN server License: GPLv2+ and BSD and MIT and CC0 URL: http://www.infradead.org/ocserv/ Source0: ftp://ftp.infradead.org/pub/ocserv/%{name}-%{version}.tar.xz -Source1: ocserv.conf -Source2: ocserv.service -Source3: ocserv-pamd.conf -Source4: PACKAGE-LICENSING -Source6: ftp://ftp.infradead.org/pub/ocserv/%{name}-%{version}.tar.xz.sig -Source7: ocserv-genkey -Source8: ocserv-script +Source1: ftp://ftp.infradead.org/pub/ocserv/%{name}-%{version}.tar.xz.sig +Source2: gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg +Source3: ocserv.conf +Source4: ocserv.service +Source5: ocserv-pamd.conf +Source6: PACKAGE-LICENSING +Source8: ocserv-genkey +Source9: ocserv-script # Taken from upstream: # http://git.infradead.org/ocserv.git/commitdiff/7d70006a2dbddf783213f1856374bacc74217e09 @@ -47,9 +48,8 @@ BuildRequires: tcp_wrappers-devel BuildRequires: automake, autoconf BuildRequires: radcli-devel BuildRequires: lz4-devel - -# we don't build with dbus support -#BuildRequires: dbus-devel +BuildRequires: uid_wrapper +BuildRequires: socket_wrapper Requires: gnutls-utils Requires: iproute @@ -74,6 +74,7 @@ uses the standard IETF security protocols such as TLS 1.2, and Datagram TLS to provide the secure VPN service. %prep +gpgv2 --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0} %setup -q rm -f src/http-parser/http_parser.c src/http-parser/http_parser.h 
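Review bot: The `%prep` hunk `@@ -74,6 +74,7 @@` invokes `gpgv2`, but none of the hunks in this commit add a `BuildRequires: gnupg2`; unless it is already declared in a part of the spec outside these hunks, the build will abort at `%prep` in a minimal buildroot because the tool is absent. The `@@ -47,9 +48,8 @@` hunk that adds `uid_wrapper` and `socket_wrapper` is the natural place for `BuildRequires: gnupg2`. Failing closed is the right outcome for a missing verifier, since this line is the tarball's only integrity check, but the dependency is what makes the check run at all. Separately, the keyring `%{SOURCE2}` is fetched from the lookaside cache and pinned only by the MD5 in `sources`, so the trust anchor travels through the same channel as the artefact it verifies; committing the key to the repository, as a later commit in this series does, binds it to git history instead.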
@@ -118,19 +119,19 @@ make check %{?_smp_mflags} %install rm -rf %{buildroot} -cp -a %{SOURCE4} PACKAGE-LICENSING +cp -a %{SOURCE6} PACKAGE-LICENSING mkdir -p %{buildroot}/%{_sysconfdir}/pam.d/ mkdir -p %{buildroot}/%{_sysconfdir}/ocserv/ -install -p -m 644 %{SOURCE3} %{buildroot}/%{_sysconfdir}/pam.d/ocserv -install -p -m 644 %{SOURCE1} %{buildroot}/%{_sysconfdir}/ocserv/ +install -p -m 644 %{SOURCE5} %{buildroot}/%{_sysconfdir}/pam.d/ocserv +install -p -m 644 %{SOURCE3} %{buildroot}/%{_sysconfdir}/ocserv/ mkdir -p %{buildroot}/%{_unitdir} -install -p -m 644 %{SOURCE2} %{buildroot}/%{_unitdir} +install -p -m 644 %{SOURCE4} %{buildroot}/%{_unitdir} mkdir -p %{buildroot}%{_localstatedir}/lib/ocserv/ install -p -m 644 doc/profile.xml %{buildroot}%{_localstatedir}/lib/ocserv/ mkdir -p %{buildroot}/%{_sbindir} -install -p -m 755 %{SOURCE7} %{buildroot}/%{_sbindir} +install -p -m 755 %{SOURCE8} %{buildroot}/%{_sbindir} mkdir -p %{buildroot}/%{_bindir} -install -p -m 755 %{SOURCE8} %{buildroot}/%{_bindir} +install -p -m 755 %{SOURCE9} %{buildroot}/%{_bindir} %make_install %clean @@ -160,6 +161,10 @@ rm -rf %{buildroot} %{_localstatedir}/lib/ocserv/profile.xml %changelog +* Mon Mar 21 2016 Nikos Mavrogiannopoulos - 0.11.2-1 +- New upstream release +- Added automatic verification of signature during build + * Mon Mar 21 2016 Nikos Mavrogiannopoulos - 0.11.1-1 - new upstream release diff --git a/sources b/sources index 3e9f901..bff4cce 100644 --- a/sources +++ b/sources @@ -1,2 +1,3 @@ -12ef887f9796735083207e255c94f40c ocserv-0.11.1.tar.xz.sig -a581b8669f5d16639773ef81f25a1317 ocserv-0.11.1.tar.xz +310168e221d6e810022b270e32bf9662 gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg +6731f4d9a85ff0476ae37fa7a4d57ee2 ocserv-0.11.2.tar.xz +4e8b8291fee4b3da8c6f43b08819dd1f ocserv-0.11.2.tar.xz.sig From df1c1dc6a304cc2760acccf6d5a8ca163dc89e22 Mon Sep 17 00:00:00 2001 
From: Nikos Mavrogiannopoulos Date: Tue, 26 Apr 2016 10:29:29 +0200 Subject: [PATCH 081/177] fixed date and removed legacy config options --- ocserv.conf | 7 ------- ocserv.spec | 2 +- 2 files changed, 1 insertion(+), 8 deletions(-) diff --git a/ocserv.conf b/ocserv.conf index b62dfdb..c7f9ad1 100644 --- a/ocserv.conf +++ b/ocserv.conf @@ -306,13 +306,6 @@ ban-reset-time = 300 # between different networks. cookie-timeout = 300 -# Cookie rekey time (in seconds) -# The time after which the key used to encrypt cookies will be -# refreshed. After this time the previous key will also be valid -# for verification. It is recommended not to modify the default -# value. -cookie-rekey-time = 14400 - # If this is enabled (not recommended) the cookies will stay # valid even after a user manually disconnects, and until they # expire. This may improve roaming with some broken clients. diff --git a/ocserv.spec b/ocserv.spec index 917af4e..556a074 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -161,7 +161,7 @@ rm -rf %{buildroot} %{_localstatedir}/lib/ocserv/profile.xml %changelog -* Mon Mar 21 2016 Nikos Mavrogiannopoulos - 0.11.2-1 +* Tue Apr 26 2016 Nikos Mavrogiannopoulos - 0.11.2-1 - New upstream release - Added automatic verification of signature during build From 2d1dc3442903f58d5f4735cea5cad66d6a53be8c Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Thu, 16 Jun 2016 09:37:34 +0200 Subject: [PATCH 082/177] updated to 0.11.3 --- .gitignore | 2 ++ ocserv.spec | 5 ++++- sources | 4 ++-- 3 files changed, 8 insertions(+), 3 deletions(-) diff --git a/.gitignore b/.gitignore index de309fb..3119d48 100644 --- a/.gitignore +++ b/.gitignore @@ -43,3 +43,5 @@ /gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg /ocserv-0.11.2.tar.xz /ocserv-0.11.2.tar.xz.sig +/ocserv-0.11.3.tar.xz +/ocserv-0.11.3.tar.xz.sig diff --git a/ocserv.spec b/ocserv.spec index 556a074..f057a5b 100644 --- a/ocserv.spec +++ b/ocserv.spec 
@@ -1,7 +1,7 @@ %global _hardened_build 1 Name: ocserv -Version: 0.11.2 +Version: 0.11.3 Release: 1%{?dist} Summary: OpenConnect SSL VPN server @@ -161,6 +161,9 @@ rm -rf %{buildroot} %{_localstatedir}/lib/ocserv/profile.xml %changelog +* Thu Jun 16 2016 Nikos Mavrogiannopoulos - 0.11.3-1 +- New upstream release + * Tue Apr 26 2016 Nikos Mavrogiannopoulos - 0.11.2-1 - New upstream release - Added automatic verification of signature during build diff --git a/sources b/sources index bff4cce..71e8e5b 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ 310168e221d6e810022b270e32bf9662 gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg -6731f4d9a85ff0476ae37fa7a4d57ee2 ocserv-0.11.2.tar.xz -4e8b8291fee4b3da8c6f43b08819dd1f ocserv-0.11.2.tar.xz.sig +ffe3d79662e939bb55dfe7c9e490b4f2 ocserv-0.11.3.tar.xz +4bf5d98c6ededa172aa04460386bb0e6 ocserv-0.11.3.tar.xz.sig From 0070a879b3d684701e0e4def2a96bdb7b2a5c641 Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Fri, 5 Aug 2016 13:01:40 +0200 Subject: [PATCH 083/177] updated to 0.11.4 --- .gitignore | 3 +++ ocserv.spec | 10 +++++++--- sources | 5 +++-- 3 files changed, 13 insertions(+), 5 deletions(-) diff --git a/.gitignore b/.gitignore index 3119d48..fa6eaeb 100644 --- a/.gitignore +++ b/.gitignore @@ -45,3 +45,6 @@ /ocserv-0.11.2.tar.xz.sig /ocserv-0.11.3.tar.xz /ocserv-0.11.3.tar.xz.sig +/ocserv-0.11.4.tar.xz +/ocserv-0.11.4.tar.xz.sig +/gpgkey-56EE7FA9E8173B19FE86268D763712747F343FA7.gpg diff --git a/ocserv.spec b/ocserv.spec index f057a5b..43ac23c 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -1,7 +1,7 @@ %global _hardened_build 1 Name: ocserv -Version: 0.11.3 +Version: 0.11.4 Release: 1%{?dist} Summary: OpenConnect SSL VPN server 
@@ -18,6 +18,7 @@ Source5: ocserv-pamd.conf Source6: PACKAGE-LICENSING Source8: ocserv-genkey Source9: ocserv-script +Source10: gpgkey-56EE7FA9E8173B19FE86268D763712747F343FA7.gpg # Taken from upstream: # http://git.infradead.org/ocserv.git/commitdiff/7d70006a2dbddf783213f1856374bacc74217e09 @@ -74,7 +75,7 @@ uses the standard IETF security protocols such as TLS 1.2, and Datagram TLS to provide the secure VPN service. %prep -gpgv2 --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0} +gpgv2 --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0} || gpgv2 --keyring %{SOURCE10} %{SOURCE1} %{SOURCE0} %setup -q rm -f src/http-parser/http_parser.c src/http-parser/http_parser.h @@ -83,7 +84,7 @@ rm -rf src/ccan/talloc rm -f libopts/*.c libopts/*.h libopts/*/*.c libopts/*/*.h rm -f src/pcl/*.c src/pcl/*.h sed -i 's|/etc/ocserv.conf|/etc/ocserv/ocserv.conf|g' src/config.c -sed -i 's/run-as-group = nogroup/run-as-group = nobody/g' tests/*.config +sed -i 's/run-as-group = nogroup/run-as-group = nobody/g' tests/data/*.config # GPLv3 in headers is a gnulib bug: # http://lists.gnu.org/archive/html/bug-gnulib/2013-11/msg00062.html sed -i 's/either version 3 of the License/either version 2 of the License/g' build-aux/snippet/* @@ -161,6 +162,9 @@ rm -rf %{buildroot} %{_localstatedir}/lib/ocserv/profile.xml %changelog +* Fri Aug 5 2016 Nikos Mavrogiannopoulos - 0.11.4-1 +- New upstream release + * Thu Jun 16 2016 Nikos Mavrogiannopoulos - 0.11.3-1 - New upstream release diff --git a/sources b/sources index 71e8e5b..44d23cb 100644 --- a/sources +++ b/sources @@ -1,3 +1,4 @@ 310168e221d6e810022b270e32bf9662 gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg -ffe3d79662e939bb55dfe7c9e490b4f2 ocserv-0.11.3.tar.xz -4bf5d98c6ededa172aa04460386bb0e6 ocserv-0.11.3.tar.xz.sig +c144d7522377a701cb9e63a20098e122 gpgkey-56EE7FA9E8173B19FE86268D763712747F343FA7.gpg +645b8f26d2aa40bfe4c32c8de7c8c87e ocserv-0.11.4.tar.xz +a036652f70660c5041adbea14aabf934 ocserv-0.11.4.tar.xz.sig 
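Review bot: The `%prep` line in the `@@ -74,7 +75,7 @@` hunk, `gpgv2 --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0} || gpgv2 --keyring %{SOURCE10} %{SOURCE1} %{SOURCE0}`, accepts a signature valid under either key, which is fine for a key rollover, but the `||` retries on any non-zero exit of the first command, so every build signed by the new key logs a signature failure before succeeding and a malformed `.sig` is checked twice rather than reported once. `gpgv` accepts `--keyring` more than once, so a single invocation gives one clear result: `gpgv2 --keyring %{SOURCE2} --keyring %{SOURCE10} %{SOURCE1} %{SOURCE0}`. Retiring the old key later is then a one-token change, and the `.gitignore` and `sources` hunks in this commit stay as they are.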
From dc4fb1af307312b7ff07d1ea184fa9dc073e1d2d Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Thu, 8 Sep 2016 09:03:15 +0200 Subject: [PATCH 084/177] Rebuild to address http-parser breakage (#1374081) --- ocserv.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/ocserv.spec b/ocserv.spec index 43ac23c..7b89dbe 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -2,7 +2,7 @@ Name: ocserv Version: 0.11.4 -Release: 1%{?dist} +Release: 2%{?dist} Summary: OpenConnect SSL VPN server # For a breakdown of the licensing, see PACKAGE-LICENSING @@ -162,6 +162,9 @@ rm -rf %{buildroot} %{_localstatedir}/lib/ocserv/profile.xml %changelog +* Thu Sep 8 2016 Nikos Mavrogiannopoulos - 0.11.4-2 +- Rebuild to address http-parser breakage (#1374081) + * Fri Aug 5 2016 Nikos Mavrogiannopoulos - 0.11.4-1 - New upstream release From d0dbbc1a1988c995771c0bbb85894e723049b5ef Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Wed, 14 Sep 2016 10:26:06 +0200 Subject: [PATCH 085/177] Added getrandom to the list of allowed syscalls (#1375851) --- ocserv-0.11.4-getrandom.patch | 24 ++++++++++++++++++++++++ ocserv.spec | 8 +++++++- 2 files changed, 31 insertions(+), 1 deletion(-) create mode 100644 ocserv-0.11.4-getrandom.patch diff --git a/ocserv-0.11.4-getrandom.patch b/ocserv-0.11.4-getrandom.patch new file mode 100644 index 0000000..ffe15ea --- /dev/null +++ b/ocserv-0.11.4-getrandom.patch 
@@ -0,0 +1,24 @@ +From cc1dbf1c246375c175b4392e3c6ca2139b0c355a Mon Sep 17 00:00:00 2001 +From: Nikos Mavrogiannopoulos +Date: Wed, 14 Sep 2016 10:20:41 +0200 +Subject: [PATCH] seccomp: added getrandom() to the accepted list of calls + +--- + src/worker-privs.c | 1 + + 1 file changed, 1 insertion(+), 0 deletions(-) + +diff --git a/src/worker-privs.c b/src/worker-privs.c +index 1557c59..33dc46c 100644 +--- a/src/worker-privs.c ++++ b/src/worker-privs.c +@@ -61,6 +61,7 @@ int disable_system_calls(struct worker_st *ws) + ADD_SYSCALL(alarm, 0); + ADD_SYSCALL(getpid, 0); + ADD_SYSCALL(brk, 0); ++ ADD_SYSCALL(getrandom, 0); /* used by gnutls 3.5.x */ + + ADD_SYSCALL(recvmsg, 0); + ADD_SYSCALL(sendmsg, 0); +-- +libgit2 0.24.0 + diff --git a/ocserv.spec b/ocserv.spec index 7b89dbe..8bf3700 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -2,7 +2,7 @@ Name: ocserv Version: 0.11.4 -Release: 2%{?dist} +Release: 3%{?dist} Summary: OpenConnect SSL VPN server # For a breakdown of the licensing, see PACKAGE-LICENSING @@ -19,6 +19,7 @@ Source6: PACKAGE-LICENSING Source8: ocserv-genkey Source9: ocserv-script Source10: gpgkey-56EE7FA9E8173B19FE86268D763712747F343FA7.gpg +Patch0: ocserv-0.11.4-getrandom.patch # Taken from upstream: # http://git.infradead.org/ocserv.git/commitdiff/7d70006a2dbddf783213f1856374bacc74217e09 @@ -78,6 +79,8 @@ to provide the secure VPN service. gpgv2 --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0} || gpgv2 --keyring %{SOURCE10} %{SOURCE1} %{SOURCE0} %setup -q +%patch0 -p1 -b .getrandom + rm -f src/http-parser/http_parser.c src/http-parser/http_parser.h rm -rf src/protobuf/protobuf-c/ rm -rf src/ccan/talloc @@ -162,6 +165,9 @@ rm -rf %{buildroot} %{_localstatedir}/lib/ocserv/profile.xml %changelog +* Wed Sep 14 2016 Nikos Mavrogiannopoulos - 0.11.4-3 +- Added getrandom to the list of allowed syscalls (#1375851) + * Thu Sep 8 2016 Nikos Mavrogiannopoulos - 0.11.4-2 - Rebuild to address http-parser breakage (#1374081) 
From 4cfe8c0e027fa9b6d65a0c4ae7e9fa437486c32d Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Fri, 23 Sep 2016 10:54:38 +0200 Subject: [PATCH 086/177] updated to 0.11.5 --- .gitignore | 2 ++ ocserv-0.11.4-getrandom.patch | 24 ------------------------ ocserv.conf | 30 +++++++++++++++++++++++++----- ocserv.spec | 7 ++----- sources | 4 ++-- 5 files changed, 31 insertions(+), 36 deletions(-) delete mode 100644 ocserv-0.11.4-getrandom.patch diff --git a/.gitignore b/.gitignore index fa6eaeb..30d44e6 100644 --- a/.gitignore +++ b/.gitignore @@ -48,3 +48,5 @@ /ocserv-0.11.4.tar.xz /ocserv-0.11.4.tar.xz.sig /gpgkey-56EE7FA9E8173B19FE86268D763712747F343FA7.gpg +/ocserv-0.11.5.tar.xz +/ocserv-0.11.5.tar.xz.sig diff --git a/ocserv-0.11.4-getrandom.patch b/ocserv-0.11.4-getrandom.patch deleted file mode 100644 index ffe15ea..0000000 --- a/ocserv-0.11.4-getrandom.patch +++ /dev/null @@ -1,24 +0,0 @@ -From cc1dbf1c246375c175b4392e3c6ca2139b0c355a Mon Sep 17 00:00:00 2001 -From: Nikos Mavrogiannopoulos -Date: Wed, 14 Sep 2016 10:20:41 +0200 -Subject: [PATCH] seccomp: added getrandom() to the accepted list of calls - ---- - src/worker-privs.c | 1 + - 1 file changed, 1 insertion(+), 0 deletions(-) - -diff --git a/src/worker-privs.c b/src/worker-privs.c -index 1557c59..33dc46c 100644 ---- a/src/worker-privs.c -+++ b/src/worker-privs.c -@@ -61,6 +61,7 @@ int disable_system_calls(struct worker_st *ws) - ADD_SYSCALL(alarm, 0); - ADD_SYSCALL(getpid, 0); - ADD_SYSCALL(brk, 0); -+ ADD_SYSCALL(getrandom, 0); /* used by gnutls 3.5.x */ - - ADD_SYSCALL(recvmsg, 0); - ADD_SYSCALL(sendmsg, 0); --- -libgit2 0.24.0 - diff --git a/ocserv.conf b/ocserv.conf index c7f9ad1..53c626e 100644 --- a/ocserv.conf +++ b/ocserv.conf 
@@ -256,6 +256,14 @@ tls-priorities = "@SYSTEM" # on the main channel. #tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128" +# That option requires the established DTLS channel to use the same +# cipher as the primary TLS channel. This cannot be combined with +# listen-clear-file since the ciphersuite information is not available +# in that configuration. Note also, that this option implies that +# dtls-legacy option is false; this option cannot be enforced +# in the legacy/compat protocol. +#match-tls-dtls-ciphers = true + # The time (in seconds) that a client is allowed to stay connected prior # to authentication auth-timeout = 240 
@@ -546,13 +554,25 @@ ping-leases = false # The following options are for (experimental) AnyConnect client # compatibility. -# This option must be set to true to support legacy CISCO clients. -# A side effect of this option is that it will no longer be required -# for clients to present their certificate on every connection. -# That is they may resume a cookie without presenting a certificate -# (when certificate authentication is used). +# This option will enable the pre-draft-DTLS version of DTLS, and +# will not require clients to present their certificate on every TLS +# connection. It must be set to true to support legacy CISCO clients +# and openconnect clients < 7.08. When set to true, it implies dtls-legacy = true. cisco-client-compat = true +# This option allows to disable the DTLS-PSK negotiation (enabled by default). +# The DTLS-PSK negotiation was introduced in ocserv 0.11.5 to deprecate +# the pre-draft-DTLS negotiation inherited from AnyConnect. It allows the +# DTLS channel to negotiate its ciphers and the DTLS protocol version. +#dtls-psk = false + +# This option allows to disable the legacy DTLS negotiation (enabled by default, +# but that may change in the future). +# The legacy DTLS uses a pre-draft version of the DTLS protocol and was +# from AnyConnect protocol. It has several limitations, that are addressed +# by the dtls-psk protocol supported by openconnect 7.08+. +dtls-legacy = true + # Client profile xml. A sample file exists in doc/profile.xml. # It is required by some of the CISCO clients. # This file must be accessible from inside the worker's chroot. diff --git a/ocserv.spec b/ocserv.spec index 8bf3700..8640f7e 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -1,8 +1,8 @@ %global _hardened_build 1 Name: ocserv -Version: 0.11.4 -Release: 3%{?dist} +Version: 0.11.5 +Release: 1%{?dist} Summary: OpenConnect SSL VPN server # For a breakdown of the licensing, see PACKAGE-LICENSING 
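Review bot: In the `@@ -546,13 +554,25 @@` hunk the shipped config sets `dtls-legacy = true` and keeps `cisco-client-compat = true` uncommented, while its own comments state that cisco-client-compat `will not require clients to present their certificate on every TLS connection` and that the legacy DTLS is a pre-draft protocol whose limitations are addressed by dtls-psk. The comments say who needs the legacy path (legacy CISCO clients and openconnect < 7.08) but not what to do when no such clients exist; a line above `dtls-legacy = true` such as `# If all clients are openconnect 7.08 or newer, set both this and cisco-client-compat to false.` would point operators at the tighter setting. It would also help to mention `#match-tls-dtls-ciphers = true` from the `@@ -256,6 +256,14 @@` hunk here, since that comment says it implies dtls-legacy is false and the two settings are otherwise easy to enable together.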
@@ -19,7 +19,6 @@ Source6: PACKAGE-LICENSING Source8: ocserv-genkey Source9: ocserv-script Source10: gpgkey-56EE7FA9E8173B19FE86268D763712747F343FA7.gpg -Patch0: ocserv-0.11.4-getrandom.patch # Taken from upstream: # http://git.infradead.org/ocserv.git/commitdiff/7d70006a2dbddf783213f1856374bacc74217e09 @@ -79,8 +78,6 @@ to provide the secure VPN service. gpgv2 --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0} || gpgv2 --keyring %{SOURCE10} %{SOURCE1} %{SOURCE0} %setup -q -%patch0 -p1 -b .getrandom - rm -f src/http-parser/http_parser.c src/http-parser/http_parser.h rm -rf src/protobuf/protobuf-c/ rm -rf src/ccan/talloc diff --git a/sources b/sources index 44d23cb..197a6c2 100644 --- a/sources +++ b/sources @@ -1,4 +1,4 @@ 310168e221d6e810022b270e32bf9662 gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg c144d7522377a701cb9e63a20098e122 gpgkey-56EE7FA9E8173B19FE86268D763712747F343FA7.gpg -645b8f26d2aa40bfe4c32c8de7c8c87e ocserv-0.11.4.tar.xz -a036652f70660c5041adbea14aabf934 ocserv-0.11.4.tar.xz.sig +fbda999ce0b528d001bb46b3db6f5d49 ocserv-0.11.5.tar.xz +f008f957a95feb8ef675ff1af09e3b53 ocserv-0.11.5.tar.xz.sig From bb91f26d9d5039d4d43e5d35d558e0fc200f4ef6 Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Tue, 15 Nov 2016 14:51:31 +0100 Subject: [PATCH 087/177] updated to 0.11.6 --- .gitignore | 2 ++ ocserv.spec | 5 ++++- sources | 4 ++-- 3 files changed, 8 insertions(+), 3 deletions(-) diff --git a/.gitignore b/.gitignore index 30d44e6..6fcad36 100644 --- a/.gitignore +++ b/.gitignore @@ -50,3 +50,5 @@ /gpgkey-56EE7FA9E8173B19FE86268D763712747F343FA7.gpg /ocserv-0.11.5.tar.xz /ocserv-0.11.5.tar.xz.sig +/ocserv-0.11.6.tar.xz +/ocserv-0.11.6.tar.xz.sig diff --git a/ocserv.spec b/ocserv.spec index 8640f7e..8cf0cec 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -1,7 +1,7 @@ %global _hardened_build 1 Name: ocserv -Version: 0.11.5 +Version: 0.11.6 Release: 1%{?dist} Summary: OpenConnect SSL VPN server 
@@ -162,6 +162,9 @@ rm -rf %{buildroot}
 %{_localstatedir}/lib/ocserv/profile.xml
 %changelog
+* Tue Nov 15 2016 Nikos Mavrogiannopoulos - 0.11.6-1
+- New upstream release
+
 * Wed Sep 14 2016 Nikos Mavrogiannopoulos - 0.11.4-3
 - Added getrandom to the list of allowed syscalls (#1375851)
diff --git a/sources b/sources
index 197a6c2..6dd3e56 100644
--- a/sources
+++ b/sources
@@ -1,4 +1,4 @@
 310168e221d6e810022b270e32bf9662 gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg
 c144d7522377a701cb9e63a20098e122 gpgkey-56EE7FA9E8173B19FE86268D763712747F343FA7.gpg
-fbda999ce0b528d001bb46b3db6f5d49 ocserv-0.11.5.tar.xz
-f008f957a95feb8ef675ff1af09e3b53 ocserv-0.11.5.tar.xz.sig
+0e4f82d267d27f2f9d3fcba58ac6cf5a ocserv-0.11.6.tar.xz
+12a026b472daa54373f38538773673d8 ocserv-0.11.6.tar.xz.sig
From 77b3f227f7f49a02d9660107624e1f907a7e75ee Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos
Date: Tue, 15 Nov 2016 14:57:30 +0100
Subject: [PATCH 088/177] ocserv.conf: include switch-to-tcp-timeout
---
 ocserv.conf | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/ocserv.conf b/ocserv.conf
index 53c626e..96082b7 100644
--- a/ocserv.conf
+++ b/ocserv.conf
@@ -155,6 +155,14 @@ dpd = 90
 # 'X-AnyConnect-Identifier-DeviceType'.
 mobile-dpd = 1800
+# If using DTLS, and no UDP traffic is received for this
+# many seconds, attempt to send future traffic over the TCP
+# connection instead, in an attempt to wake up the client
+# in the case that there is a NAT and the UDP translation
+# was deleted. If this is unset, do not attempt to use this
+# recovery mechanism.
+switch-to-tcp-timeout = 25
+
 # MTU discovery (DPD must be enabled)
 try-mtu-discovery = false
From 0cab039273b47c78f1706211f2e7432da912fe0e Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos
Date: Tue, 15 Nov 2016 15:23:40 +0100
Subject: [PATCH 089/177] Removed gpg keys from sources
---
 .gitignore | 2 --
 ...1F42418905D8206AA754CCDC29EE58B996865171.gpg | Bin 0 -> 56226 bytes
 ...56EE7FA9E8173B19FE86268D763712747F343FA7.gpg | Bin 0 -> 2135 bytes
 ocserv.spec | 5 ++++-
 sources | 2 --
 5 files changed, 4 insertions(+), 5 deletions(-)
 create mode 100644 gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg
 create mode 100644 gpgkey-56EE7FA9E8173B19FE86268D763712747F343FA7.gpg
diff --git a/.gitignore b/.gitignore
index 6fcad36..683b9bb 100644
--- a/.gitignore
+++ b/.gitignore
@@ -40,14 +40,12 @@
 /ocserv-0.11.0.tar.xz.sig
 /ocserv-0.11.1.tar.xz.sig
 /ocserv-0.11.1.tar.xz
-/gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg
 /ocserv-0.11.2.tar.xz
 /ocserv-0.11.2.tar.xz.sig
 /ocserv-0.11.3.tar.xz
 /ocserv-0.11.3.tar.xz.sig
 /ocserv-0.11.4.tar.xz
 /ocserv-0.11.4.tar.xz.sig
-/gpgkey-56EE7FA9E8173B19FE86268D763712747F343FA7.gpg
 /ocserv-0.11.5.tar.xz
 /ocserv-0.11.5.tar.xz.sig
 /ocserv-0.11.6.tar.xz
diff --git a/gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg b/gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg new file mode 100644 index 0000000000000000000000000000000000000000..1f9a40cc96ea43f54ea9dc0f1873971a85535c2f GIT binary patch literal 56226 zcmb5VV{~W1x3Kw(ZQHhO+qP|+9jDWA(y@(>I<{@6W7|&N&i~$b-o9&Qt(p0HK0I~y z-cRkSb5>P4P&}w4-hKlREaCcf_VzM+@sQiWiwKx*Z+Mv+9`8wwqw1ZDCWXlCRG+hP zJxq`5#4H&40|SmIu-o}GF0Ur~I;4T^T$=A7V*)K#P!F6as6=9ih}$(MK1+pX<@^eJ zt!gX+pkr?3~<7lyA%+Ooj*(7RM={K#6Z+3hnMYhegtr=_&c~I{e79V z9vk(d2BYih6hED0O?N<{vJ9+&)l%`~+A+$u2$9*5YRz;T1l-2W0Co>)M4=)Kau#@> z#I_|*`tr?RG%h^i$n%F&I0j1@0D^TxD`sGj)Ck%c~n&xOPC zHPHEYQKPZAM1ST%-cOXAhK^5=R94>Oi4Z)*vYH7E4eyYKrP3B48Q56Ug!on=b`BZS zI3`KEYXhi3?4XI}MRVgYrFTiGVD^$3>qaNf%8rmWRTw^?=-y&%<>x`DASc983%Efd zPyKo>8Oy$`Hf`t;N61@NJ*tK3*$Q>ZEv@rk@5CEuwO5V!G z!G%!H$lck&!pg|r-oeqq&GzpTUVA$ucR>q#H&=b@+=T4UIFrclUYlQ3S}%J{ZL!#^cIx%=fMh|DyIFOJoovAe=RwrErgAUDk2^y+CE;s^s@M)MjJ^mNv& z+8U6X2@j$`qv4-qQCwEo$9Hpq*&Yt}4@Y5j<%=W54#R`@nrF(s49GF}1}w{O)9a?* z++c2OfL%Fzc5wr8hx<+CLwv@291!+Dd%aKIF0~-N|K;qzeR1}g(Ds}2GOfgF09n{r zpSt$ry(F|;$Xm~ua^m`>`hV#vqoUM>i{ab}b~QeWX;qmxO&3xBa1=p5zc{h&ho@~= zM<9n~fE?ej5^n+{=g83Qu}gUI{#USk<|#lHL8kccJhxsiZi#8D`4%AN1ibT}e>pz1 zUmQl@SW-!p#*aR9K#m@7wI!JnQ~t+TDi7B)9Qz#C^C%z_J^*+gs@Z(WOIgADxonHD z5b5lny2~kF6n$}AaBJpNdI}i4#{juo_x4q!)eUO$I4@o#_^$ZnRW|v6+(}*vrlGi8 z>mMR=oM*~@&ava?#Q(gH3QG4E#|~zQTTl~|!&MZJP0^jD1~kDwZ+Ertr@m-V!RkRR z2FS5~s{L5~!Hjd37Pp^agg__0lvnsKhv4Xo^L;CW?f`c)C$kxlH&>7{16r&~p2SR*@)5YHLf5>h~Jow~A(}hH5~Lv&H0@InSdxuq8K9JW>e($N5?#Ae+J42kTSV zZ2PCe(}=s%-Aw4fRsR3rwEibQM=a+zUFn0_JU1;D-!A zHd9*s^rqDLvJT@XUoAGT_~UuX_CFl$>w+&%#6c_m$K3`9*fk)VlYZm9Aw0KW2wjvi z@HiAVH+>TgkXw3~0-Wz#7atzmhWiXRVf3J_uLE_fq44~N6Q0oW#Th`Y`7Tok z)W`cbqbV`-m_*muh{7{Q(N{^Q+;q2;wSe3M10EeR7`CWk@|Hg>Te;3_RZFD*a1NO> zzc{~@P@&$?*3Kx10Xg1YC>N7c82Qxodr|!u6lqRF-){oRuZHI;fu}Y;H|5{ zWlpA#|HD!EMjiUaQ9t~Qq7)p0besU>Xy>Gz%@A$px{lLMnb#4-U0y)U|Mdsn<`J;b zq-Y*qC?@7}8y6fe*!6$sm)bz<0S@ZwSul*0t 
zE!_!;QJQ*rd*x4qi3d`(|8O9``n;T?zuMRP%mi(C+X@Fe`&$34Ft)EIIyx))iK5Sy z=;dq4rfgsmAV;6}r~|x+SyPn5s5|dXO#}-|Xyh*k>A%(sIfcu*FV4@6a3SpiVs(%O zK#r(Vbj*#R<7LE72J!FZ_$4P5%EG_11&SP+ob&XEbj>kKj`4300R_lwy>y_BRA!bwgKn}=+%=kumz;axH^<)lanT%TAnng+W z*K+NN1{Cd#uJ5DAOCuDM!9e?F3x7E%{~ed2h3OZEAsG#_`~aB#1Qn1QQ)l%|Z2fI4 zB`b5vN%pCa*ZN@_kcAgVf?Pi^T?pk;X+015=Y~XE0p}l%mQ2ML=OQSfcu!<;`Sk;k zTO55zJ;P?|fE~;uas(>4ovSfo3dln4?eeyZ6;U;bLkA1ROuc3&2yy#|qgM|2;{0Ii z3veWbc%;Ms+i7;qi=gwH8Hoit+@C_!ThfewJ_$-fMKdyN3u6ph-%ImT`V(M2H=Jm8cpNC@X6By7WoUgN)9* z>T+W50tisQ#R~AB&EJAYm=`uY7}gx-(SGh+^*h4|bfYC-_}=^vU-eb_i+>Tz&W9eJ z$~o!>_#gzO#r?bp|C}wPI(lD54RC8|=D&pWp|kdGYiXB?3gveNz~JHGL2u#UYH8u% z;9^E^Z|2J2XyM54HGG5H4n%8XFjZqUQB(Nf3s-YLf0v=AOdI{c z+qO{vr(3Z8jYeTckM7@SjF>&?O)MEq%@}MP z>|Kp){u2?Mql2xLi5I=4tDWsva87ojD10%*bn<`KZegYdPw&qk?j=wO11%p31_ttO zQh*%!s7>zK4{&D2))8;u&bJo&``woRF{;D=|54Q!sQ5>`!Br0@0Xe$Z%dYd01mbm% z^7DJXA2qAf+HHUw^(O22l55CW>;^*H#%-1pO%G$82*3Yy5Wc^$8qVu8{~N2ll?k1_ zkqMonvxBvniR;$}p26SP*2u__;h%s(z<@lzf_9$Ye46jOPCXa;yWlirrZn>wxkfsg zp3tb}Ft?g|HUqLy&M?$LK~i2adYIfndZj#k+6GG_fp9?)f&TMFAg3t$pB=AXANlHp zbMgBcDI_3+Au(Sjmvv8h$AxRt3B8)Z(MP5#io>*?5HQHnK|SK1OynyM8f`EO{>;O( zvLgLF3+&xOo*lGwn2MfA!^=qVI`%k(>FgkpceYv}Ahxf-fO7Wy`;ZwMm3bwf_xxlV zso;Ws!Ux-d^Gr8@kR5I%1wk2``k8~#W<@2TRM`<2c zY6{dto?<$jHcv8{Y)Pq>vW*K}BH^b)UbuRFRslD?p})n6u|{d(GU%t-O>hrKZFvGN z?B;68Z5iQYjbzAZmwM(jBIf0p_6=`?zLsH4x1U6GWMT=gIYe6q{Nk`*2A9Y8f+L&M zm}uR9)1!nG`<3U+nkgi8SBK>8U5HmO4`HPeaAZ`N@ATEx!KtdZ{LO?rCcY4goO;-( z<`#Mc89urT$;W}|#o|Vf1tb0pWbX7mMKDPCDdPvj7}_WlICuGmFzuG9MLioWW%CP+ zNzyKjkW(8ZOFkZxfcrc4k{6PYsjNd5@HCtX3{)Gdx7SJ)2j>GT7B18xBMK=Z)jZBe z)XZ?FM|>w5)f`n(NG36DHJYX{@t)9g$wu|!*!57uR?%RkIL?|}{O!%4HhOfUx9<|g zdRJFa;0F@U8(Kx3+~`Odf$UU+zD8V6+ej<88>j9szUQ+F6)7(4@=6R*e)R29iS1_m zi2Oo68mhE+@SYK?j!tAOA@}e9r00L{dn^u}uR@fzYOr)5J_P!2Tb1W%9D(G{j+vlI zTLu}LbA@`S;$Wje;;ZS4H@;u{^*+)`Hn4~^gwofVkIj3d)%4Oga*pk&w|8yB)E4^Hg}#n9@GH!OxKOgwjHB&tJkBN%U;6dJ2mCGu zlJ9%}URx#~h=0V&{S8=`81_;!;wp?y1_>=Y&S$9IQ?p;e$TZ2+G|rwk4Ss{km#dk9 
zdGE#uMS%dDQ>YY3O`W>1pw%FaEp(=PD7bb(nYSFYGv9&Re& zY^of!YKxb1+8%xSrm6QeRa1dt&L4h#Co*<->^>tgSp5GXJ*AVB#XxWl+<(*aX;|yD ztSSl?<<21q)nUmlS4)fx5Pmml8`W_P#XhRw_MtR z;kijKxC*MkUQ9{^nLIwf>?+zrn@osS%>5p zjzaIG*rX?T#`)}I*Q>=TId>yRsnR*HGq@=i=}>|YgTGU+s!(cf?iDG+l}rymRen>y zM5%00+6mUJDgLF804H^2%jT|`QQk{Musng)`%>MrMq`f zRtA80$=RS{T`Q{uP#db~Au^dTD}(PzQ#V@1^8K{=$<00))+9-%S|0?i+vk42q-8O& zbRdQg&nll=(_uN1AAndw@J5v~NQMhz-$U4=8)=wE+k}_psyJKnSn(Y(ZBebVc*HVt zDMcUqDs7tb1x&nXac*Ui0o{Uu!p0QEiJ2$bgnQQA6JXgCvr(f+&lE9P38-~`v%0O% zQPzlB53ztz<`6<8$iId2&h+>0?43YEl?&rL6AHt=F%o2dh5U4Py>{g+s%r4KOPGwg z*q)b!LdlDXJ!btOPg0YzDB+kD{oxu}-TK{(&WusV4WvClz zMavGV`9S~CJSuYH--a3(Xn0e$>*elhXYdr)*^3^}bH#`aMB;F3VjS>l7?UJO@)J`X zr(W$Ax(s4rcKP~4}Qy)f9g0wFw#MmXIgDgQYPYKU@q%DH-l8hw08cz z+;qLj<^ETB{tn51zu@mX|`Ay}CHiCrdEjaq=JP6keU?ghWk%vuUOPQRR5v(RHqUCcYN0OM3%&(InH>$`MFa4=G9M6U?9UnEgIZaWEPQ_&k4nGeT;i zc@kx+4SpjSh;CeAn@QZ2UbxnY#19t(Eft;eaEdvpwSEZXg-^eG%I>=(=L%JTw>#SK zsD57}vu~}?csFIUw2*u*y2&nn_M|`x$DGFG^)mL3*oCjjdJEBnk$ne2*P}0sY<(cI zGFh0r%8lBZBaW^Mu=qid|A?Vwv-9BZeO+Qm_=)L%$lR|>3VPEPcYy&tu>v{0b)^*5}Q?Iezll2xp98YIp#y0cJWM(Ah87D^;g_kYSm{`ISK zzX2Er1PqES4IBUt0|f~I0t|`<3<&~?4h#YWj1L5i5%^U;ste7QlrSYH!ZcU{^*^lg z*%P;p?2Txp*Y>kJ_N2G42j6o`A|h0~-PtuVfJwpNoJmdG{!AA`%S_Z`kV5!R53cqZn={5Oz3UBMWyKtT}K=(n`&X(L>V$#5EMKR25K#ZQ4Y7~ffis8XTqIE6e@aO8|5m)eC7!H>0LB9Pw~EiiusC20tS?UF z#@~cKv!9L%*QuwE2v zDs}LP(3WY?#ucSTp$GJSy#Zj@h&6r%ud%pY*gd=|O-1uI!wctDEo}9j0@WDHdi=<# zFly33@r#I1zX}cLWZt6U&G>|OEeUP;;Q>=l9}vC7PXfpu>$1^$SnV)12Th@JEn5GR z^m-JowJT|4jW@EyU3af3GX|)sI7FeX6Hv% zeCd+D&}Ct@&in&v{01~-jx zY`_>6X0xtpT^+7u@)ufM@GnVmxiq4sq%-uqi(JU+yyT_L3DN6=-d*_~JMVjK%F7^v z?0O)F!lA+2WVg+^Tx!1}6ox`-M*!UxglGLP6?;4r zbd_?xUa{@@XQE7OG=gk#O)uGv9&Q3Q#X39`-w~FsmV>b2+P;tM$OMkSwX%fxG_P8} zPngOq%0v%yJ5w%VBFAkF(FnoJd%Fi^4%SJE!^GMq}e^M|ibqz(%OPvYWK(akJ>&fhw8w3PYb1tKjM>1{%AI740X((>qeof?lTr3PQ! 
zaq7$cSE}oy888m?Br|G$FWUx4zkM)#`|#)>0#jnjp=YqY~Z!&d^??sx}aSLB4J(BxKl%!7=w_M#6gS9!*jQ$_JXDv zUU~tJVO!Mw-Jk%6R2NMg76}#NSjoa?F20BP@I2wfVynn|>80wWCWEK$1k8n_=Oyhq z9OaR5_*x)#jAq(`Xq{E_(`4L?5a+!<>v4Fpv_!j~))PJqq_v~C}Di1%R`lQ6r; zJ8rBiPKq6!yfmX^M8lvm+0I}S+J?XbWEI!6gv$t3D5a{-$KG+z?tQ|CVgT#V_|76p z1%G+L1>RQ9sDdPqfy2oj6-CeIn{yM_3|OFpo{V;5G9HHhQ3hA#nwcH^Bzh6L zgITgha?&KgoqPtOSQyngZH;jK19qG8qqd06-smjpTQ3Lq?1p31gz6zygHW@~zj`R@ z2!82tXau}9@lnYD!-oh+ZWS>T!`Y&xlMV$@Pja2Al1Hjlk*FtC)tc*T^g~s}11r=H zM<{pxyu;9qy${e*5LC%q8+Ar9L0mPU*<6a^{Na5|N_C%w%H>RPa<$swD;nnJtQ$iX zD$N6#)^t?)r-IdmYy4={E(eUM?eZZEAO!bQ z-HMZ)82oLpCV+BKnYYMvjXy3G=$GAle||W}xbKF5nvjX`*jQVrRHxMLqG5GqdT7?@ zCOxL_ursC9r1~xHU@dBHL9T5A#@i0z;HpAU*Tyj#uSWNYt;)%E6QpTxh1Y4de8Vr_ ztIu$_o`|MRqu3IAJsm2 zA(K~%$ZoP{k02omdez&MLxnI1)go>k?&mL-qt6n9U)X-|HfIWf+F`ENtPU>;FA}zz z#q}z?kn{t$YMg1O^ctnUQlK#$+y1{MxnysaIuh+f_{;tL^w+gA`z8&WkV8T$xyl#4 zNI&Dx#*R>J=+WL}*-*^(T&$q^ywgy-FznSuv))}KStAenDMAPJKN2*6A;$T8i}uG+ z29?-U<499GVvg!6Y1tR;k`!$W^!13T`r||sy3uqU*_Gx{TdY~9N9p@Rl4%E19_=1T z&+x{TxLDW7Gfj6WD$u{5rt+??Yk)t}%C3Z5PtVD}w+|DkoonKO{2R-)|8|%eO?>PrtKhDX7WNPpzmRYX9|cJvDt)v~}|?#EAD zYx-iM4ZX^fl2axwQRK$By3cyA{gQ`ML<5O+D?@EhG5h#4-I)ulJ_AV;%cuqY90E3* z+d@V=!400F!FliyGZG>>{Prxdx5bw@Z!$>8)M#@1mG5<_=8^vLZWC9U-*-qXqHk){ zw)%+~*@Ux1QnVd^ypz_A^MS+oSf?bg+Wgs5I;O^#i!YQ)!mO}>lpB~79t;GDPC0@1 z${baT%LD8*9xZ?4hQ1;hRe0vAN_i7B*S2ZAC<(6^o5i_$C|`3K8;2Px#%H?*iH|Qm ze2%zCdeYW2tz?(z5m6AY`_Pr5qV~Q&8MEN!Oretw?l>3%`=hPRMD9hP41F3g#Fha` zI0c?}En|C9`0e9FJ`?!_e@I0FxJ&r(vq&B9PbZhm7DJuCX)UWJBqQ z$jx-Im*_+{@SsW28>O@BNvwuh4K~fC&$^1;vHIN<^untIOzrt3aI>hAg{E+^Po{!m zvwn2OcQ0mXHNO_ALngGatMFKpdx*6PF?R^UDo6a5hf;j8KkLw&!e&CCYU4RZN4T%z zz1LiD@t&i}+_^E-2h;$QM!jPjoi_g)@1~$AquMo*1o^I&Upbi5@J*bIDxJ(A{edz# z$Yau}p#i#@S!V{)-eJ)V?lcU?Ve{?$X-VfRZ9>SLh&Az;keab`q7 z6a4$A(9BPERt6TY#b~7LX-NN2E#MdY?^RrTlN+9XsUXkvqM&tJMo zhXNJCk|U@~%24yWhLvIps>(=) z)<+AM^|}lG7Qwg)8zP1U2<;$r*I^MaZL4H&y>dtq@+FCl&?Gdss3kHo?s+AkQADqN z@jHdF1y+}vg{^D=$QbYh=Bx>J48oS*)YHQ-q#88+&7TWzJTs#`#xRZ8 
zK0-5SxC5y2G$t_}R)#pgPbk8N-`gy30EP0Q0XzqCM7l!&K;h!ke&a?DZMyJ!*@M~V z!A>(yh*(4wySYX)V=}HEi%TXA8G&>PE*zIc>plL|o(IalyXv|2Z)qwrnc6-by7Z)X zgG{HXT|Fy)Iut>}i5-rK-}x?8j3i)Wa0Slz@fZn%wZ*mJWSQmnnEHD zGZ#4!(QlW=%fT@w&`Aha1@JA7!^v9VyPTt}DH;mxv$y_t)hMlF=5!);ea!PtyX4X-3?ebssjx#1ngj z_)~CN4`xfXrpt_}xqLIcPmBBIa%cO2`1-2w+}9u@hf1e*p=;1zr84HhLSX9BjVxNu zWq2Jkp?aaR;?LzySF0|MO7*zW&bl6DJ5N2XJb)=ny82ed0t&i3{RI60qc;`L_1;dD zY#S_v@UI>!2-{zJlnvX)&Q-^9tE(Y=O5YDw+Skv>%eF}?$}r^AF0T-jwH0LTw_7FN zxM6yu+}T zsKxr6Ym5GtKd@8k=)-I*MBD(54kaJ37xOuDPc~63A}5;)4_%iA6ur-gD)!ug4SO99 zU{lu|J~8+3yQt@Rsdx#fb?OeJYjaskb|id5z^<7V(P_ky`U&T}A7Z>Yag8F^gBzE#9S+vyGqqG$BSD7&e-EON$531 z2ZWLinq=>9rDUgAzjpAZm_2ZJh3eX|Ydo1vUgQaD<~jrANxjbrJ`AgrGJIb(IHyAL zo2NsR?8+P8@tZz8ZYMOZ)P8wd@i4g4=+1-_O71_ zA`jMQXBKR+$Tjd5R_ge0|2Req@>c~cd)(fu&I%(u?5w1oov&=1dGWJ|?FHA3pg55`pg;;q z=Ul~RnEXQ&{RdeBO1c%lmAn+4l|wIC6xb>L%2Ish-i$=42Z+DweK8;Xn@e9{amNYAgTIK)HgLM8&kK2~znC1Ylvh5;-58~FAQ#9in7TUuXPK~`E zh48r_Ou<2{BM{0RIgR>FcOAT0{0EL)anoE(U|DNkTQLPhEUd{6&}faZxm=u+EiNCw zr%S9a{UBW(<~hXq?Hr25nIWG-O)1&(kG}V@JYGGSNMzi?zzt$xiMx@^L38XoOwK_Z z(jL({^Ii;a5YxU|6;o=koa{OYU|8dY;x-v26+5gh;+DqD=PG77L`L!3Cc^@0QN?WK z%aj3$`?tf89#~?M+P#!Xx4ZD&XN}(D6hhq8)bT*-+6;R?lpUfZ3*1c(0h#~teD<1W z&GK<;O46o~Nlnv&#Q;)`wGNzVi1B{%vu% z0WV{9glbwbygFT0l#R*L5GW+uO>LcFhNwx%NBT)`7|sBF#Oa;1;m0SzGI4P13)v%6 zIv}?D4zNI9pei@ca%49XXd)x{ouVQXBV7K`K`$k0&-a#8Q#+HL0g-w#6=#CDkMx-j zO7Xp4XdTb&G%RJS1@iE!3oirPC*jU3&U}bJ*w>p8eUojzW0rAz1N@sK*u=n=_2^wM zo~^zIA6JpKfjC>ZRoLv7mXaz>>zhogg_~6;@_Wjz}6Le z+xVZjS7}Nm0?X@fxgMq-s>_P0Ud9qWA^X*d4h*8JJ@s=}=ijP){18dOpa9jq^(FV?IEGZW+t}V6&3mkBvKXx8au{`~(%^oR zddJ#mrdu`CNgT}z^{2hyIr@9vso(t>38YwEJYYH&aexKiH_XVS)W#wTw<>E^2!(*e)I}|SaQDmmDb7R!+3^}{4kO`82Y7yJmYhGp>pQ!O8nM4nd=;pPqM=+b z4ErJbfJ)1sMA~&57;q94cThlxtTa!ALuY>^%eNzBV=D8xGjci>k|MHy^)Tok`|2Jb zAe+i$!@FS%@CYAFI%C{89UTUBI&mffe)J8*hH|L%c90g}|b-WgJ@Mc#T1 zdPaft)=DP~uCn{Az_yUs$D-WfeVT8LsD9gY{QMDx7|AV9v57Wi7+aq6EpWSqm5!q> zd#mPQvT8nW@%a(b{cSiSC%^e#4LhR_SdJRw<&sDgJ|wQZ2vU(?rzSL})UK{I9nqjO 
zY$UVe9b`PW2eUB`Rc)m&zLLUC3?V~F&4Rl6{_o-vHhsd7C)h9{cpttQP}2^4H(Qc= z>i@D%)c<;pZ{Gi+=Lh1Qur>A5{Jpt31;P<8Q+$~+2V|Rpwrau~OJOz9Mi^9D?lKr| z-}-RKIf%0WdtskTQ!GuunK0UwE{9g;(MaH~wFVaY{3rPp{@$f^+RtA$ER_weH{luq z!~riql$&AHi6P9+ZT{G~oI>;*j~fY5qFt!F79G}6c*kIAZ@h(V7|8g_IQhZyP(=_g zEXLD_{;P+Jqw$v>BV5m^pJ-vtD7^?DEPYq1M*YFI~$^An_nhCMA`RPDZ6Wd`^@R0>yim>PEOaemT)52Kp8$N~iSphcF-uOUs*1 zSRG0Hn5Gh|AzhQ1uy^DtcCC25TXYK)L1M1bxUs6aYCo3V_(hCGSolL_h;|srd|E6f zUEXXFI$gJ(p@x{FasrERU33)xp)m46`{ev2&)?hyN7>EPZ`h!kUTNbdkW1?z%+Nf5TWxA|kOrAZq>}4vG%!sjJkDAw20Wz8*NjA!(x#g= z;s3#)I2>f4=R1H2dvu~^U|f?tmoFZ7?Vb7Cm}a69wJ4wuc}e&X)sFy({Bgi7FM zG}{5_72low7xCpuBr#8f%+QAC8D>ZAV5p{Ri`hN5>_390dmGXgf*#tj(yhCs>(`go zp4Zk?VIHk$~eEpg1c)x*I=1y{K5XFL1jf8THI?) zO2JrflYKS3An|#~N}*9t-dx*l9xEBqHG3wqjSs1y%UmH7sP1A$b&pWclPMJSOL;GT zZ;sc-LF(rao4;qArK)>w_LEwJ`N#(RXPi~L$M!x6fE|6W}H|GvPB?j$I1YOYKcSEC+M=%sX(%`}f(biY;<9$@iR?Ni5 z;0vf1c+M zd@~$BuK!`4fm47G#@9bqK{oKo6$?@R6Px#PX~VYZCPRIghkD`gs$RhR>A6+$g%z({ zE)LrY8+@K|sy?s_{Zej*_D5{o^%$|DlTfj=cT3Em8oC@8VfO_p)28A@zLxi)1;`Z*=Qk<)uB^){jdk)sXAZCgh#6q(b))00_sfePs zAWF_foxN>qbcO1Rk2QFTcJ|a|Z85K!ZqS?ti>Y@ajO-eqo3UL9$)_*;mmdFp+PW$D zOOM9v-^9Q(?Pm6O2p_Z)q5z9zj{xCo`2s4~Hi`M&>*|k1W~Ej5z|Y_7FFsb10dhlP zC$&vVltExz?(!r=qe>1y)IOYf)D#{uwndS2VW>2axdm=gt9#L?BJwuEAWPL19>`SfW=y0M+hyNjrA2>AI5 znm|RKPCAWvG~|{Vkns0n;3$u7w>BT)et_)m_=z@J2D^ZAXH;62aXP84_{Ne@Ow#~# zAvlNGRqX0GYlP88x#Bq ziIFERNv-N>tnp0sgLr7dILR(v$Lq-dGl!gW)dK6fn*!PbrC(YpU@;B#_cT{VpXqUg ztNH~t@%@5K6omX@Y)(?YSmK(2A7p=Usj8f-x29LI>iTbcHI?fUR>UQgvy++cKI}nb zY+&ZpUZ!x3~eE|3yv(1pNN3r9DAxd>hAUh8ycQbSgkQ@#Hn&zbLZBd ze0}vT=`U!(vx*Q^_LNtk)W9@BQuD-=UFA?q_B22P)-ip{IV4?mE}`6*!^bvV3XRk_ zWouru)SOOgSBt-8I1SXL;lbTt_E{P~?XQ$xF*JW90q%)W>>@A==O9?b+H)M%ea}J4 zx9X-VIA$&!#8RbXJxz`Kt5YU2{p{as+0Gdo#nW3|ae{D97KX58tY|&6B{;!Kn6M;I zvsk-qJvKi5U%Hl~$_O<~IkFFmSAx&yk=s^~SWN z>pQMN&5&DA#d&^n(j%TCxEEQhDUik{hSq4Q6q-Xuo0ATuD zBuPI}`k??-h_{5J63D8$Bl~i`i9+ue)}hUGIfJ~{;XW-{@YvE(*lBwGE>n(8e|;V4uf=hf#jgiU2j=G1GV(p2jBh~lQU}?4e*#>uRRMuQt)Hy1U0vPFt2MrG=UM}j(BKoBfcmQO 
z4*+-)k)M)X>Fh(ppmgZl>ue6mGE(uL?DJMc!$qR#t`(d(kel_3#yRzyaKAqsfRp|p3|rAG*cy2k8J9sR{!#6-jp z6av=ZYHs0fiqr`l{EKblUu?~|Q}2C0!FjZMPH1LtyC2bRcH^A7*)?d*0z1MwiA3!jtltoY(95L#d-ufx8efQ@(h3>1%=sP!od#=lQWMdcOAf5(s$4;j#9~-M)Saz<1oGZA&dzSRUO_7N7 zZ`as*=1rCJ4NEWGib>GrA2Je7Ip;aKs2n>HLnva0{;!q|(Cm`{HoxBrxBih;_k*w^-+w=Rj8deVP0j@oO<&*6qH5mnR8giJJeV$A8^C z)9Cxp#TN42VYd=d!b@;igm*MSK}ZP8Pw+_Oo7Od)Kj#^!!W8AVWd}ngPz>d6XOWxu zd_FeD+xnYWV+rsdrgFgdvfDh4cx=&S2UAZSgE^`y_5p*ZCCf2}=g@mU#@6Mm0KBnB z;*~^1lsO>LJyfLDb5vX^4hoh0;cAv{_JeVxpux33DM=GGZ@H3BSu&bg2>FV zmU*ia9zb8A3URuLo<;){|6M^oPte7DtK7pb4B~5$UJtWvwpvoZAuw?Yp@F~ANV1A! z+k?j~$kt~)UNknU&gOS0wJ=Lt)x~3WnUDt&b;UcJ^m~x9_?@T|gT7(~DmreIzcgV_ zvDD@;9D?6CvutLIRA;! z;#V^ItU!1a{J!dUNFU@9Rn(N$@aeeP243IkNU862eW05H7eI1i1E*kzo{5M|a%w+! zCBU@J*(b_D@DTAo^f-h5>K=k!7h%z0dOw?95k5G$hC?@aadCepLDIXCjnMQz3V6YW zyh|<4kc3i^#k@K}Zm3*Nd(1HZmQG!aCx#vQ;V@S2VOt+K05IPwHL@cIIb#X75F*ws zY&|6ONtnHhG)fZi;LivzlTKOWz?3`$fgGc+>$qn{$9c~ez08ATS{ZdA#CjJf+Lstr5|qRm3un^mG04ioCgb#*X6x0r z*=V;AR?+$wk|iViVOX5AL*MUrTNGOTC&z^Kz=rkLy9J)(S8vV!hD13>$iMi+9jGg;&4~;Fd}g=R{yOjt=y5>cxRa zFgO$W<0WUR?aD%hKzXEvKA+8g;O}1ACpZ|YM=lLDG6;9FvG0;C#>Lv|Oj=(vV3s^&JqjE7=k^03tMbynK;=sU5b-{xDLaqG-tqmaV6 zYG4xsyx}n7r378IV@L`U#@P>eL4_!LA_h*Ys*rT&yDnDsi2Oh)Xz;ZmA(i%km)`LrW@N62lRT~izo)i5*@(6rg`-mm zEkE@2DHQakB2r^;`g5#%`Zr~~ANRZIwhyIS7ITd+W(e?1$f$^wGowIXVC|~Uh11sp z$=vbHFxrT7dUBz4NWDErD4c1KFO1jjSb|0=cSdV_qOuPTV{kZ*Eu1-o-C!qK!!u7z zj~z8BQ>ZBIvtQZDqx4Pl)(?+>!C&;5+qT_GqDAlbgkaRou|wQPsD&>M1gl7GC9>Pk zPdT&53ZN`gf6Oux4K%YYOXdrlg*)S?o1nxD1}iAi8i1R~L)YED-`=gfhQ4*$DuaAK_TMf9n6!!Zy&lYyc$CA)eo785;1kxKZ1e)^r~ie zLJetY`=VHQNXmLW7=Uc4X2eP=^;y9X>w@C~>7;L&tqfpp{2Vwoxpvh*+MBQR`duDK z|NX#`0zSy^^5_CA)O%6lkvWSY0Q}}at_7}%0;+54$GTC%62Em8GgA5O*yM9+2Ddk| zhAqqQQS!o@(*`TWysMh>NN*xz_q2l{_c^=xAR2JfJU$79rfcTBSDsucCE~76WsQnX~-^*P)zBS`7-3ng!;}-G;i(99?dFBe+p7#%)_weY*je zlwt8GE2s{O!jZeTH{<){pvbm{Q7gtdI?AO~%FdGFi8B}80fJX{Rv2a8}MD0o=xx3!s1%ktR?m)KHGQc>Y zTQY_UXIQo*NG$HB9L^8}A`g(YxCces+fba{S4vmJT1w<29iapH>lM)H6bkD*Ow!dU 
zu>7r0)!!Kq*jKkruaI@CHLynw4t(Yk=TckDh>{dq6xH<9RoA}Ls z)q_DDY8tOWx?ouC+ro}}slXLbPEPR9fxkEHlFeN~GNu+L^>GQsNwQrE*x)27t)kme zw!R0+CSkdR8HIGq3qm}4T1~VikxMMb24dIqFtY6B&UU8?lRN^_>_xZt->M)(IY_u` zXlTuw3ihnEV`WBOP-~A!V&}s#D^<`Zj_8BGE9>~mR2zt0|IGuJNIiuBQ;GC6yeV*B zQvh5pfyQf_*7RcDCkhT9~L7snL?;Jv`t~V zixlcn%~a?z%5WEqN2Qd+Gt1$|d;N4QtM4s6;+zNyGlP*{Q+FbXobEA@_0u_BELvUC zA&2X%;n`6Bl{GX$Zp_w`%#$31+gXq?N+r-Q!|(@A#3_Ad;=o{>O>793T|6au6Qc@; z!paE9#~i4Z0R8h|celvyaO?1i%rx4I!K^j7-uSQfDxoYq%Yfj=g5C|#S{o4NzFPQ} zEaA>I!rlI z_-D=PfRo@{04$s(>z-(vu+SIw++F=tWKurK^3aGs%R?rB`uEi%ITnv}2@i;x+!Ov4 zU8X)BH&pTF6LTHrcqn5C{Y5IP0O-9uE7#|GPL*J`JViyIRPL2(rY=5m^Hk#4G5sqf zv=Xv)`dy6D_EKb2kv#|0JCRSC7unMiO*EM@f@NRae}PVN?RR^?wzg(R_zm9%*SLZl z9|Y3yNOxJb)^~HHBubHDp9wODT=xsy1!1fsvimpVo4Gxws75nhQANOS-=A$BlZJr` z%8^u4!D0{dK8OVXH)e5a;+87_-?zsb2W$Z zO(SzxQ#*A^5ynAI)M@Aq?#qQ6nb;jdcYv}SD#<{F>$UPvlfyM^%q$7VBf{25B3Za~ z{xI7yg9n+fGPoN%#t^7Lf>Nd-&tTjhTj4++=jb)#h4hU+0n4bz!qS-B`~>kHDcjvQ z$3G@7PpE=4khE`5GD^CF40=Yauix0FAR=9+*|`EGWs^fN9$xTRzQ359-JZ_8l~9`3 zzNKHqYmp#^;om5xb`U$hvrKt1;`qpMY(2$Uvu!zH;GZ?gO}7DgkvQkd3rG?? z6`v3Y30Es_zvO)K2U8pqYFnZcfuu=3oMWT+BMa`-?t9Pb*O%XKwXm(M&hj}&@>5q9vaptHo5`E z_G!uFA}@~IfH~bg_LU@RaA$HbEt(#(=6^u~La#t1my`4D0Mh=(w&#dkkVg*xJ{#W! z8D5h6#zk4{OEgQKMFUg1VU_X4t0kGrRuO%pAG?l*#WD1%R>2bVtfPxVFWKh(2me78 z_4_J>gu*v43*5QnRWfhf0s4LNB3`(IctM(gpsrA=IPZee2@%Z8mgGyNX>Mux+B9H% zy>Xk2{FHnr3C;K&VKzyt3QtIIH1w3DkuOsCybHydFdp}g_3N2tf?iP0St|wiw_9bljz|EPeT|7hw<54X5u=%S_G%S(^ zpiP;b9LLT4SsveZ{xc#7V%_sd(QO>owd&)>);mA~xpn$fpRuFv^+bGB-UWP9h%fJy zX&BXj!MvqdRBJmNVmbz-+$^~_9Gp7)33QyR-2u*|!~T)dC?W5FFsoL>I~IIOZVP)p zR-cy)g*&@!`}Wu=LQJ!hTOSV?ZBJ|s7cm{>f-Fj>x&OUmr@JPlPd)52DV$Lf+mKl^q}Q6gu7#rvXxia2}_@! 
z@?$uZ&37MNbY)Xw3%lD-)slx^V8As!QJbZ76T6toE+9f{o^^TwH_n2ynHv= zJY6S)@SvFZyY~gLK1nm?xJok}ZL0jVk;tD6cxezGE9>`zm9i!?;8^8PQ+iT+Llnb`zepErXc>N8hpFZB75g~3EmFECihSFY*sKKO zYA&CC#g0|QnYu79Y|;S`GvRpVueyxB?Qh?a-kOe@G*I}go(!k3ZN=vjdxLFK1Ydv+ z6)Y!~lV*&ybc*pSP^)p+-}@dt?C@F8jXG{zCWa=H_C1JV({6qndrCp0Ao6j8aH%^n zUCT6(@Kb%D*-BDrUr=$I-{*QzwEH(|_oaccbuZ#^jt!gY^|+HAAj4jKMZ(aeaHa3^ z%rB4+3ybi>fjAd3)y#!aFNf%EsZH%Y!ad6j39T-*MR9YK~?R{e}^1F6YUIIV_-JYm`8|AK9#ln01KmidrN4_y`i$=|DQ1zw09~@fo?7 z?b_Y*ljAlH>6Toi@GWTZmx@l!!!ea>?e7TDRc7I0bnr{$uYI!j0PePlrq@}zLyphR zt+D?4m$E}Y$jiYVfX&=PZj>i_y5|u#uKE4xv9b7@kh{?P2X>u4W2XLe2kcluK2S(< zFH?A`K{-|=xm5$Zfs6K#>y7|bGZr;ROw{VzW`=PqA3WI*9N;%Nu?!t)e3l(Y7%kqt ze%}U>=BcE_zop&Mk1TmekyTM=wCYE*e%!Df$RXn;Hks#R!x)ja8!c!}_R3<@LlTID zCw2f~E&7Q)qi90tjc2zopT+k2ORT1_>uoCs#YKv11=*(?0lvcT9UXPp>Ssmxc7H-T zR%0mBAlu^O0h>mhI9dJ)sPZwOA+vR?b|XFl#pM|)elAQu6{DRo8(XA|gT5f);bUQo z+Nyf^VgN;&Qzqht=Tp4w4j9FpQssP!p(`I7j#`#V;x$q6Ja^!0^8&LGzc;dt?t zk&(cQ5Z#7G74?N&%&Z&_qBhP^4laQ&CuLbeop#RhP%E%@*VJ2%yO@Xya6V~+P=| z{wxm#XzkzSp^)QNUhGHH3KjFQ-vd(*-+nALSBz7>C3|k7K_}iE9Pj!?Vm88!%~V#N zw4v0NsfyMwrjIMG@ul46_qn#ia$tRS!)jv^$3~TnP5xQb!rHrUj zMo!6xA99D_h}OFKMNKiv_x;9*hxPjpZ@C}yL1RYWsQ8&cM>A`E$a!(F@HwKLsA&4R zf1sD8F_WZUwGSu#Y`?m6klMhIzdvZds6L;0zqMdM74E?~SSGlTl0GjPLMyx z*~#7sZ6fQ-H2h9);l5w48RSgus@C4-aaRiM7T)0QQ}nvz1m|(xkF`?CmsTtgZ;Qg3 zK50+Q2CX^4C|*g0Dm@q*H9RV6)y&khgXal1+{0pejKGjfL!N) zDR6?HKj4l1HWVx0&+MN!-|7|82*&J@T1t&tF8;GbOHjn~Ua;#+l9XC0w=LyP#tGav z7vlntW}3t;*}itD8CsKAh)p=grYn0po@$wiAK|O#g&OQMb8e`1C&3-AhHUezkV~So zJT}}XM15*1M^X=-^iFd{W$wqlfcF4$jF?w$G@a4sG-YGrsYNcKImvdj^9mBT;jYK4 zxImUOa{4pbafT^RYWBmMO1w#1EyMO^1g~%y^BYiTcjYTebUqBhsfN0y^qHs67k8+F z(g(;^9Oscj>QUb_bP4{eJpLKy_MacsGggP9mr8{^fh*zPHQ_R=an=S;q+PJlnHWE_ zCC?Wk$&FXcS{f|z1xLCiEnyG^;hF72?6d_fkkZvPpe?6(sTOqWg%w{NI+Me=?w?Dt{}|9C>5_w;tpDOUzUeF~>ifL8A)LIu}P{`D|D~+rG zo9zI@%&L1 zJLx!*2sgNFGkV>ttUl2sK0jy@`WlX7I~Q(s=WsdmojAVhg@CRCeM^Xt-U5}zzej4n zq+_#%=t_6Vy}B_kG6<(LsvXxH!D0z?PObW_`u2hO3DUEUu`B-JZ1$PLpB 
zm*YkW;p!bdsN-d^eq_g~B-vNaR)-it|Ba!nV0e&(l0}|g{emj8uXvV45OlFYqs@Ar z5P&LH7ZA)mhyiC7u>z*6v9sLSDL|`P7uniV`4d$&#=;(s*}0bfjVlVQl)4z#AeL=s zur@Lx?k6O#jEDI77B(ai-0kvb`akTXnZd35kbTFoFPjoxS|hTU%)St6ZN2d%mV zwv8o~EMED~fzT9da*QR%SGIRAJyOpMxZ_$Ip$V*S>M!AMy_ZDPzBE&HiAXwMqjgU&63kOSZEDp0iaPJ< z|H78bIsfQ8p-nMg&4(Sns(4U_FPB9KhW*^0z>IXk#rRF<3^)V4&llaw?bi&&B~}Bo z!@65DrGcEP8iT2TkkfHU7z8^JtCsWp_|>h2^^0w?tRL!FkF^!0lK-h`|SraI`20BbNzY zJAMo)C0b{EeJ{aCB|k|fNn_+(_Ta;Q&RX|Y(?q>1ek(K~GETtWAh2tJ=)jViZdnh1 zgRxL##|IWu>D>NFnc5A@b-s6uDt$AI!zRKeHn#@(q<_2WxSGI86 z(1b_$$K!gr2efrUSc#D}xf&n^bBR9^sUlhSy z?Ro;w2v_&%@!^g)p$wIjT#5?laJl778kCuk5HHmUBS;t8M5X4itIZ;Dq`jy{1kEU; zJA0&%jcR4sbF}#;vMJiW1d}nd?;U6FL}?-6_amuVPH6;4SApw{{))77x~8E!9!@$IK7rM$%aUh>*z4i4P<$uG zWI?`YIcBS$*i^Il*)pSC+BlW+@vG)Qh$+Q;uyHBf3i_g2SQZ^VjG$rxO$7h-DybC~V;GU5FjwQ<@|yE61w4LN zdGT>%5tc1$oEv0Yf-p*2a=n;{s`4U z_KZyU;~dWV-~GmBcFfZh1h6s2Y)XceXu$kn5SuL0>YD$nJpR*~D4|h>{=Rzj{B-_m z3=3tx`>`YwKNI>2%V66!E0JnI+uDT;np+FPnUgltlNN8>&5*Gva7vp$V#(j6<9;^g zN^YB2K33)8ifl&eR04l1Yt+&n(4IEMNHKVI_G?ly0qhxZLbg|hdpG!M%DbAK->xI5 zNbcR8$M?P~=?6-nWZigOU5>(FL#M2y$J0g~8&S>8wimGMif%%Zu||ex3(ru1J@x|X`oO{yV@}T= z^j=Nm&Tw3Ux(t#iTe^_e(g7N)$I#dkV8lH_t&EM*zvIu`CDJ)?ND}_$|u!dI2wd?m63EY@3c(3DGQ>Sd}>r zF0}|bs=m$m^U9ung^z?g^wd=0<0epdA^X4f+F1?F5Yo10TnUaBx{N$=KxC$L#R7@= zasOQ&QNPP09Y*sz-bv&q-Ax3*uiBnf31if8B`sjuK9c)enM{Vv^d922?&M>(4!KO~ z(~=T=m~L2~ui^eNYxjMogRw~1!p#jPB2%9E^mq}k+WGVJnoarL5=1+?l_>sU8uqC; zV36@U|U49PKmRIf+2bJ&?c&H*+OxcH@zcE;;tMklJ>Tt8iPAf+;U z+$c%GlkMq-X7aB+JXKuD!zIli4t^U7p4REAWCCX~RD?D?C5i+YOZtKc1^4reRS(DW zkhBd>yGVRt>1DPvhCO!6?$%}*bpx%&S5Y7sSy$!Vmvvx0+ZZtj?7|vl960xl5Y>cj zeXv<^6K|Q4I}(n}u{4@oNZz-(i%|T#C!VLTRiz&|YoqW9RwHe)D8L?eQdF{{sYYKxM6pdZZk+~$GjO^4{#Dltt^iZ)w zW$YV8fpM_54Fp}tZtAH1_wt3YgPpO3j)^&qo|Of62vGNbmiNfPfaR!W@%|nv2962| z3R2dUWeRB6|w33qL^E4fz%wYCeVBHGwYike!9RAX+PFlIt-m4&4UaOEhqyu z$a{f)?v+(k{=RHzA=PDH{2(xJRgsNqk}6$a=^mlR85=LN*k3ZF7okPNnO!~p#r!#j zK^F9wJ;P%Wq94W@94TMK*oi*_XwNd9y10ILcL%brzxthk*I^}qOBbDy2tAJcbt4_W 
z=2RTg%e=&+)TxuP^HFaTthGm82$QiHv#av`hb)p1V*F_iTU^0GBxdRal!-}K_7B)4 zt~vG-LRIqo2*mMqaWOuVncDKGjtUZS3@Jpi*c5B5&2b+{xj);9`QxEKyUo~P_;*Da zC?s$>qY+M(x)%0+o(23DFE@SI_01-;-~@1xvto(}JF+hn7vJF0>=_ZBq6y~XJqLtU zv3Qz6omt7Ki3YmGoUQ~Ec+q>kM)InfX$jd!SC3D zsiQWs;$;B@)=+rGy-~^shxQ(mA}7-exM>N`E+)DFR1(m#xpryRWw zd{bLj;%_q0(}Mhs?6gA@P9~8h7*uFy7FrySV1?RgQjlBrS9gWO{Ll{_t7LT$R;4$mWC#!1e_mk;koweLvq z!fgRP+r3|*VZdD!8x4W-Fa3Grz9#;RwPjK%IhcX{Ho8X7-|bddx5;ZR$6gIT#;@br#W`LoyDPb>veLY(>lCX zQE#?A`Gye#N=^kRbf|wo?V39hIEBq1^gHvQJbp{^>~Y!AVG}LdzQ&>SpXKpaw;5&% z|8D9r$ty?L-hvW0#6d_Q@|}|yn)xw-pbRP<*5VEJ)1z{NsMBf?oU^_@CMCTWy8VZ@@$9(^ z5RsERYweeULvja_Wd){em(;W-7hno=?gV|FL78Xyk1_Xvm|}zwZeGpjOImw;B*j_z zebe)3H83Xnw8oa+O5z7q?DI(xN;+gng7M-63UE2ak^BYqf?huUm=}`R`tHsfIV4ME zu2W`_7X6kgar$}VHso}Lror45JPcR*1_iIv_&d~9i*cTCPE6p?hZi*BSo1v^#nj9j zSmSXwR)Thbykz*8i#aPAWw7*}_Un4M<_OP=-pO>LyeZ=_O;zV^^lH%d#LFa_PSsnk zc$K%apnN36E4ZiqpoHQ+W;U84sa0^4{MI#HKU;l8$xb0wK4_JDDM7?>##4S*nj)2F z98ukPHshS$4b@0eXm7we9&k?kn%z!%S-eDhUING$K&;%?HXXu0j~ z70BbnTW(qAu;f&{rhG8E6ZvbNI0ic8Wf@{Hq4VSiWj9R0+W|dFM1$IX17iPfC;ruK zVjRQ2i>eWYSd(H+_*f7dnAuP^%w#%#soB!f#jy&-CHU-SRo=m+FiC6`YSPxqFHGV& z(85awqbk%nF3l)%N4Xu!AM3AU?@UQ%-4g&DcnUa8I$m40viNI`W zoR(_{y8f-oBwFpME~DX&C<+O)^ksuva=%{zzsf$vl;>(z1K?&?m|dqx`lQU&m?TX) z9`h!6Gv}DaF)oiGIf{-7Mm(C*NWcheLv6j+879h9TIc;1&bN}jNsrqfJjR=c4X>)Z zY-T{!ozJj@_+`VeGnF_Ak+otFZaefrxE+`&c>mBqeK288MEq0lbfZP0Qb+@675NGAt!!$pP1-Z6-m?CA+)44zz1=wL}rHV-=mT(Tr0>a{*$F8=P(SD2Y=B>Uw{|l z$Mw~ihhq%dBCyv{foxk2HKoyT}+ z4T^1^JoxI;O8K$67UNG}nW^|QqHg_C?sit$pDdzi;jwS$)zxPA`OKZ9v7`}&Jbs}X z5noT}{k}q_S%g*egd8>zx;;n{1p!M?+&F{hbaJiL{2UkBpY&=qCZwmwV720aeE82Q z3j)wTHzWV*HrZt0UtlkQM5q*w*R1h6yTs^X?hv7@Mjt1x_uO7beFI=hI=@pzQ*wB= z1z3M#C(^NboE94iZx3?1mlF#cc!l6XPy}hN8qymb)>1s@g0pw7cB?-0JI3Q}AcpdA zou)BXmiu|96PTmp(ofB}u8gln;!tOYZ1Zmi#kKqLeeGE{GXo}&@G#L3+#`*RD#CY<#kt^mBt~_vdp;Ys7)g#w z6U0#AE~TBcHIGUg`|2<=X8TBUD?*9*$z=j0%&cIp<{}fR6D}2W)#T+V$Om30!?k(d z)J-Yav&7a>%1w6`w-P675PFYGj&3a*ew+hA*=szpCA3jsuZmZBUhH8FB5(U}0{^(- 
zZYYq|p1Q1K`CoUNG#}8~zwtF*qyM|}{7_K-M_pV0-Lq`{x4I_$p@Drb@DT}!C}Wcd$JXNXxodrrD7 zXq}h1Uid^H$^g=FIC$T`XlJNyYLnSzYw?_(Wz_zuoc*P)StkLqQh|t+%p{<2Gd;EL z=zw*fW-O@4K5U&Q_qw)$&)^_ktqJ3lIwv3r9VY+tdZhkR*E|FOnWCt}xe)vv8ye{L z0h3&7>`1Q=KB4SBMS!jeVqSM*QnkB8SI@~{1%Ea z=eAg`M~cJ1yNrecz#ldo!v)rj?d`)u%8ODS`n;tVn(f`6IsaDI5Y0c7JlA#mL2i_= zkrPbUSXwa3{q1TQK$f2(?$Kqxv;;FP2D{a`&uC(e^PjrZU+S719UyD9ormxX8x!

KZX8AcH2$&Sl(B>KCxO znx;GiMJkP?A>czY!CUvfS(o|>h8MMBI&E!mq^K15N6ugBn*4_&WyoZv6iXCguur27 zXNaw7#U+qL14so+`c4*P+%O#e6XcGAB2uyA`tY|h^xx-&)L-hFb`&7fg+(o5VVn7< z)2~FGnIoBXl9SpG&B;~DriIYIaVHme!b;|f|7i0er{<5GztlB}&X0GXCLHCyo95TW zCo=8n2j1G(0;_>ZGaecxL0{`6-NShJWRB{LZ2MZ*{Gr9FPhc z%)(YQUYP!ilp=UFbemNNm5u7d@_W9M8Ac-Zvexc7rwtR{M@gj;{v${2vfy{lKkC}0 z4Irz+n*kF+>(o@&*n1AVo27vqgeo17sh^vkus9tfjDsM96D8s6;E=KM^heJ31DD@9 zP-;A9@)A%gj%9#!#Pa2@!7Gzl9Rr)Lb-fus7h4Z4zG?&ia)N^owe(>^pXUYvIG+ET`+Mfc?NuL8FrDRLJ0 zf8_k7w^d^Tvi48MMuYgj{7`-JBO5LicULBFxdUWfGeSS~DH-%mUV4vI-_CpkBchV| zBj+!@%~=_cRo=+KucN+42iZTH`0ed5F!0*6ACMIrT4D}&uE0U8Km~Ss9Vd2ar(66# zIsYgo|LAS?ANAwDLumsW$DX;iZy_9~O@TY4X@>yFs_T4A35^R@V|5ZQQ$OfKF+UMMPf(uklhy?bc1iW^urlkbV;8uG z0d>N{%?}eWA-YXMN2yEbQ{+_Hk#kdeBOTixIT}^}S(^Aqfir~xWGd#Y9t$0z8s2TG z#dOy?Hj4ZRlKl76TI;k>lZyoWB$}{uw|9-6F+a$WrHAr?@!Z z)om+oz+8bkARU#GpGqU|;wC{44I@=Mzj!*VGVYI@zZAIQ57>(VHYaEaSGS-OsnLD* z8!6q+-LU?L-O2D+m2Vk7#nXd9_YI= zXuuEen?$}Cm5=d@nS8<2q&WLs4l0Zm>m1VU6p9S{tAFJDrN9OK0%U5V_K=Do2_CMP zNNFm8ZZPJ>Bd>kb4|!V1q6k%t4g7UwRHiJfV$hsxu*S#v_1}Bs{;k0Mi~~FrBAAzG z!+=vFv9Nw4m3@vbI)ONm7nhMg{eiT}{2PH|4g)-a(ACv51epa5hmLe+n@AzCS6jmH^n70XSy%(;_A~Sa zyxVQMKZDK9Q>Gf^$VpBgUUHNdd&;)*9Iz77XlYy0(e)f{AwUY`zm~F zj(291H(ma6?v)oeFjtr=M#RSQ3CkbwZmlj^=jTd@hW+rJ*ld}fBLRoJOlZDuK!jeD zPp@x_>0dhA{|N#Ife*-IrQ{OQWY?2JxhTe+C5c(IQE`fA1Xn#WLSmA{E%M zWE)gAXf*Jz|N8#{fr}LZWG$Sp)n9Y6U@cVdUf~2{!>@I0C4VraQUW(u-#rtCg~Loz zGF)6k2)k|ne@Ebuy8)T92A>Zs>Vq@zW*Jn~m&*T-jgtMOHF6lY{^YDfL2ONXJX6aO7#l`pnNvbJ_ z84S(($M)`!MCqsB5rBss+~{SohW!)+3a)3d0MX)f>*d(XwH z32#cN+`Ov4^lRUQe;JZPAEYfe-1)u*?)v+sP+#a%cZXf3sCD!-R76hYA-I*jP9-k( zn&6d85Af?rlHbMWuh)iqW=X`!->=xx`(crvOAJ~gR;Gp~iO4{6bGkV$RlmkjpO5gS zY-UsnYK4@4sS9uyw3}E^_z75*X7XTSENzvg%*P{oW5MaoF(J8GJq_LcxO zprl_K@wyLbB~r_;>m1$$%{wmj$Km;>?fD0RJLZIVx16^OC%_B^VOY{qv_p?ly6xVh z6DPy~BmhaAtJ7=uYm;zVfg&?BnL2=4S5rpc-gijI&V5y%M0MIjofA*voSx+^f^F7Q zce2WGU=Cvf!(Q!t6_vuC7u3c<3c&7%gqXyh|59GNSv1DE@J6t|!w1v6lA}sh%U4`1 z7Xtk=D6VnHRIM*2hYT1}UDR@gI+?~@UwwJ5d{$z2>Q=jcPR@W=ktAL70)HXceLu$x 
zj8;!sMTw9#7&!m7_*BU-jCd(z{rq_ZE!mPV+_B7j-&i}*V`3HgfI6QA$gD=c>4MJJeIX{Ku zvg37=GBiRKL!{%6D91`(;3v+z?K6Nzqj!>p255!@l7oZ3k#Czj_(~MhX$fmSskONT zr+%*5xW5@7EH0YIRfp=R{al8v#k#lLBi|Eld9%&sng5h#|FImwT-^R`?h-Bd$BRN+ zPn9p(y6nZmN?RxZ>dmiASiR1?L3`gx1iUH zbpocc`PYzYotp58eHRz@fE3yh{ok zWqJ|_cGe?IDk;o>5cYYeA%iuZ{Ls-xpb`^Vc)OK+JZxT`gwlZ92$*P)yTGmWe1yn3 z3$2kIP$1PXNQx}yG5e9@(vn2CtWSe9l4IS#n#+mfkF+z0IEGt8?`JAX850uc3Gx1m z7(B>_&Z_V04oLXz_(O)g_#|gw8P%2iRnHfaM ztVj0xy&8`~=wT+04a&@jWo$(5yD;Cg__Qw+@cwl&9-!QFIKo~M@+FY^AP*SRIfsQW zuxVp#hgqBas>0!Lfrp~It4Z$7*v>Fuc8p51x&KDsw*UNiPK96r-YqHwY6@TL29C#a z(DHV0cbALga7@%{ar8uvtcTlD3acjVf{P=3LocG^C07~Z z?t>JWZ7rR z7Sro2q^>Ooypi|qWIE<&T&7}U65MEIX84+h`s-n4FA08$3EZs_ZihQQP+&L@>ewYc zF*2Gs`2C+g4qx3Y>{6t6YNtLG+e8UfTq+jQ%rCqmdT{x;*aUFV=|QWndZZHB2_B>9 zir8KGD>+}zfrHtB#UnegYqMyI76(Uks;83QEf8EFS9zUZHYy*U zEx9{DtWwcVbTPmYAo0=f)#5;qyi?|`_;s4A%vDMKM%MFGz-z7$-4=sXk=gq=rVYIg z;J4a`_XyZSqE;x;zDcK`YUwT;4U6N6{Fwh5p3=WgaTe=aYG(rxxfVv2*qg3`MT(0R z2@{XA;PDDl8q+3w#wKAa=3!t`(#%=#qMcvmIcEKM)HS}yA=W?VwRdA{_>(#X$GAz} zeFvuZC@8S9R+hP0WFc3;x3jiouBEVM&48HT^NE|T!#6&{8+39OrwH@6@36_Se9?Z4 zd>*JVfk`!~sJg55alUgSlM205PeOTagO*sjZOiq7H|s6m>YL7etU6HjI3@?2Ahp)B zghNyEr@2PYf#M|B?^JGmQV|s}m6QZsE&`33?!K^_1!o!DGb+V`OH&c#uB%ISW6*9p zTMr<4{7g=PiJed^qijFb6L%mZ4!(z_iBn0rP$#8UISe;qNZANRN%(~wzy6EH0G{i= zmhAouDE^BNGeG%R@K+zR%g>`71*M3CmIHcXL}(Y)<*Q8q*`PU~T47&Q3vxX%xU#G* z4b)|wuJ@EMer*jbGf@%KR2tT{~U{jWcg&Gd))l}s|P>nD)BXB3Ci8|WQbwS*SVC0zTp&0q>NH?-TMeMsCW zWXi8g@8=po&52qjWDqBH#WSTQ3h;*%U*QqGiPfk%YkmY;L4YsMlA?QCTl5On?ElDb zNb@DW+7&Fs_ik9@sktiT@zrI^(ugJ=uqgP(DS}kt1jMXXY9dU_fJbsi_mWj!Rf)b~ z;nNTPYCaFDFj#0a!<=0DF#Y58rwx~CwXr4lckZPXAP8WX=xd$`6FIJ=X7l6zjUhXp z;XDi~I91NVcPafYlmtoX3tkoBu2KB%t~fH_mLdX(m77R%Y<07>h}dGDS@Ljv-|0KQ0!{bmqF}GGVuxE*O^^g3LIq_pe#QqhNNj2Nha`FbK@{Ec-=<0zI<{raF zPOB$g*)Ck34^TKxLyhxk=2bP@ValR{LSWRK3DZd=mz`Jenhr#B<6tA@r{pZlYV{t0 zW77}7!6(tYNqpiSdtUk3QbdOX`;Bd(-HcX`d|lLVyQyUBWYDa9TJ`fRq|>Zl+noVJ z=kv5yCu~xWRxvv)>>4>cql%KQTtnzW73umd*TtuARgV!UJ2*Nux{{_#ZY{cN%S}k+ 
zvt!9{U@B%fT42S}!!i(p!yFF*+w?ITJVun@kiy_B<7dbC6f$>eVm@)_Sw<@lH4e7v zSLPFtM@0!0@h`*nht?ip2S}UjFuyD`V2FuJ_d`sHni!nM!2NtVdSN?7n#%+lkz_8! zzKi07GUDsTeQulepoKHD!)w{EtE_RAaAZfnFpv6XmSEeO0f9b^Z<~4t0AqR+uQ1{^ zP~p71(8t-)eXtK>CYw!73tu8W9tRgiF*(xmyykA#<(UZY1dO6LJwTk%FDa5<@2`d0 zjr2?rQw@{lI$FNrFSSi37?YUwn~g|ZyAvZ@<43JH4+QrOicuA<_R(3wd)fMG2ZL_% z1!@@T%mFcZ)%;l=fAL}T#~%|vB6KYh66KV$4O>ikyrJv%rk9nyiD*1MisVo4%3z_3 z1QxoAO#~ns&X>#LdR;bFpBzc|zt^^hYs8pY>kn=ZHrVXpU8L%EZ*p!LB{<7c8v_wt zbf7!%cwBtpI*<18(6@#q-i^vMdkkz~v4uTE^!CG86!$*IOGz7ia%|Z+rg^>&h{%hl zT6XLf-ceqq3P<%lgK;7$6x}0sUX*C7 zWHnK`{kHrzP-PAT)(0EIg`5y6CL8`T9(R;^2eh370}j{d1=*v3mZG$DXqX9j4bd;% zH-HU!cq;*+Rah5Fhjt+mZTQoky+#u1$S3fg#{3fCpI2UV+N8C}Xct2^NzS)^Pt@(_ zcu~((_yeXD&_T$H>BfTi(@6?^y+O_S*ww;QNif!9Y#kOtR zwr$(CZQH3htLFQ>Pg`@&&9(Nv_T4{W+(+xz82#$~JcQN=)-FXXBHe076LgW%1$fu%^8BENqj0<@d{Rn1pka;iJ@YK<}bu*o7srB|1@n^HS z+}hzn)&z$GYyJ4RYSUk67m2|Et_seATA$}%s0|0%I$JFl`7FN+Q%?0>SxG##LQV>J zv{L%rzWxJ5LWXBTBEzW&vlt_U$w9xj!tb~XnbRwuBTs1fkMnJdtwyV;3(J3;>1q&jRd|J>hy4{k)N`h`k|wH=zfjX10e7q%DpA@$RhcDzw_EG?tG__W6&scCW#1N5>|7o3N(M z#+Jhm5hB)xVeLC<@hAqEac^5vdU968IU^jF3U$yi*?y)rU0XgfM`6R~AL*JxBx2IJ ztFQhYoBWsb0j}UmjCb}o&_Of8HN7*^F(Ad+McmBfO$0zQ-vvk=7Q#rpVAg}fCH5!{ zWn(x`1p_@Y#MyZc>KC=1Tm4MAt@y{6{OC-?3aq^of#m0r`a7PD(fHf6hMN8=PI_mjZ z7nRT7?P0wbcPA%qIw)B-E)>BQUW{~9gPrB-_09fgcLRyetRj8qKPq`(LNDJY6CdMk zUJ<_&UEk|!5bWv61c8J~(S{UwH%gF0#J8W4G1z7n`D zh`bG-(TZ|W6r$YkFH^>zGihQEr0y`v^|YTb6{V9Jc~oCXjLExZsYnIAWZINst2$eY zQD_$Z?xG2%vy7>MvED<*Esdy;_*ZPl%nYAmU zr;yC|0MrFZ!+W&ZgJUyrkm8oWm`mhRwODV*V#QT(%09+g?hf>2EB&VyrarTnn2%oj z;fq^Wn!)NV!8q4NF{DmqI=y}QFXghDtQ%jnD6MwSafzG0iB&6XBy6vMy&7+mk|0U; zAQGurQnXdl>Lx?7i038pU~P2&Jj7ry4Lu~}p9g%!B9DkiXue^fJ%U2nQeY>(@}3IC ztwUhc)W7U?S%7rYsVLgMW!}}nSpNUw@%?{)|0h3zzvJ;QyPO(10>Jc;NUni)gCOHe z12q+;dIbO>jA?7&xdDZ&@_{5#iSKyq%-ua%n&J_p@8O?*BKU;l0=!ieD$gafjoFfN zMqZ2I8@n|hkojyVtRYks7C+xQ=h6z3!Ep=~nRPdIF885Seubb(W$wU)$R+34QsZU4bK`OV>C_7_#> zqx#l9j<7wxh&PVkec_6Icfv5H3=vJrXMKxIOe3Ab^0Px#xCDqFz{I(rI?l6Myoq*E 
zbPbONbAn`e#lfHK1NtpmSU0aNr#_;`phS7}uP&a8Z%M8vx?c2OE&UuiLMXu#e^#Sy zZ`T>L;}(#Mt2rV}!#jW-8#`wnuK}|?^&LPOGw9hX^QOI|!p$uvK-!<^e4@Jf*_?Wk zaFf8FP&{W6dOo{@>%t(w0f^F?ttpe1`&I+p5tWW=Gy@{c;I7+b4-?8=WvV7!i}S(2 zud8**Xo+W`4>saAT9>Z)wi}xB-BVXefD3g4t3mYewJ6LnPwG*DCgTE7gel20;jbOb0H4K^kngk8JIgTY z8ca=~cd}hWoutNnQWmYLIv;wRdIcok7eltE#h6F9&9$V5R676{obTORbS$V^v7L)c7d%FSU zmbs0hjmwRjz5V6Z#msCzjx(lQqbCJ0Dt`Htpc66n!I-8% zm^s#PuD$14d>(5j3yD2JOXekjH28~y>g%JNEASNVCuO3ub}O9^^yQSh9lZo;!kn~s zx&O@zr11L-tfk4OSkd`No5m8tK{PM;DuG?osqp=hpV<1SRkkMC=#fR9Ayf0&w!g9j zr<-J&vMG|7T1fn#{Sl?hyC0$rUCtuG=7v|1jmYl}L}9cPIsPPTPP=F?XSiH7n4rF& zSgwW51vyDPCmr8lik6xt`Hj!?es>A07aX?fADAn@0nigNNpWM_+lE{RYSx{Eshq)J@3vtjQkysf7#{0tKi>3dv)JY zBhvha1Gg)^O5Mj6EJ)j*4|*f#O-$9vwU~R^QcPPAmbq`awYqo{8q=vspV(oQOiQRS zudaVDx_l9kq=~DvqwK2cd1Q$v%Frik1H2nMVhYvlC*)}Ldk1-L)?#%8ANwLQi|M1< z4lh@!K!IT-#^_TAd+Q4BNt%CwG6^s2BkIvU+vbYhR64XdA|Dq-Xi}X6Ohi_ToaW_F zwq5H@uPM2|tVS7}L0|R{1o~YQ@2Kr14}ne2zDr^_SOB0BDN<&ftjHz0-#Oo}?5;yz ztR%NL({f+NFe7K_ zb*dkx5brS#W?c7Y_?WfBPEHF($5uUJ>Xf?gnd<9b#TgDM18sZg% zp)qPf4La*ezF!+CLZOgN(-kXQLEb|tAnR1AI0OTpxW&t%hN6r55STrB(jcDNncLJkR zCkimkX|kClOsrD-VVgg*>euWLw2c+3LSrd=FOgJFb;Ca?JF2cp!5 zfl3k4@Nqe(+OBdE%TvF691wR&gv`B*?TH}YBqwGiFiCKKsg-H^2Oj^l%a!B7f9o)t zTehkqz=pMOvL-UMQ8sQUWEKfwH*8vT30a6Ib!RRd!`J~9>wkCe9x?48v4{_C&Pq;_ zT^v}a59n_&Ut%AQ;F~j;_uM86ft=HiC_qXEsk$@pRX%`wPl0^g8;+l*^j%i2(8{Ic zwuUEJ7qcd%!9*C4rj+^DJQ7juikL02e$IpRYma13{q97Tl2+U4oOQ)TL0A}JT#$#H zf`udq7RFX1r5c6QpgVq(vsBB;c###A6CK(yLzdSx_bkEpH%_I;h`8Zo)Oh){+$Ifw zO@>W`btSJF0eT3^d7lG=?T|F8qm#}wr#SJ`FV?6!>nnp-oAoQ}57Tu=5afPf^N&f* zsT`f!W;5H>Mm3;HD=$XDuTz4*YZP~9nwvT^4_H&9#~;3%(@v#HD`tJ$&7#doOi)>` zZ9NcuTz+2j=IE0lsStIr4F6e>W#vPR0ftP}?O7FG?V3#vgQc{A>!O8~w2OSF_*geU z+c1m|7pq(~y8K1+^IrMe2Rl!kJi_sZ-* zU)d79unP-rz+hk<{yJQ`svbO{t-H1m)bSz zdqdAgBAswtgR99Dx#Ci`d+D+t$q;iRQ=))505bFevEo^%UoJSbUH`k3|DUd@wx7^n z_Yz%cN%q7?h}o6IqdW^xht34 zZybDLEa0{|DRUs;JDnmY1leuNq~Hj?u^pd{zhMdJS1jdhQG`L?V8!o*4=OSz-NGUE zs)fR@_2lwN>`yURWq;#0y3ufpVmc5ad|iJdqu!tg(G{)PKf*Urr?scPRXvHqW>LnT 
z8x3`>H8q*PmLRWS|8iI42l8OlDt*AJ2lPE}5{|2VqPVd9rRCsT3L;ouaqUg~%xZ6%O#0ovRBqfy6 zcE}*UDFL}m-p+ZbN(}(ztM|y%; zm6YWKM^RmE)ckzu0Mu~o3^;!@K1B{t+sgA6#rK5Y+Dqd;wX@4)w8mOcM%~g816M>p z-C3Hl?F?WfJ{@z_A6j{9)Q}_okm!j0%G1 z!cPiVjb58Afavw0$yVz z@KFlqORfZsb_r9}KSrFM9+J)IuRx2_H`>u35l1Mjurpy>2Z%xgzMFZ&uphK<%99ip zhEJ$fDl`<0S^{=7&Fpg7sCE=t2KFslQ(eWiggVeuIgIE7^aXC_qf3z5qgTPN!~3>X1$z80&7K==rH+4h#5FrX!p*8I~6BUzLOtySWkz zzn#C!dt`^lyP#l!_=AV5Q)bf>@Rz6*=TGVxt47j@Mnsb&zx$--xo$Dg7VWO|RkdRq z$6pL`~(sLDVY5okAKMrx6cp&id#_+Pm)Tao)MoIO=~NZ+)Jv;aN#=+XrY7J*B-pW z&mW&W^?&8Kxq}CH{F+lQ$JguoARIi?eFBS?tjHLMZb_ikZQyr3q0_p1|MB?G_h9}wKzuMvbu4o;)+>kUU0Yo}-#aF9)jV9T+TQe$tW-|SA(8;7&K zZHAt$m)(+gNv^{ro;*~GVH`iXt}d>ULp&!h8;X>;PDl*DlZ>~3`0WO|0Czkx`z{{@ zc0mmm>}((HxA?xyQU8v|zvP2FE`RXQe8nvN4qy@&@;vMG_#)7q+Jero^*z}WZ!=mL zR~$aFh2+9734J9oe|qJXspvjrl;{6gESw59VyeA1&XDGgR6pDMEE&k&JvWgrl7gqy zERp_cv2j0cUFp$rqBA^GH!l>^6wwu@Pau^(yYKtu)d{n(2TgC7EYhMYASEZw_A#1I z3lO598M%lvp?yE~0#@2)God%cII3S0a~!+4)505L-aj~L>Q>i|3k%ote54Exp=HZgVo~dnSko~ zBHs?c>M-MXH-9+3dHYYQ=c`y;FZO%Zje~ESecz{~>gUPYdT#`*)oUU8bL(jT!PmaE z`cK+wkRJ}i)Ab30n#7Xg3n3}R?rbMAi`Lg%qOma0;Ohdoc96TtCTsDmZ!ljhp~rQ% zx+}tph%S$+J)q>2({Vic{TpOFe2@u5Bhw*cZ!kh$!ohw0>rbe23SIQ&B(@d%rekBw zQGFgapxpSa8BDD6`60_h*iih0q&>GenKd`8&3ujM&f{`j6dukb9!t!1%p=I9*o`{$ zfyC(8&0vUAPF`+QV)0(R>zthXtC_^ljH!Z}AM+`GBm5)R0Sugs0Uca4AMZf+1I*=D zFM}npTvhH6k@a-d5UF~9$Kzk}LAqi1Z+=(rn8*W;6VQ2aW2MIi%@$kjLZBPOWa*T+ zjF2l|reQF&5Y}EmU?bJf;f`1wB@gOO13f3sT$$F4D&C+I4fo>NyW4yjs2)>vKb&5% z*fL_t!CI;7drU}|>qs%g34u?#3ca5$oIMxMNs3lRN~%2_r#rJq0QA_QGZ&=8qN3v} za!G8Zg0P4Dk?>LKV@h>@YtJX(2;rG9toa#ZE{rNzluXc{Rl-&@ zOKgcI7vdicKCtglNLOEJ)suz<*x3__=({ps6mk<{l1sw%#%9;&G;)K!ZY#BjG#*He z!?8rJ5#Jh_Oo7vG)!8HRz8I0gSpF?0D%h~-qX+`sUk5M={J}uzsUJOW^0?mddMHD+)HO|9H?jDcA0wqG)@>fYOWoD z;w4wGR+w5U{CrI6^qWrSsX~hTo}=wlN>T+aD&#S~d1Ej)@LNZ%H8}sK9{d83+lmI7 zHyazhYzh+w)s8mwJH`@={{A~2|B??rr@()4GT0fH)QI0|AsNK>W-8Q$rgDzH9JMgqhNkkd&i7*HW5xA6OU3a2M2pkY?vo!M5yycw*VpVd|NeLDsy32DqRRTU4 
z@%!5vMtw@o-dEfvo}?7boB%g*?4tGA1RE@>8i01J@|QB!#|}BNg}*-<+?Mg^BD%++~;{Tlgp}=i*gLm!po=uyk-QbGJb$!n`ZceGGID{Hil_Yg_O zQP;;9>?exd6NXstndXF^j#BLBL{0DGEn@Ee;jg`%#l(PMhTwE^Ty5LO^vGZ-c%XOv ziklkstv?R|)5IOW?bb_+$oKi}{)5N=4*CC6J}9jC2M;RNaZNb|$t(y6W6fsgVAxC4 z&SDq)Qq2(x_2wh!9JB2m^4?ZzAvW6i&Dq&gA}2Q@ySxN^3;Cq+vDECfghK|!Bh7`g zqhIk@*6SZweWhpy4&Wuk zae3S2i}Z`EiCiu!@6$O1^nT_KCSQ|ZqMx!C9S4SyfG#(ll3k`SsG8I!s^ZYTPS-j< zQ#&eY$jsou-c&6sv||(A&Zw1nZ)C8Xu;UJ-?o5$9y$%~_UA;~nASQ1HAP~pT^V)n& zm?gDcwChpP@kw$EZXA!CY(i2*%cQ@LlON}QbXZ&gOe(2+MF6g(K2Cm1y31Rf;(pD{ z-PwN~;Sr|U*e;p`a0WnF1m`fA3oNw`;AafBO{ypyGk7JRa2m~ih?}@+qjLV{L@D7K z3J{n-U%BWJt`Bd%aYCg#w`67qsGG!C@dOcsGnNgKx3lolpe@}H!>!dQodkC!v$Sk# zL$6b3DJJjbpYrDFA&Yfww4Sx&d`E_o`5xU6v1ecD<-tl{7ReMC9Vc*1`k9fF?M7a4 zEm}~<)V^+zNEK&oWdp#iW-QNtjSFb;?Z72p)y?ctf2I~htSwPHkTq9J@6cYMt19>6 zkEr&JvjiJu5Z};3R$Xb~F*V|pOrz8b4*YjK{v{v$+(7{7hwMbX%S2bs;143atX4Ls zhA*=XTgJl~Nyh8@^C@~GljCM3Os)CL!c2O^IBi&o#(hX1(c1yS)(^TF1aM`?`byIl z?s3_QdU*?wUj*ZoVIEFme~snzq@EZU`PtiQZF|#^dnBx^!Z{xt=4DmuM=%~FgPmzI zCW4B6?JwQ1!*#;Rj#FJ#FEbzllF(o^atUByGzrd-h+K{Mb$AJ?pbJ|3K0+eAG zv6YO(8jpxrXx%(G(_yEVLdd+t>0Ey^0IGIBiGY8k6R@S#Pf*5ZBA+wZAM2l!6^2gh+dYfssd~$?OsGu{LXAAx$u*1t2YzjV z_-T)WQq&4GZo{+-kD2D6h7BMW!-|CjdEU|HtenwyUR$qMA#bb|hwP2OAfqRP-NKj5 zA?@qIh`72CE)K!*3Zgp@Tz66;GjX>sNGCM!rwbUqb&=#fZ*sThr4!Jvh4;!W zsVMWkw#z8t-*QvoBbA?vh!$@@%2pO|QmWgw#SNx!Wb{&`K}tprvH1EVJ163a&bW!@ zaKm+XN^aLgP4h@&3rWt~IemRGV|hol81=ahRxfC}5zDFcZqn>~(NNT$w)H@LoM_Rc z3Sbp2b5z+|ZDPoPLN6-MiguKX2~-efHs)f2WJqT{SFqD1PPV^ZU`lzUgg|T=xyhL` z7n!<_gI^A5Gy^#0HqA&IP`?*>si5^M#n@G2Rd+hJO-L^xJ0}IvXXN-DFu0 zxbilW=w&KeisP!74Sjr7tkV3M#aNc}E$@5xx-g23e&1jGkvDR9Q3(((}H zYEDD_kie)A;De;K=kZMg1IB&qgfvrZ6fo{_Azu#nSoW4;g^5^dkv6pvJCOD^)jfN|9Y1=Tj zMP`FUxwN!_pIdmMHPPMS5rhxi+&Jx0mWO8ct}_%Z6${8^j-zc1p4A;Mj64s_uqy%L zaC|?Qyr!>EN{|Mx^pT`-FF6AQ(8W0$$@A}1iC3madG0shmX5wg?PlVjmO~Piq6Q2~ zBF$6QBL7YMa^Ii8J#;p@ zO-LAvYtHIYPC2?08uUf_qP&W-xUdm_wkW|$Z0>hs7;}Cxp?{IQ{2x62v+(#Y`QS7I z{0E#18TD~gu0;Sw!Y@5-X(Hsw?p7!lKbKjg+g(DkgBdkvaiabMGA^3;p*Nz@m|cDU 
zssWg9inpQ`CgQIUYrh``3ic@AFOXZmPB~UtT88x~=rt8-%}R+v(TscLD}iZoy`YaQ zWVdKhz#MCPgW5IsE_Mb7iJnw~M-kv<03hj7#)tC;bV}jku>W!T6Ruzm4tlH zsSN7;+>oyF0)ED+Qqx~9+b$dU!}2vwa(aM>jO>e&C-AhYg) zS8*}`?b1_qUHG~ems8gl9VE2`wST ziP6R{_-%ET`1!#Z6DUKv!9bu$Cv(sv8>_C6K8dEo0AWA#HjQ(^a*8Kh_&PeP?H3%v zQR~wUg3HUqgo37;1spS(bzDE>cKa;%G~fG61Que8-~5t6Hj zLPm6&`WMI-KHP$PzbjA<8_Nt3x(92A@dOBwF7|mAxA1*<+G|@X5;}ZGt6Jbc@c5^E zkTnthi))t{@N8S(JEmzziTwMZDg_?!Vhdp{9)K)yZsyaom~XiyBWeT8eoKeO5`B3x zXuNNd-Ty%}NUIEs^q_8ugRvuP5CGwtKFMcnqK)Tn?dEK3|3et^BKX9WlQzf)M#8H3sL)$rx(IuP~{kZ<28V78m2$>oQerE?#+Qi1@#Js+Dqhy;~ zCSOS6*&$o$twuKmRKGIY=@M(1b*K2_Ydcg0d6+C5LjDw_Kzo9;q+<{ZjN9eB z%FW@WCe5~Ep#?9$%~$vS>O#_0w>t(A@P|QdPPn~X?v0PIdCL_JCKauwwQIk!jcodl z!tBaOj}<2GrMX;#_;7mcZewEh8K5n>661H7W#%xBk#T>%i^g{~b%T>=1t1dfntjL+ z;?r@N>H!Q3h9A;2XVkb>xaK-ar7N#+kWQ8Ea+(aIuMn;ukT8kWjuO#i5CCs0mA*km z8XnlsR7%K?eG9q9%Ys@N5FJdQzKH`kK8%-1HN7?$kQ22G3TJ0tFzjZ>%BLwCdWZh~ zz%1QPL;lYzBap@lCm-0TuDsI}#^%GuJ9T0%%CfT3Um{oRTPJI&up4n^PSF%Dmq(S( zN#e#`;H2L4CnbjEK!GjXW~N8qlNPC&tZu%c?<$h(GHPy#H$fmINC$2E#8D|E|C>Gb zpX%{1`JiwU{I{BK8g#?_INVy9pv+Idx;<^_)k%)^5=Hnc5cxi}5cz$qLz9RU51bEr z5P|uGPHf3N`WU7A;+R7p9v8X)3_O1Y+$ZjCL&j!a{akv>QQ9S| z2(Csts>GYJI8j$~ZI;fa8kwNXN=1_jYIh`UxB4k8O3sv_rOQ5s2&g-Dym~R76aw)X zWCG0HQ|AMVli+Run6)WFO-|(iqXtdZRF>eWQQIV*f)GPv0d1(OCt^f^TPC{lvlpEr zGYs@A1C%|?eu&1Iy5QcaVz{7j_8d2xJW$rp201Y8yVq$j!#s!#)>NX_A0MhRtmpCp zt52_PVE;45rGMnsJiUa)!C3i^(?t>)W1!(-X36LJY-vDJkZwemA7s9^n(-68%bKIF zBsk|IcLS{W3|BZPDP5-`#J}z{+@~#;`^9c##df4aPBBBYoA4pJyT$AYO@qXAJhWLspuCR3U+*3o?yPBh;zsN#69Llz|FL>6zK=>W_yr1~xZ8N%0 z#0>%Ibg$vl@ahgqhO$3&Ora$4*F*Gqgz?0eiebvpd@!t@w^+&_gw!axg!R2e1?QNZ z3z3MKX%K(zc?Hb%h^wTIMjUx|v+aHvt)}#8-Qk3{;Sy;3KRdgyqG3rlc-Z8hurguu zlFQy!>Y?QP`Fv8-?4+)MAwJvIJP9&WGwZ%0UdFWNHGAIF&jFdITDa9R65IobckLkS=BFFgM1rW{H_0Psssc1&vx1I=TX) zvEfY)oFSQ_uZJrTK~}4{*h_o5dlzq}quY>#H(3U}LIG^fG761AL;b8b1{Ykkwli^# z=Q5|e9JMZ-fZZB}&DyBZpA)O+k{HyfQReleA&{#qqKAIrEjTNrp-bLgjyqi#`Z`>O{QKw z5zQGY-4$)w_p|vlO2JQKefXjNrU65Jf+e46DN2HZ(6Fm?baeCuEal7ljiWbqR7Di! 
zK~5fOL;?HCy6ZGSJh{50E@&;lfjKv=!-7EAUdAP9y;*Umdyys=v(f)eI&eX-rS&RE z(Y<2=jmNpd%#)Q)5Mx~lP1uLqal>P-{N$T`!<&rQnTPH{IiTrx!nkVpLcI>wa?X&{ zHW6#Ca!&Xk=|=5ciXA61h}fvm22`H;mJMig_)}0x_`N0?n)N11-k%ig=-23(Uth1q zr?zpw#A_V5+Y}nf7hRk((PfPaX12yc7 z5wIrkg4v#ItJ~rgDV6%y9N{;#N1UdCWS9#`Ihp>d9{*jFmHDmp7asq0Q+nFMe`4G{ z1wmQjQ?&*!4X{KPmH&C;)uOudF)KMAL=a*U>>wze^}?wu;5gFZS|osphIYf_-{ho& zNfeG4H9#kwm$AD#G6|}<-lLbil_MkUau4=MiBhlu6l?w8T6k6i*zQtx96xZYP4G|MX zBPT}g(*w#^Z{rWYuvxI0;?2&{wFvL9aZv<=C3zKA1}Ndtp6CS~CpFsN^j&<{W5GO* zmx}uEWRaP>v6t4ZU(CeYL8XMtSGje>WL(8AV^NPw_x(z)}Ry7%!Z9vVM z%u#@ew+@e+U`4Z9!i9kLpOHwqgkrZG00octeclVEY>28;1wZMz>|G!QLZ(S4dH0!4 z6u7ZtMN$kj%FR3=Q;$6?QTI@>fSS=(1R*>*r44Ns|ClIu-B9Je?8Z~84I$_Xprgg~ zQ+Y3mi1Do13l0P_bC3?(#>z&p;3M!9 z3S5xE8b7yL0Q3aaJ&Xaj??_$NU`x`hEtTM|F6i&v!2*Dg1Xl{^h3J2Z8@0 zvwC%vET7Tm;XP~;c1oWkNQ9FClG(t(-QTF$5-t=hP#Y4{4}FTTmi9P1kDkfR3t`Gh zM}_W6eq*qZeXhqko6L$NPOazRu=n~U)=opsOKIA@Qx-HM>&?6#4A)v z+0m|0?Q-$#u8hq0j41yE8X6&%fv#y1K=#mgF^a_K&W5hI_klTWqP#T7W42DH&|{0b z%S_Tb=5~wDQRUXgB}Lz_?1ySH>CmeY0gW3rZkjpnGQK%Df#3Y&b9H%feydf#_gHI) zuOOmD&=}RP6-?u*il-Rf(2Xe~domS>>@0j@=WwBvQF(OWKg8U?(^kTZf zduZo)3^F*}fU6NybUyub9OpOuvi2y+)h+=KLFJ$JNj8;TPF8-bq0_9gKm*QhkMf)% z`dXulS8tn2b6^(A&v>bzO~ceY2jfEu(Z?p|b;F$D zpFI~59si~VHAp)e@!7$wI?V2ko)Sx$u+ukXMpY5O;%_HMN;ajSf>E1jS z<7~56>ZI4Accr1TOh34sY_vNVGM^|OrmoQ~1(Y`K_k&)9a_f>|LC9|)3GAI1-O4j< zPB1;~fXu>V_WCSftw>;Z8Dw8 zA=G(*n3=Xy-#7056W%hmy;qf792n^mV}_|yK(zlK{; zlPOXnd@6tuonHdEP>_{=ukf~`lP$34(^!)~=qm^>Y<&KlR#wXVEt!rWf^ct-+%d=k zp{})jjvJ&pbTEF3HY)w|tWAqIpE!A(n&81K9mXprS zNGvSP?Dvp7_k$ZzS62V1wDa~> zppS5_%8PJpEcbBLf^MqV`4w2JQ`AF7fz!5Ry*K>%`Y(ceuxMOOFtU1YY+EkYF3(U1 zs~N1Z#*N{L$>(1#f!Ckb`1%>hxn^AkTwp|a)y>cNh2l`1p6z|*&f!C6$?%ri45>Tt z)uLVg@C5e3vHRs<_Mokbr&83@e)R_zL8?mxIQY@7(idU8jK`IJ^iNGafJ~Zy$3yWT z_^-p|zivu&FZgfkZqzj$#w)OKlmqqdoS7Zz>xbo15{e=J%TW9yTl3eDq>>NWz22Y5 z%oga^^|gXvHF<_%cWRFps*wvgota47s$6?DERk}E0wK-M-5cbwK{Rt&n*8@)zIjNB 
zVv^-dQP56-55MntL6X5tGp7vpM_89VJ^k?k=|vL~^9JqM5xDJCle<1P4qc3okVEPw#RwQH9Jx8c|mZA`$uXI3bjRrfo$n?7eNlCpQr1F(svN!;onl8o7;&aVs zW49i<_Nt<0YZ6M*`JMlGoYE5$Tfc~&)}I7Xv)58i)hm81lN9$RcHcuEDlAwTxRmgo zY?s*pWhH8h;u$uvopR2=!Gtxsy;!lov)O-Udj+s#m&T9g+yrW?^y=Fj!Ur=bFZ$p< zgh{*fhYmXp3T|UVv-~7w+1xd;M3nX^pFMVX^Qv-O5pD z7eW?nr3{Ah5Qp-yGHZM88!yu@0D{mrnPV%fY-P;)}ZlreC)?DS37 zZv9b!v-tS=_b&m)sU^%ixjbcL-xg4HS&xK?g}F!M?KowACPtO3G)qkIp!|h6ZJ`o{ z5RJw_rR_u1WZzTv649h?Ix{xYJ196PW${AQ^p_<__xQsGN1F1!)R}e-O2Xq+gKHK~7L9nQ_jJ_e0+-}UgLDA# z`1HrA$2t;@Ji{c%Gs<|DT>h`NroG#XAO_QFkCX-#g0q{4u^3MQiCePf?5%>mfwY%1 zfN&!)u!$k21q8FJ*w>Yf4Sq`PU1SPu{>j*R3Wa9j{=^7bc-{MUZhGprhM%Oaqn6_Y z(n~l`z%`I)jRhyqpK9uGb<(mBL35i1DK109TTw-tz?NmXB&Xy(YdR+qpj8~(LRN(% zuEE8GDWgy2z5!m;cZRr&Pi>Ca=7Vz)Sq?vcW2l%h!^QMZAKt#)i)68pLMv-5F4nA4 za1Q?hzjShQWmmx={V0~_=9B&aQsyoGZrM#zfKJQ#upJ%j?j%?OVH!;tMXk?djg8;u zt`5ScrD1rV_xU>>^20WNRgeF=DYM2A0DO1FOJp`Qk@cvOThNe=BPFppBNtMw8XxmY z^QF;p&{?fxWU($Um865Jq0dUqTFaEHWxitwg6<(+`nqxb^-<^Cb`UnWRx1p}rYT8} zM3Z6Erh!O8Vho9)Cs_l-Sx*tIH8xkS>k!X#$Is3~P{no!s;7JAH>tQh4RQpMxoPLa z@_mTJIs0)}sX=Z8)wxc&o9L{S(^oJXf8n8~7bj95ia^Hfjd*?>8TGK*ibROs)N|Yz zL!J|JYh89gz8H^9Q+V4jTTuR}qKA?hA%L!89t%W4B<7;qK3&Xn1FziJ+9DE(dhn+V*y9T+}NlCG>R)0o(>8z08Kjmt$f%PA2HjRXAG{-r)T(3tvnA{X?RuTMu%SB`KPAxiC^1!~@i7#As` z?ur);87^%*$@}k)Trf)5P)t!S1*IY{sJugddjK3g9P;-Jf)#f1g~WD{d6b&BEZnL+ zK3^LZK22fl*wUyd2Y9uRvH$6s{$-c@;|G&gg8HAn$A8_FWAq3BO%xj>ao^R`1==Hj z$vHUUjmAv>>ggw@8&P{oTaNlJC>SlCoua3zznW3%@DI{=<8$B#Z&Tf0mia|{rAF#> zZ(*@ADh(6wN~Sk(x)>cUFjK=Y)TDEX7mXh6I38A&0klzNXjg=g@bxZr zLwD(?p3{n|yw9dRk664;Kev(Y)MWg0G||-MaDoQy2lk|XHl%bQ7f3qC4f`a$cR@>$ ze++DHo1jHpeHz0>wV;69wCP}rcsBeAs^TT&88hN@;ZOgxRdvp!BUhr;{IHi5ollVS z3{&1cDbKJrf%9{xJH9OLN!P#h#VW5kXD~-nKiG9O0Je+k^aR6o$Eq@DAnA+6ifLm$ z;E6PNT(=OGltm(OaCk8tiMtCaL7mqex1m~Bx9Yasar+ZH;SHqC&Y5IlU+y6IHD}vf zalsqg=dL-vift)v7@yhh*sRRg+wXznxh|BC1DVx+YfO z`q1+O4Th^iF|h`?X0;o4#FN#asA3Wxz0Y7jB+>y3px>?9>ia{)3~c@$H)&ahw6^~9 zS5=@6!n> zl!ldz0OMlrNxQ<@%bdz^YHEDOr`WV^V9j4AAYM|GQ+<0+;8c3^U)k)i{YZG`ll{`^PV0z(4ihHLkY+&gY 
zT*0A)uR`!Rn_Yz1@(cxSz-AmZ(u1J(HUmbTh8Oz)zf_9}!=XQK=W4uW;x4St@_?GlL#vx1t zGFf|8L(^dP$()L59qfDmy7~WPI59j{T_ukcM}X%O_9QPTz1>J=*XjpGJK+)*GaEc zN8l;?!^;{++=1jt@0`uVU=!?@UE_)yU*KP%Oht~*Pi|bsR(d>W8gq>ivJp;=3K@f* zzoh}$%BF3lbPV*gp6MffTWx!Q>Lb;?jG%1w26<`C*QMS9&;fs!(yRhB;OhSekN-J) z{w*I&EQ0?;kyCLSLPc7Vrjy9n5RwDhiG}ohB42Z^PxAH=7ol+A$n>%=I&cds5UGBZf5G*+s(3oHK1HRO=? z{|O=r-St^r>Npv73rpGHjN=MUU>{)k*;`gA{s`5i_;)4VT~<9q$g)$uzqnIlZp@rh{eR12>aN>RZ;J5Dwk#U&Z`q9V4jSVn%bm{BNl zrnuMA%&8|Z*LdwKiUQo4O94lNXJ5_?+Ai86;?jsx-(@Oc?O=rPV!pV?{p0UCJYCw{ zXWqMKR!cLa31!I3X2i@A!?G3tPk5h>f>2C`tdxP0N8FYp`S>kfY*@6_P~r8r!O4UN zfpcDjM~4=++0kGl2&-C5A0${r#?R?3sqq=}_oyWJuvh~)fQOlly3B^^2qvrABflAu zdn>J|pNb;Wz2>QD5dXnPBXESRY{(1IDCeYtkU9++r+y$IV9Lw$0maSMjl7b1sJwi% zu_nZ4$Ks6e=3a=5@RD$vUzqV3bj=PP$}_C0Ayja!d+-6FTL zF@b&nAs~qY90U*n3IGNL0#+6)kN^q^5S4j5Dq|5A<;eH!1HTx$Xd>e=+w z9T@>5K*Ru6#_a5_J=Q>SzLxEA0KXbhh3W~*ULpQWyyh`~>6E%(HHN0A;HEe@pl2Ke zj-)_HmM1xT0lO7PcXQ0%v00_=WK!}hAy;1o9VWnT|F7*=s*$)PjkhbcLC{U^lbCpe z1Pgt&fb^(>UXD~oXDt^_BG57VwV-vX&r_f$4*T#d7UDf-TGHVR{4iR<;`kC6GQkgf zUJOyq&m$<8L%2}+qU7V+q8DG#+UQ~}1zcZL0&PM0wc3NcE#f`odrs4uMabVM9Bf1V z8Yr`#sz}S(Ij*<1hSA57ve5(g;)aVc4fDe+fFypA2Z@g_j4Fyv3A${}&ht2EC)N9C zfx=h7+Oa@BOJ$f_+<&Y`f(mvtuB?F|P#o&R%ATl!o=9|=b+iTifIH9XvFwX|{iFTu z6d^%%&<8(Tl-px;+IihtR%^4DJa}PXaB?q|$1-Dp(Nl^Bxxs{bf?H;Q4`iTOJ1CZ3 zz@eHPYH#v-j~L-aW|YN>jB5pXZ%)HH*u#uEr^iET$8igDGgSqy~_9y%e@tm};eiYVk$^L=A zC_3*M?*Sm_ZXP^?IwlzU=nj~YDYje^wYHanV7UPe1V|m`EddAszxH>?xl2%mzdpo!Hk zez{}GOI}c_3yyMMxIEpudo{b>AU}Yp0xhgVH7d^=ahugmFo>STU z(zj?jDLj5j@7{0L=aO;+EzXkb{I|PuqdwwG_tF}=$F%cH01*KI0f_?01Q-DV01pKM zNFC-a0viGa2@=c$00Aip5Gn3hxt4}eall<51Q`JW00spDNFC-b0162ZonET;kQ2B< zF-QmihGvNS&un?NLidS<)N4+-L2UBcLTnsAM3_$K002HYb4vC#n^e{wT7pWjkG2w7 z_;&bDHy`-(TN&LLolT^&QA{s`81B{eeleo^6+CBbM;8v`N8vd8v<%hrk5q>SS@qVz z2`^5r_=J7dg&(#*CUp6sLd6-sdMCb6+(x-64kz6dnn*Q5Rc>9UZC2S^PFH5`Pc$Gq;$#FfI!+UV z!o&<9f!hQSto{ItKDcX#(2}|iEoSVyDV?!SGy2pXb&B&BRi8eZI$0bz)j?@(drX)8 z+l3$IOqO?(V%(Vn&hNOZuajp1VJ(M9vo|^NF%w@o&8&1jXkrl^pboJlT>8-XFK?Ti 
zc)}lL4RxW7lxYQdH_J3mxH7|119nqZL$-12=kvACRAH}>rl<>agE*G zt4=2${7>*E_uTK#Uaq!Fl()B!$#$g^CtOfEBG|(EX0Z`3y*ff@@7KGyZ4hcrV136vzc}TA9Cq%l3MlEyU`-bUzgpm^<2!j-8LvN42K=5@VtC`9)j4 zJaos_%YTHDMl^i>7|fRw|Es6;sJa%TDnn+)^X(*gzL+W&-nxsZwoRl?FiBnQ+o|X# z#K&c1_&2#h6&3^eH7Yd@EAuP_CO5di=Ji2>r63hbt0162ZDehRgmWEMrcq9xUt?FcW>-`;qzP`O1mW1FZ`4&;-*}fLV zUq_6@AzG5wm?8;Q6P1st%%9aw$X%@%#Hs~rt9qG-ku_w&ELNqnx$Ds65Oa zlmD~S_EAf!-4ubH{hE2!-vaMP4x4QCQS!f937(k_V`HN;{Z3%%MBdIhq)%`Km9a%x z)djZ%-WK@VD*2ESixW9o4yatlJ+P&lz5uzXVCy%6YgeM{bQx0_mlW0&30;TLW?6V_ zcmG5~+I4Nr?ba5lYFJQ6s4&eMWMB$Ou!SeTtY`-}C{zqY z^@M_we_d>SIhlic&lKFd-zW4|&AkaX4%)YNu|ql<5ahWX%&4EO6}WAZ2f!{OuM6BE zjvoo@xT)DJ@ItPtJSD5quo5({lt>5CpzO_%Rn3{RRDV$1YiIpCzC6PbUQ?R%j#xEH zx(~7~$z*sq`a@g`-`nNB*ao}ej$+J*9Dz$LST?_y5tKo`Oq=kVFQzVrBlBm2t4Cj; DFB%lQ literal 0 HcmV?d00001 
diff --git a/gpgkey-56EE7FA9E8173B19FE86268D763712747F343FA7.gpg b/gpgkey-56EE7FA9E8173B19FE86268D763712747F343FA7.gpg new file mode 100644 index 0000000000000000000000000000000000000000..42f2eada8571400cf041fe6b292daa48d9dd087e GIT binary patch literal 2135 zcmV-d2&ng&0gVJwuQR0q3;^xpu)_|Wu>BUia@a#s0t)VNegqt{BBE9~a9dQ)W>Y|7 zQG!CE=4f62h;JNkJ~+)FvXt%meA=$Wf*%n6f5Fr6ydxF`2_hm`XyVV$a~gty%Uzi; z%#i5atz_!tr+-;#44-2+`MSfIG!yl*wnP2=J*OR&l~7scd#Zj@bTv!5%C=tZwij89 zC5C23{>LB9!Rip$S7Xt7R_D}Nmk6I)wU9z5z&*BL&%(27>5sQ2Mqxqmrz;CL#h%9B zrKqPD$~XBZKd$Ql8l4C&6*eSlkC!KK9tC#wV~Y4#rp16B zD`V5xMdWLQ?I4V3<50RRECDNbo?Z*w3` zVRmwFXK7(>Zf|gJb!=~QAUtkuVRk@rWn^e!bS`6WZ9a(sz628i0strl0#dItr2-oR z1ql+&0{{jK2?z%R0tOWb0tpHW1Qr4V0RkQY0vCV)3JDN)HxhJzG(V>oRSW(n2{3kZ zoZd|#a;IJBd{qPyFA+Ba@gP`J&U2`?;t~$>>0qYj732iKq1#gh^)yTlw^k0Qxr%Y>()!ivFiYV_cZu5+{(|CE zhWn>1t{AQE&%$RmwRun8o-2TGFg?v4Ou641f0-o)lm{T3cpm1(ebae<|+Jh`vg7V3ZIi@)(LX!$} zKw(2O(+S6`Pj2j%WN1c-0iXmB0RjL91p-p9G#LO22@omnSh<#lQE?q`3?Q?@_+%GY zj6`h8XwbUH@knP)CdW0S`qhQ6ZKJK*W4gw zWK*LN6CCcEgo16OXIbx~iNf^}fKfWaq=^~g%prFbk?J{T*10={s>g)Pj$pPlT!GXO{(EUrc&?l8Qc~FyrW{OAT zHLgNwG~dAC6UlzCpd)qoPW)=iegXnoP+Hd8;Q69Mg)k6va5~jNi*N8L?bNVJ6qZGQ zrIbNM$U2iZTQxx~pOO&S_pG@AjRaD!Go=9x0N!Ud3in$zcL{ljKS_|@38R=47VhPu z)`KEO*K=LYI>)7+AhIi-{9!Ez4x5zv!R;;q+(xk?H0>cIBOA4%g_zDj@LOgWa3=0c ztqn7%ax+8qXheHhU4hTxLI*Equ=HIkWVn7p2U3k6K?mrA-f|Q;XeaI>M?_?D_Mp|C z6@GNKa;umx0Gs*&-UfS;-TE96pfmDmy^ko9nH5ks5A`SgNS8hwrL32ZADd5=-Pq)j zJ|G+%)5IXP;io9UP}v7$4IA6+I*mQaN~BZJ%LY{w3}Dp(ZKnO38K#K2FEf&Z&X$(+ zV0(;@zO212<74h?lkzUh)MNWqWh^-vOe{5LF?(BO0k7D)IQeR|^Ln8m94b@3(ZOe- z6mee#2nUjmj(q@$z58@M;_F}sd9|PX3<56|Kk<9Gi~`RJZcZammb5`X(Wi=Kb_2|3 z)8f?x8h{vBNA1wa#Zx_PzC$$!@;@b_rmBd=ZY{o=ms!?4hc1AMq=sdb&51!vF#r(( z00D^sr34rO0ss#M0#dItr2-oa1ql+&0{{RD2@rNS5_EqwKc`-}3;sWzHSMmh;A>s5 z&^KEth;3%C6<5d!21H;V>Mn1#Z{(-UQ1`j!G>OKcrg9m!OBc+8Yv9hV!Jyu03xjHV zl-$%cUZrqo5J_!T6j#`>2!S?UJM~J - 0.11.6-2 +- Removed gpgkeys from sources + * Tue Nov 15 2016 Nikos Mavrogiannopoulos - 0.11.6-1 - New upstream release 
diff --git a/sources b/sources index 6dd3e56..f7d16dd 100644 --- a/sources +++ b/sources @@ -1,4 +1,2 @@ -310168e221d6e810022b270e32bf9662 gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg -c144d7522377a701cb9e63a20098e122 gpgkey-56EE7FA9E8173B19FE86268D763712747F343FA7.gpg 0e4f82d267d27f2f9d3fcba58ac6cf5a ocserv-0.11.6.tar.xz 12a026b472daa54373f38538773673d8 ocserv-0.11.6.tar.xz.sig From 81f261225981c82fc6c21e83fee08f761b2c3d22 Mon Sep 17 00:00:00 2001 From: Igor Gnatenko Date: Thu, 12 Jan 2017 17:30:35 +0100 Subject: [PATCH 090/177] Rebuild for readline 7.x Signed-off-by: Igor Gnatenko --- ocserv.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/ocserv.spec b/ocserv.spec index 599545c..1d32fc5 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -2,7 +2,7 @@ Name: ocserv Version: 0.11.6 -Release: 2%{?dist} +Release: 3%{?dist} Summary: OpenConnect SSL VPN server # For a breakdown of the licensing, see PACKAGE-LICENSING @@ -162,6 +162,9 @@ rm -rf %{buildroot} %{_localstatedir}/lib/ocserv/profile.xml %changelog +* Thu Jan 12 2017 Igor Gnatenko - 0.11.6-3 +- Rebuild for readline 7.x + * Tue Nov 15 2016 Nikos Mavrogiannopoulos - 0.11.6-2 - Removed gpgkeys from sources From a64c8c405cccdc392367be0d13810b3bfc8dcf70 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Sat, 11 Feb 2017 00:37:43 +0000 Subject: [PATCH 091/177] - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild --- ocserv.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/ocserv.spec b/ocserv.spec index 1d32fc5..404c68b 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -2,7 +2,7 @@ Name: ocserv Version: 0.11.6 -Release: 3%{?dist} +Release: 4%{?dist} Summary: OpenConnect SSL VPN server # For a breakdown of the licensing, see PACKAGE-LICENSING 
@@ -162,6 +162,9 @@ rm -rf %{buildroot} %{_localstatedir}/lib/ocserv/profile.xml %changelog +* Sat Feb 11 2017 Fedora Release Engineering - 0.11.6-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + * Thu Jan 12 2017 Igor Gnatenko - 0.11.6-3 - Rebuild for readline 7.x From 38af83d5e9d323769eae3c8270a6f4fad70f7eb3 Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Mon, 13 Feb 2017 11:23:29 +0100 Subject: [PATCH 092/177] Update to 0.11.7-1 - Update to upstream 0.11.7 release --- .gitignore | 10 ++++++++++ ocserv.spec | 8 ++++++-- sources | 12 ++++++++++-- 3 files changed, 26 insertions(+), 4 deletions(-) diff --git a/.gitignore b/.gitignore index 683b9bb..433523a 100644 --- a/.gitignore +++ b/.gitignore @@ -50,3 +50,13 @@ /ocserv-0.11.5.tar.xz.sig /ocserv-0.11.6.tar.xz /ocserv-0.11.6.tar.xz.sig +/gpgkey-56EE7FA9E8173B19FE86268D763712747F343FA7.gpg +/ocserv-script +/ocserv-genkey +/PACKAGE-LICENSING +/ocserv-pamd.conf +/ocserv.service +/ocserv.conf +/gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg +/ocserv-0.11.7.tar.xz.sig +/ocserv-0.11.7.tar.xz diff --git a/ocserv.spec b/ocserv.spec index 404c68b..e24d20d 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -1,8 +1,9 @@ +# This spec file has been automatically updated +Version: 0.11.7 +Release: 1%{?dist} %global _hardened_build 1 Name: ocserv -Version: 0.11.6 -Release: 4%{?dist} Summary: OpenConnect SSL VPN server # For a breakdown of the licensing, see PACKAGE-LICENSING @@ -162,6 +163,9 @@ rm -rf %{buildroot} %{_localstatedir}/lib/ocserv/profile.xml %changelog +* Mon Feb 13 2017 Nikos Mavrogiannopoulos - 0.11.7-1 +- Update to upstream 0.11.7 release + * Sat Feb 11 2017 Fedora Release Engineering - 0.11.6-4 - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild diff --git a/sources b/sources index f7d16dd..907a2bb 100644 --- a/sources +++ b/sources 
@@ -1,2 +1,10 @@ -0e4f82d267d27f2f9d3fcba58ac6cf5a ocserv-0.11.6.tar.xz -12a026b472daa54373f38538773673d8 ocserv-0.11.6.tar.xz.sig +SHA512 (gpgkey-56EE7FA9E8173B19FE86268D763712747F343FA7.gpg) = c664fd9999cbf9912eeea88ee3a2c356df3f70813a664bb7a7f592be258c12bdeb9e99e4aa9a368c1f123ee449eb08e288d1dc3dcf81e849a958ece6eab82d67 +SHA512 (ocserv-script) = 6d77ebe95d23469d96b45b1ac8de7a062cb1360febd0f9664b42debf0494891a522e3da8feec53d22b84e39ad349a1824b7ecd6b6b8f0790edf75aed1087e2d0 +SHA512 (ocserv-genkey) = c02a25a5504e2bd514c6e6944651960a3cc9bf2ef0a4509744f99d61421feace1f8e440c4d336652efd7349465d1a707cd3a370ff6102ef5096d709b34099a86 +SHA512 (PACKAGE-LICENSING) = eea2a2a4765c90d874c79bb72d754c8b26b58d5e5b3c3cee10c24754fbba6849fd91f7b28e380b5db9789a456f95fc94b3bd8fe8c160a98c8042f404479ecb68 +SHA512 (ocserv-pamd.conf) = 3a75f19d89ddd164f3faa9c3579c7f675fc58413a194f43ec28eee7ebced6fee3f4ca305fe9b0ddf76ae39cd669e8d3d63b58afbbf19b84e4ca646ae7f42d61a +SHA512 (ocserv.service) = 264f3389d88aec1f7d2e4683a4dfc0aa67af2325154de822eecf5fb43f8c221aab0d9f0c6a8eedb893e6d69ed4d94c9397b01e5d0d12e88330017a3bfa5f3644 +SHA512 (ocserv.conf) = 0a48d394dba183528c1e92df2a8b844a4d7d419244b1c08883f79c8b48843986e786ea4d48478ed4e8d57fd56626bf962dbcf6c76b5839ba5ab5fac8b089c44c +SHA512 (gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg) = 7eccc70fb763cf8a6525228230c1f537224809cf553efb3ad6bc88ad96f01122c30a5cd9d8328fa3a97b242d59e00bc9966589a24b1e65dd4a27eb71393f097c +SHA512 (ocserv-0.11.7.tar.xz.sig) = fd4af775842cff6817adaf4a641b180d3be3b55e3b64a026977fd6f328ddc5f7070f4c91cdce7e83eb8c3b078a5c1dc7780cfe40c5322abef61ca7fc408fbb2c +SHA512 (ocserv-0.11.7.tar.xz) = a563725bd8753186ece80c91a237a2940071047bb32d1990e2ee122a32ad0468b78a7f35d422dcc9b968a8c56358992842d00958dbf9d743632a03623dd2f5cf From 236cc5805c81592c7f1d550961d1c4c34d0f80e9 Mon Sep 17 00:00:00 2001 
From: Nikos Mavrogiannopoulos Date: Wed, 3 May 2017 02:51:27 +0200 Subject: [PATCH 093/177] Update to 0.11.8-1 - Update to upstream 0.11.8 release --- .gitignore | 11 ++++ ocserv-genkey | 1 + ocserv.init | 141 ++++++++++++++++++++++++++++++++++++++++++++++++++ ocserv.spec | 100 ++++++++++++++++++++++++++++++----- sources | 7 +-- 5 files changed, 243 insertions(+), 17 deletions(-) create mode 100644 ocserv.init diff --git a/.gitignore b/.gitignore index 433523a..333d3bb 100644 --- a/.gitignore +++ b/.gitignore @@ -60,3 +60,14 @@ /gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg /ocserv-0.11.7.tar.xz.sig /ocserv-0.11.7.tar.xz +/ocserv.init +/gpgkey-56EE7FA9E8173B19FE86268D763712747F343FA7.gpg +/ocserv-script +/ocserv-genkey +/PACKAGE-LICENSING +/ocserv-pamd.conf +/ocserv.service +/ocserv.conf +/gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg +/ocserv-0.11.8.tar.xz.sig +/ocserv-0.11.8.tar.xz diff --git a/ocserv-genkey b/ocserv-genkey index 687d685..924aab9 100755 --- a/ocserv-genkey +++ b/ocserv-genkey @@ -2,6 +2,7 @@ #generate CA certificate/key if test ! -f /etc/pki/ocserv/private/ca.key;then +mkdir -p /etc/pki/ocserv/private certtool --generate-privkey --outfile /etc/pki/ocserv/private/ca.key >/dev/null 2>&1 echo "cn=`hostname -f` CA" >/etc/pki/ocserv/ca.tmpl echo "expiration_days=-1" >>/etc/pki/ocserv/ca.tmpl diff --git a/ocserv.init b/ocserv.init new file mode 100644 index 0000000..81be91b --- /dev/null +++ b/ocserv.init 
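Review bot: `mkdir -p /etc/pki/ocserv/private` creates the key directory with whatever umask the caller happens to have, so the CA private key that certtool writes on the very next line can land in a directory other local users can traverse; create it restrictively, `mkdir -p -m 0700 /etc/pki/ocserv/private`, and consider a `umask 077` before the certtool call so the key file itself is not created readable to others. The `if test ! -f ...;then` block that contains this line continues past the end of the hunk.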
@@ -0,0 +1,141 @@
+#!/bin/sh
+#
+# ocserv This shell script takes care of starting and stopping
+# ocserv on RedHat or other chkconfig-based system.
+#
+# chkconfig: - 24 76
+#
+# processname: ocserv
+# port.
+
+### BEGIN INIT INFO
+# Provides: ocserv
+# Required-Start: $network
+# Required-Stop: $network
+# Short-Description: start and stop ocserv
+# Description: ocserv is a VPN server
+### END INIT INFO
+
+
+# To install:
+# copy this file to /etc/rc.d/init.d/ocserv
+# shell> chkconfig --add ocserv
+# shell> mkdir /etc/ocserv
+# make .conf or .sh files in /etc/ocserv (see below)
+
+# To uninstall:
+# run: chkconfig --del ocserv
+
+ocserv=""
+ocserv_locations="/usr/sbin/ocserv /usr/local/sbin/ocserv"
+for location in $ocserv_locations
+do
+ if [ -f "$location" ]
+ then
+ ocserv=$location
+ fi
+done
+
+# PID directory
+piddir="/var/run/ocserv"
+pidf="$piddir/ocserv.pid"
+
+# Our working directory
+work=/etc/ocserv
+
+# Source function library.
+. /etc/rc.d/init.d/functions
+
+# Source networking configuration.
+. /etc/sysconfig/network
+
+# Check that networking is up.
+if [ ${NETWORKING} = "no" ]
+then
+ echo "Networking is down"
+ exit 0
+fi
+
+# Check that binary exists
+if ! [ -f $ocserv ]
+then
+ echo "ocserv binary not found"
+ exit 0
+fi
+
+# See how we were called.
+case "$1" in
+ start)
+ echo -n $"Starting ocserv: "
+
+ /sbin/modprobe tun >/dev/null 2>&1
+
+ # From a security perspective, I think it makes
+ # sense to remove this, and have users who need
+ # it explictly enable in their --up scripts or
+ # firewall setups.
+
+ #echo 1 > /proc/sys/net/ipv4/ip_forward
+
+ # Run startup script, if defined
+ if [ -x /usr/sbin/ocserv-genkey ]; then
+ /usr/sbin/ocserv-genkey
+ fi
+
+ if [ ! -d $piddir ]; then
+ mkdir $piddir
+ fi
+
+ if [ -s $pidf ]; then
+ kill `cat $pidf` >/dev/null 2>&1
+ sleep 2
+ fi
+ rm -f $pidf
+
+ cd $work
+
+ # Start every .conf in $work and run .sh if exists
+ errors=0
+ $ocserv --pid-file $pidf -c $work/ocserv.conf
+ errors=$?
+ if [ $errors != 0 ]; then + failure; echo + else + success; echo + fi + ;; + stop) + echo -n $"Shutting down ocserv: " + if [ -s $pidf ]; then + kill `cat $pidf` >/dev/null 2>&1 + fi + rm -f $pidf + + success; echo + rm -f $lock + ;; + restart) + $0 stop + sleep 2 + $0 start + ;; + reload) + /usr/bin/occtl reload + exit $? + ;; + reopen) + ;; + condrestart) + $0 stop + sleep 2 + $0 start + ;; + status) + /usr/bin/occtl show status + ;; + *) + echo "Usage: ocserv {start|stop|restart|condrestart|reload|reopen|status}" + exit 1 + ;; +esac +exit 0 diff --git a/ocserv.spec b/ocserv.spec index e24d20d..687f8ab 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -1,8 +1,16 @@ # This spec file has been automatically updated -Version: 0.11.7 +Version: 0.11.8 Release: 1%{?dist} %global _hardened_build 1 +%if 0%{?fedora} || 0%{?rhel} >= 7 +%define use_systemd 1 +%define have_gpgv2 1 +%else +%define use_systemd 0 +%define have_gpgv2 0 +%endif + Name: ocserv Summary: OpenConnect SSL VPN server @@ -20,28 +28,25 @@ Source6: PACKAGE-LICENSING Source8: ocserv-genkey Source9: ocserv-script Source10: gpgkey-56EE7FA9E8173B19FE86268D763712747F343FA7.gpg +Source11: ocserv.init # Taken from upstream: # http://git.infradead.org/ocserv.git/commitdiff/7d70006a2dbddf783213f1856374bacc74217e09 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) +%if 0%{?rhel} && 0%{?rhel} <= 6 +BuildRequires: gnutls30-devel +%else BuildRequires: gnutls-devel +%endif BuildRequires: pam-devel BuildRequires: iproute -BuildRequires: systemd -BuildRequires: systemd-devel -BuildRequires: autogen-libopts-devel + BuildRequires: protobuf-c-devel BuildRequires: libnl3-devel BuildRequires: krb5-devel BuildRequires: libtasn1-devel -BuildRequires: liboath-devel -BuildRequires: readline-devel -BuildRequires: autogen BuildRequires: gperf -%ifarch x86_64 %{ix86} %{arm} aarch64 -BuildRequires: libseccomp-devel -%endif BuildRequires: pcllib-devel BuildRequires: libtalloc-devel BuildRequires: libev-devel 
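Review bot: `rm -f $lock` in the stop action refers to a variable that is never assigned anywhere in the script, and the start action never creates a subsys lock either; on chkconfig systems the presence of `/var/lock/subsys/ocserv` is what makes the shutdown sequence call `stop`, so as written the daemon is not stopped cleanly at shutdown. Define `lock=/var/lock/subsys/ocserv` next to `pidf`, `touch $lock` in the success branch of start, and keep the `rm -f $lock` in stop. Two smaller points in the same hunk: `[ ${NETWORKING} = "no" ]` is a syntax error when the variable is unset (quote it, `[ "${NETWORKING}" = "no" ]`), and the missing-binary branch exits 0, which reports success to the caller.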
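Review bot: The new `use_systemd`/`have_gpgv2` flags are introduced with `%define` while the line right below them uses `%global` for `_hardened_build`; for file-wide switches that are later tested with `%if %{use_systemd}` and `%if %{have_gpgv2}`, `%global use_systemd 1` (and likewise for the other three) is the form Fedora packaging guidelines prefer, and it keeps the file's style consistent.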
@@ -50,16 +55,40 @@ BuildRequires: tcp_wrappers-devel BuildRequires: automake, autoconf BuildRequires: radcli-devel BuildRequires: lz4-devel +BuildRequires: readline-devel +BuildRequires: GeoIP-devel + +%if %{use_systemd} +BuildRequires: systemd +BuildRequires: systemd-devel +BuildRequires: autogen-libopts-devel +BuildRequires: autogen +BuildRequires: liboath-devel BuildRequires: uid_wrapper BuildRequires: socket_wrapper +%if 0%{?rhel} && 0%{?rhel} >= 7 +%ifarch x86_64 %{ix86} +BuildRequires: libseccomp-devel +%endif +%else +%ifarch x86_64 %{ix86} %{arm} aarch64 +BuildRequires: libseccomp-devel +%endif +%endif + +%endif #use systemd + Requires: gnutls-utils Requires: iproute Requires: pam Requires(pre): shadow-utils +%if %{use_systemd} Requires(post): systemd Requires(preun): systemd Requires(postun): systemd +%endif + #gnulib is bundled. See https://fedorahosted.org/fpc/ticket/174 Provides: bundled(gnulib) #CCAN is bundled. See https://fedorahosted.org/fpc/ticket/364 @@ -76,13 +105,14 @@ uses the standard IETF security protocols such as TLS 1.2, and Datagram TLS to provide the secure VPN service. %prep +%if %{have_gpgv2} gpgv2 --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0} || gpgv2 --keyring %{SOURCE10} %{SOURCE1} %{SOURCE0} +%endif %setup -q rm -f src/http-parser/http_parser.c src/http-parser/http_parser.h rm -rf src/protobuf/protobuf-c/ rm -rf src/ccan/talloc -rm -f libopts/*.c libopts/*.h libopts/*/*.c libopts/*/*.h rm -f src/pcl/*.c src/pcl/*.h sed -i 's|/etc/ocserv.conf|/etc/ocserv/ocserv.conf|g' src/config.c sed -i 's/run-as-group = nogroup/run-as-group = nobody/g' tests/data/*.config 
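Review bot: `%endif #use systemd` leaves extra tokens after the `%endif` directive; rpmbuild warns about this (and may reject it in newer releases), so move the annotation to its own line, `%endif` followed by `# use systemd`. The same hunk also folds build dependencies that have nothing to do with systemd (`uid_wrapper`, `socket_wrapper`, `liboath-devel`, `autogen`) inside `%if %{use_systemd}`; if they are being dropped for EL6 because the packages are unavailable there, a comment saying so would make the conditional easier to maintain than one that reads as systemd-related.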
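Review bot: Wrapping the `gpgv2` verification in `%if %{have_gpgv2}` means that on targets where the flag is 0 (EL6, per the defines at the top of the file) the source tarball is unpacked with no signature check at all, even though `%{SOURCE1}` and both keyrings are still shipped. gpgv (v1) accepts the same `--keyring` arguments, so an `%else` branch running `gpgv --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0} || gpgv --keyring %{SOURCE10} %{SOURCE1} %{SOURCE0}` keeps verification on every build path instead of silently dropping it; at minimum the skip deserves a comment stating that the tarball is trusted unverified there.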
@@ -91,10 +121,28 @@ sed -i 's/run-as-group = nogroup/run-as-group = nobody/g' tests/data/*.config sed -i 's/either version 3 of the License/either version 2 of the License/g' build-aux/snippet/* touch src/*.proto +%if 0%{?rhel} && 0%{?rhel} <= 6 +echo "int main() { return 77; }" > tests/valid-hostname.c +%else +rm -f libopts/*.c libopts/*.h libopts/*/*.c libopts/*/*.h +%endif + %build +%if 0%{?rhel} && 0%{?rhel} <= 6 +export PKG_CONFIG_LIBDIR="%{_libdir}/gnutls30/pkgconfig:%{_libdir}/pkgconfig" +export LIBGNUTLS_CFLAGS="-I/usr/include/gnutls30" +export LIBGNUTLS_LIBS="-L%{_libdir}/gnutls30/ -lgnutls" +export CFLAGS="$CFLAGS -I/usr/include/libev -I/usr/include/gnutls30" +sed -i 's/AM_PROG_AR//g' configure.ac +autoreconf -fvi +%configure \ + --disable-systemd \ + --enable-local-libopts +%else %configure \ --enable-systemd +%endif make #%{?_smp_mflags} @@ -110,6 +158,7 @@ mkdir -p %{_sysconfdir}/pki/ocserv/cacerts %check make check %{?_smp_mflags} +%if %{use_systemd} %post %systemd_post ocserv.service @@ -118,6 +167,7 @@ make check %{?_smp_mflags} %postun %systemd_postun ocserv.service +%endif %install rm -rf %{buildroot} 
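Review bot: `export CFLAGS="$CFLAGS -I/usr/include/libev -I/usr/include/gnutls30"` in the EL6 branch: `%configure` only substitutes `%{optflags}` when CFLAGS is empty, and nothing visible in this `%build` section sets it beforehand, so exporting a non-empty CFLAGS here replaces the distribution's hardening flags (stack protector, FORTIFY_SOURCE and friends) with just the two include paths — at odds with the `%global _hardened_build 1` at the top of the file. Use `export CFLAGS="%{optflags} -I/usr/include/libev -I/usr/include/gnutls30"` so the include paths are added to, not substituted for, the standard flags. The `echo "int main() { return 77; }" > tests/valid-hostname.c` line replaces a test with an unconditional skip; a one-line comment on why that test cannot run on EL6 would help the next maintainer.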
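Review bot: The `%if %{use_systemd}` / `%endif` added around `%post` and `%postun` (this hunk and the one after it) leaves the non-systemd build with no scriptlets at all, yet the `%install` section later installs the init script into `%{_initrddir}`; without a `chkconfig --add` the service is never registered, and without a `%preun` stop the daemon keeps running after the package is removed. Add an `%else` branch with the SysV equivalents before the new `%endif`, as sketched below; the systemd `%preun` sits between the two hunks and is not shown here.
```rpm-spec
%if %{use_systemd}
%post
%systemd_post ocserv.service
# … unchanged: systemd %preun / %postun scriptlets …
%else
%post
/sbin/chkconfig --add %{name}

%preun
if [ $1 -eq 0 ]; then
    /sbin/service %{name} stop >/dev/null 2>&1 || :
    /sbin/chkconfig --del %{name}
fi
%endif
```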
@@ -126,14 +176,29 @@ mkdir -p %{buildroot}/%{_sysconfdir}/pam.d/ mkdir -p %{buildroot}/%{_sysconfdir}/ocserv/ install -p -m 644 %{SOURCE5} %{buildroot}/%{_sysconfdir}/pam.d/ocserv install -p -m 644 %{SOURCE3} %{buildroot}/%{_sysconfdir}/ocserv/ -mkdir -p %{buildroot}/%{_unitdir} -install -p -m 644 %{SOURCE4} %{buildroot}/%{_unitdir} mkdir -p %{buildroot}%{_localstatedir}/lib/ocserv/ install -p -m 644 doc/profile.xml %{buildroot}%{_localstatedir}/lib/ocserv/ mkdir -p %{buildroot}/%{_sbindir} install -p -m 755 %{SOURCE8} %{buildroot}/%{_sbindir} mkdir -p %{buildroot}/%{_bindir} install -p -m 755 %{SOURCE9} %{buildroot}/%{_bindir} + +%if 0%{?rhel} +sed -i 's|expiration_days=-1|expiration_days=9999|' %{buildroot}/%{_sbindir}/ocserv-genkey +sed -i 's|tls-priorities = "@SYSTEM"|tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0"|' %{buildroot}/%{_sysconfdir}/ocserv/ocserv.conf +%if 0%{?rhel} <= 6 +sed -i 's|isolate-workers = true|isolate-workers = false|' %{buildroot}/%{_sysconfdir}/ocserv/ocserv.conf +%endif +%endif + +%if %{use_systemd} +mkdir -p %{buildroot}/%{_unitdir} +install -p -m 644 %{SOURCE4} %{buildroot}/%{_unitdir} +%else +mkdir -p %{buildroot}/%{_initrddir} +install -D -m 0755 %{SOURCE11} %{buildroot}/%{_initrddir}/%{name} +%endif + %make_install %clean @@ -159,10 +224,17 @@ rm -rf %{buildroot} %{_bindir}/ocserv-script %{_sbindir}/ocserv %{_sbindir}/ocserv-genkey -%{_unitdir}/ocserv.service %{_localstatedir}/lib/ocserv/profile.xml +%if %{use_systemd} +%{_unitdir}/ocserv.service +%else +%{_initrddir}/%{name} +%endif %changelog +* Wed May 03 2017 Nikos Mavrogiannopoulos - 0.11.8-1 +- Update to upstream 0.11.8 release + * Mon Feb 13 2017 Nikos Mavrogiannopoulos - 0.11.7-1 - Update to upstream 0.11.7 release diff --git a/sources b/sources index 907a2bb..348aa08 100644 --- a/sources +++ b/sources 
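Review bot: The three `sed -i` rewrites of `ocserv-genkey` and `ocserv.conf` in the `%if 0%{?rhel}` block succeed silently when their pattern is absent, so if an upstream release renames or reformats `tls-priorities` or `isolate-workers` the RHEL package quietly ships the unmodified default with no build failure. Guard each one, e.g. `grep -q '^isolate-workers = true' %{buildroot}/%{_sysconfdir}/ocserv/ocserv.conf` before the sed (or verify the result after it). Setting `isolate-workers = false` on EL6 also turns off the per-worker sandbox, presumably because libseccomp is only listed as a BuildRequires for newer targets; a comment in the spec recording that reason would help whoever revisits the conditional.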
@@ -1,10 +1,11 @@ +SHA512 (ocserv.init) = 7c3256dd0f7d5882c4e126c95209084e2476f7d8d142af137f46c5987364982eb88044bfa5d587ebc397ebd379edb40f22e5c97c0276764be982a27715a9c601 SHA512 (gpgkey-56EE7FA9E8173B19FE86268D763712747F343FA7.gpg) = c664fd9999cbf9912eeea88ee3a2c356df3f70813a664bb7a7f592be258c12bdeb9e99e4aa9a368c1f123ee449eb08e288d1dc3dcf81e849a958ece6eab82d67 SHA512 (ocserv-script) = 6d77ebe95d23469d96b45b1ac8de7a062cb1360febd0f9664b42debf0494891a522e3da8feec53d22b84e39ad349a1824b7ecd6b6b8f0790edf75aed1087e2d0 -SHA512 (ocserv-genkey) = c02a25a5504e2bd514c6e6944651960a3cc9bf2ef0a4509744f99d61421feace1f8e440c4d336652efd7349465d1a707cd3a370ff6102ef5096d709b34099a86 +SHA512 (ocserv-genkey) = e898144fd977e4c57c4a9a5480b38f6a166c0281c41500c3fa9b7e142197c4525d3fb90846a738e38d217116dc33c2ba5c16ec3e11de0dbf4d834e204c598eac SHA512 (PACKAGE-LICENSING) = eea2a2a4765c90d874c79bb72d754c8b26b58d5e5b3c3cee10c24754fbba6849fd91f7b28e380b5db9789a456f95fc94b3bd8fe8c160a98c8042f404479ecb68 SHA512 (ocserv-pamd.conf) = 3a75f19d89ddd164f3faa9c3579c7f675fc58413a194f43ec28eee7ebced6fee3f4ca305fe9b0ddf76ae39cd669e8d3d63b58afbbf19b84e4ca646ae7f42d61a SHA512 (ocserv.service) = 264f3389d88aec1f7d2e4683a4dfc0aa67af2325154de822eecf5fb43f8c221aab0d9f0c6a8eedb893e6d69ed4d94c9397b01e5d0d12e88330017a3bfa5f3644 SHA512 (ocserv.conf) = 0a48d394dba183528c1e92df2a8b844a4d7d419244b1c08883f79c8b48843986e786ea4d48478ed4e8d57fd56626bf962dbcf6c76b5839ba5ab5fac8b089c44c SHA512 (gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg) = 7eccc70fb763cf8a6525228230c1f537224809cf553efb3ad6bc88ad96f01122c30a5cd9d8328fa3a97b242d59e00bc9966589a24b1e65dd4a27eb71393f097c -SHA512 (ocserv-0.11.7.tar.xz.sig) = fd4af775842cff6817adaf4a641b180d3be3b55e3b64a026977fd6f328ddc5f7070f4c91cdce7e83eb8c3b078a5c1dc7780cfe40c5322abef61ca7fc408fbb2c -SHA512 (ocserv-0.11.7.tar.xz) = a563725bd8753186ece80c91a237a2940071047bb32d1990e2ee122a32ad0468b78a7f35d422dcc9b968a8c56358992842d00958dbf9d743632a03623dd2f5cf +SHA512 
(ocserv-0.11.8.tar.xz.sig) = 5551591abc54dfc053125c356095138aaecec6c3255cd125bd38e17350a257bc822094c270d5b3bb329afd4a9e37f355d3d16db16b4db804e15b8c5959321214 +SHA512 (ocserv-0.11.8.tar.xz) = cea5ef084a15de1e16c0d55f418f454f32c77e4303246f3d11e71ddbc7dbea028282b8200b59a49f5509e786970749b0a9795262639209924bbaa1d619c5c25c From 8c7b340f2dd54dde6423c5582c0d68398ced1f1f Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Thu, 27 Jul 2017 01:33:44 +0000 Subject: [PATCH 094/177] - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild --- ocserv.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/ocserv.spec b/ocserv.spec index 687f8ab..62e5760 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -1,6 +1,6 @@ # This spec file has been automatically updated Version: 0.11.8 -Release: 1%{?dist} +Release: 2%{?dist} %global _hardened_build 1 %if 0%{?fedora} || 0%{?rhel} >= 7 @@ -232,6 +232,9 @@ rm -rf %{buildroot} %endif %changelog +* Thu Jul 27 2017 Fedora Release Engineering - 0.11.8-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + * Wed May 03 2017 Nikos Mavrogiannopoulos - 0.11.8-1 - Update to upstream 0.11.8 release From f855e9af5f0268dc83365ebb9d34a1e5b73dc374 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Thu, 3 Aug 2017 04:22:01 +0000 Subject: [PATCH 095/177] - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild --- ocserv.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/ocserv.spec b/ocserv.spec index 62e5760..b2766aa 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -1,6 +1,6 @@ # This spec file has been automatically updated Version: 0.11.8 -Release: 2%{?dist} +Release: 3%{?dist} %global _hardened_build 1 %if 0%{?fedora} || 0%{?rhel} >= 7 
@@ -232,6 +232,9 @@ rm -rf %{buildroot} %endif %changelog +* Thu Aug 03 2017 Fedora Release Engineering - 0.11.8-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + * Thu Jul 27 2017 Fedora Release Engineering - 0.11.8-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild From afb369ee55a7c5939d8e3b79fe79f94e7a99193d Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Tue, 10 Oct 2017 13:13:21 +0200 Subject: [PATCH 096/177] Update to 0.11.9-1 - Update to upstream 0.11.9 release --- .gitignore | 11 +++++++++++ ocserv.spec | 7 +++++-- sources | 4 ++-- 3 files changed, 18 insertions(+), 4 deletions(-) diff --git a/.gitignore b/.gitignore index 333d3bb..5ca14e7 100644 --- a/.gitignore +++ b/.gitignore @@ -71,3 +71,14 @@ /gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg /ocserv-0.11.8.tar.xz.sig /ocserv-0.11.8.tar.xz +/ocserv.init +/gpgkey-56EE7FA9E8173B19FE86268D763712747F343FA7.gpg +/ocserv-script +/ocserv-genkey +/PACKAGE-LICENSING +/ocserv-pamd.conf +/ocserv.service +/ocserv.conf +/gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg +/ocserv-0.11.9.tar.xz.sig +/ocserv-0.11.9.tar.xz diff --git a/ocserv.spec b/ocserv.spec index b2766aa..f6dae2d 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -1,6 +1,6 @@ # This spec file has been automatically updated -Version: 0.11.8 -Release: 3%{?dist} +Version: 0.11.9 +Release: 1%{?dist} %global _hardened_build 1 %if 0%{?fedora} || 0%{?rhel} >= 7 @@ -232,6 +232,9 @@ rm -rf %{buildroot} %endif %changelog +* Tue Oct 10 2017 Nikos Mavrogiannopoulos - 0.11.9-1 +- Update to upstream 0.11.9 release + * Thu Aug 03 2017 Fedora Release Engineering - 0.11.8-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild diff --git a/sources b/sources index 348aa08..dadd5d3 100644 --- a/sources +++ b/sources 
@@ -7,5 +7,5 @@ SHA512 (ocserv-pamd.conf) = 3a75f19d89ddd164f3faa9c3579c7f675fc58413a194f43ec28e SHA512 (ocserv.service) = 264f3389d88aec1f7d2e4683a4dfc0aa67af2325154de822eecf5fb43f8c221aab0d9f0c6a8eedb893e6d69ed4d94c9397b01e5d0d12e88330017a3bfa5f3644 SHA512 (ocserv.conf) = 0a48d394dba183528c1e92df2a8b844a4d7d419244b1c08883f79c8b48843986e786ea4d48478ed4e8d57fd56626bf962dbcf6c76b5839ba5ab5fac8b089c44c SHA512 (gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg) = 7eccc70fb763cf8a6525228230c1f537224809cf553efb3ad6bc88ad96f01122c30a5cd9d8328fa3a97b242d59e00bc9966589a24b1e65dd4a27eb71393f097c -SHA512 (ocserv-0.11.8.tar.xz.sig) = 5551591abc54dfc053125c356095138aaecec6c3255cd125bd38e17350a257bc822094c270d5b3bb329afd4a9e37f355d3d16db16b4db804e15b8c5959321214 -SHA512 (ocserv-0.11.8.tar.xz) = cea5ef084a15de1e16c0d55f418f454f32c77e4303246f3d11e71ddbc7dbea028282b8200b59a49f5509e786970749b0a9795262639209924bbaa1d619c5c25c +SHA512 (ocserv-0.11.9.tar.xz.sig) = 10fb1a9b80e92ce0aafc79af647fe16e61eafc20e3d6846d74cd357826f3d0217ab57c4e9e6efe8ba2ea7b665224e863caef2c5567c512c6403bbf99a3dd321d +SHA512 (ocserv-0.11.9.tar.xz) = e497dfbb55e83874d55238162b0c4340db0a9c6ac2223cfd905923b59ebfd2fba0f998c1a60e9492be2d1e4434c66c960c3619968b47efc8464420f2e9319067 From 4197da7e800100e9726fb47251e402146cdf525b Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Thu, 16 Nov 2017 08:54:10 +0100 Subject: [PATCH 097/177] do not enable libwrap --- ocserv.spec | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/ocserv.spec b/ocserv.spec index f6dae2d..790a9a3 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -1,6 +1,6 @@ # This spec file has been automatically updated Version: 0.11.9 -Release: 1%{?dist} +Release: 2%{?dist} %global _hardened_build 1 %if 0%{?fedora} || 0%{?rhel} >= 7 @@ -141,7 +141,8 @@ autoreconf -fvi --enable-local-libopts %else %configure \ - --enable-systemd + --enable-systemd \ + --without-libwrap %endif make #%{?_smp_mflags} 
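Review bot: In the `@@ -141,7 +141,8 @@` hunk `--without-libwrap` is passed only in the non-EL6 `%configure` branch; the EL6 branch just above it (the one ending in `--enable-local-libopts`) is untouched, so configure still autodetects libwrap there and the two branches now build different feature sets with no stated reason. Passing the same flag in both branches, or a comment on the `%else` such as `# EL6 keeps libwrap support on purpose`, would make the intent explicit. The `BuildRequires: tcp_wrappers-devel` line is outside this hunk and, judging from its appearance as unchanged context in a later commit on this page, stays unconditional here, so the header is still required for a feature this commit disables.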
@@ -232,6 +233,9 @@ rm -rf %{buildroot} %endif %changelog +* Thu Nov 16 2017 Nikos Mavrogiannopoulos - 0.11.9-2 +- Do not enable libwrap + * Tue Oct 10 2017 Nikos Mavrogiannopoulos - 0.11.9-1 - Update to upstream 0.11.9 release From f65600d86fcc3ecc9cbe289bd77de4c1ff250ef9 Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Tue, 21 Nov 2017 11:22:29 +0100 Subject: [PATCH 098/177] Update to 0.11.9-3 - Update to upstream 0.11.9 release --- .gitignore | 11 +++++++++++ ocserv.spec | 33 +++++++++++++++++++++++++++++---- 2 files changed, 40 insertions(+), 4 deletions(-) diff --git a/.gitignore b/.gitignore index 5ca14e7..75a2b6c 100644 --- a/.gitignore +++ b/.gitignore @@ -82,3 +82,14 @@ /gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg /ocserv-0.11.9.tar.xz.sig /ocserv-0.11.9.tar.xz +/ocserv.init +/gpgkey-56EE7FA9E8173B19FE86268D763712747F343FA7.gpg +/ocserv-script +/ocserv-genkey +/PACKAGE-LICENSING +/ocserv-pamd.conf +/ocserv.service +/ocserv.conf +/gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg +/ocserv-0.11.9.tar.xz.sig +/ocserv-0.11.9.tar.xz diff --git a/ocserv.spec b/ocserv.spec index 790a9a3..94af597 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -1,6 +1,6 @@ # This spec file has been automatically updated Version: 0.11.9 -Release: 2%{?dist} +Release: 3%{?dist} %global _hardened_build 1 %if 0%{?fedora} || 0%{?rhel} >= 7 @@ -11,6 +11,12 @@ Release: 2%{?dist} %define have_gpgv2 0 %endif +%if 0%{?fedora} >= 28 || 0%{?rhel} > 7 +%define use_libwrap 0 +%else +%define use_libwrap 1 +%endif + Name: ocserv Summary: OpenConnect SSL VPN server @@ -42,7 +48,15 @@ BuildRequires: gnutls-devel BuildRequires: pam-devel BuildRequires: iproute +%if 0%{?rhel} && 0%{?rhel} == 7 +%ifnarch ppc64 BuildRequires: protobuf-c-devel +%endif +%else + +BuildRequires: protobuf-c-devel +%endif + BuildRequires: libnl3-devel BuildRequires: krb5-devel BuildRequires: libtasn1-devel 
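Review bot: Dropping `protobuf-c-devel` for EL7/ppc64 in the `@@ -42,7 +48,15 @@` hunk has no counterpart elsewhere in this commit: `%prep` still runs `rm -rf src/protobuf/protobuf-c/` unconditionally (visible as context in the next commit on this page) and the `%configure` hunk that follows adds no `--without-protobuf`, so that architecture appears to end up with neither the system library nor the bundled copy. The `use_libwrap` hunk already models the right shape for such a switch; a `%define use_local_protobuf ...` that drives the BuildRequires, the `rm -rf` and the configure flag together keeps the three from drifting. The stray blank line after `%else` in the BuildRequires block can be dropped.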
@@ -136,12 +150,20 @@ export LIBGNUTLS_LIBS="-L%{_libdir}/gnutls30/ -lgnutls" export CFLAGS="$CFLAGS -I/usr/include/libev -I/usr/include/gnutls30" sed -i 's/AM_PROG_AR//g' configure.ac autoreconf -fvi +%endif + %configure \ +%if %{use_systemd} + --enable-systemd \ +%else --disable-systemd \ - --enable-local-libopts +%endif +%if 0%{?rhel} && 0%{?rhel} <= 6 + --enable-local-libopts \ +%endif +%if %{use_libwrap} + --with-libwrap %else -%configure \ - --enable-systemd \ --without-libwrap %endif @@ -233,6 +255,9 @@ rm -rf %{buildroot} %endif %changelog +* Tue Nov 21 2017 Nikos Mavrogiannopoulos - 0.11.9-3 +- Update to upstream 0.11.9 release + * Thu Nov 16 2017 Nikos Mavrogiannopoulos - 0.11.9-2 - Do not enable libwrap From 9b84d3301b67f88de962d971a17322ccc6fc0c96 Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Mon, 8 Jan 2018 13:33:03 +0100 Subject: [PATCH 099/177] Update to 0.11.10-1 - Update to upstream 0.11.10 release --- .gitignore | 11 +++++++++++ ocserv.spec | 28 +++++++++++++++++++--------- sources | 4 ++-- 3 files changed, 32 insertions(+), 11 deletions(-) diff --git a/.gitignore b/.gitignore index 75a2b6c..ed5bff9 100644 --- a/.gitignore +++ b/.gitignore @@ -93,3 +93,14 @@ /gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg /ocserv-0.11.9.tar.xz.sig /ocserv-0.11.9.tar.xz +/ocserv.init +/gpgkey-56EE7FA9E8173B19FE86268D763712747F343FA7.gpg +/ocserv-script +/ocserv-genkey +/PACKAGE-LICENSING +/ocserv-pamd.conf +/ocserv.service +/ocserv.conf +/gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg +/ocserv-0.11.10.tar.xz.sig +/ocserv-0.11.10.tar.xz diff --git a/ocserv.spec b/ocserv.spec index 94af597..f536113 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -1,6 +1,6 @@ # This spec file has been automatically updated -Version: 0.11.9 -Release: 3%{?dist} +Version: 0.11.10 +Release: 1%{?dist} %global _hardened_build 1 %if 0%{?fedora} || 0%{?rhel} >= 7 
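Review bot: Now that `%{use_libwrap}` selects `--with-libwrap`/`--without-libwrap`, the `BuildRequires: tcp_wrappers-devel` line is not guarded by the same macro (it sits outside this hunk and only receives its `%if %{use_libwrap}` guard in a later commit on this page), so Fedora 28+ builds still pull in a header for a feature they explicitly disable; wrapping it as `%if %{use_libwrap}` / `BuildRequires: tcp_wrappers-devel` / `%endif` belongs in this commit. The `%configure \` followed by `%if` lines depends on rpm resolving the conditionals before the shell joins the backslash continuations; a short comment above it, `# %if lines are resolved by rpm before the continuation lines are joined`, saves the next reader a double take. The changelog entry in the following hunk repeats the 0.11.9-1 text ("Update to upstream 0.11.9 release") although this release changes the libwrap and protobuf conditionals rather than the upstream version.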
@@ -17,6 +17,13 @@ Release: 3%{?dist} %define use_libwrap 1 %endif +%define use_local_protobuf 0 +%if 0%{?rhel} && 0%{?rhel} == 7 +%ifarch ppc64 +%define use_local_protobuf 1 +%endif +%endif + Name: ocserv Summary: OpenConnect SSL VPN server @@ -48,12 +55,7 @@ BuildRequires: gnutls-devel BuildRequires: pam-devel BuildRequires: iproute -%if 0%{?rhel} && 0%{?rhel} == 7 -%ifnarch ppc64 -BuildRequires: protobuf-c-devel -%endif -%else - +%if (0%{?use_local_protobuf} == 0) BuildRequires: protobuf-c-devel %endif @@ -125,7 +127,10 @@ gpgv2 --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0} || gpgv2 --keyring %{SOURCE10} %setup -q rm -f src/http-parser/http_parser.c src/http-parser/http_parser.h +%if (0%{?use_local_protobuf} == 0) rm -rf src/protobuf/protobuf-c/ +touch src/*.proto +%endif rm -rf src/ccan/talloc rm -f src/pcl/*.c src/pcl/*.h sed -i 's|/etc/ocserv.conf|/etc/ocserv/ocserv.conf|g' src/config.c @@ -133,7 +138,6 @@ sed -i 's/run-as-group = nogroup/run-as-group = nobody/g' tests/data/*.config # GPLv3 in headers is a gnulib bug: # http://lists.gnu.org/archive/html/bug-gnulib/2013-11/msg00062.html sed -i 's/either version 3 of the License/either version 2 of the License/g' build-aux/snippet/* -touch src/*.proto %if 0%{?rhel} && 0%{?rhel} <= 6 echo "int main() { return 77; }" > tests/valid-hostname.c @@ -161,6 +165,9 @@ autoreconf -fvi %if 0%{?rhel} && 0%{?rhel} <= 6 --enable-local-libopts \ %endif +%if %{use_local_protobuf} + --without-protobuf \ +%endif %if %{use_libwrap} --with-libwrap %else @@ -255,6 +262,9 @@ rm -rf %{buildroot} %endif %changelog +* Mon Jan 08 2018 Nikos Mavrogiannopoulos - 0.11.10-1 +- Update to upstream 0.11.10 release + * Tue Nov 21 2017 Nikos Mavrogiannopoulos - 0.11.9-3 - Update to upstream 0.11.9 release diff --git a/sources b/sources index dadd5d3..43899fc 100644 --- a/sources +++ b/sources 
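Review bot: `use_local_protobuf` is tested two different ways in this commit — `%if (0%{?use_local_protobuf} == 0)` in the BuildRequires and `%prep` hunks but `%if %{use_local_protobuf}` in the configure hunk; `%if 0%{?use_local_protobuf}` for the positive test keeps the spelling uniform and stays safe if the define is ever removed. The EL7/ppc64 `%define use_local_protobuf 1` says nothing about what is missing on that arch; a comment such as `# protobuf-c-devel is not shipped for EL7 ppc64 — TODO confirm` would record the reason. When the macro is set the `rm -rf src/protobuf/protobuf-c/` is skipped and the package carries a private protobuf-c that system security updates will not reach, which is worth declaring (`Provides: bundled(protobuf-c)`) so the bundled copy is tracked.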
@@ -7,5 +7,5 @@ SHA512 (ocserv-pamd.conf) = 3a75f19d89ddd164f3faa9c3579c7f675fc58413a194f43ec28e SHA512 (ocserv.service) = 264f3389d88aec1f7d2e4683a4dfc0aa67af2325154de822eecf5fb43f8c221aab0d9f0c6a8eedb893e6d69ed4d94c9397b01e5d0d12e88330017a3bfa5f3644 SHA512 (ocserv.conf) = 0a48d394dba183528c1e92df2a8b844a4d7d419244b1c08883f79c8b48843986e786ea4d48478ed4e8d57fd56626bf962dbcf6c76b5839ba5ab5fac8b089c44c SHA512 (gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg) = 7eccc70fb763cf8a6525228230c1f537224809cf553efb3ad6bc88ad96f01122c30a5cd9d8328fa3a97b242d59e00bc9966589a24b1e65dd4a27eb71393f097c -SHA512 (ocserv-0.11.9.tar.xz.sig) = 10fb1a9b80e92ce0aafc79af647fe16e61eafc20e3d6846d74cd357826f3d0217ab57c4e9e6efe8ba2ea7b665224e863caef2c5567c512c6403bbf99a3dd321d -SHA512 (ocserv-0.11.9.tar.xz) = e497dfbb55e83874d55238162b0c4340db0a9c6ac2223cfd905923b59ebfd2fba0f998c1a60e9492be2d1e4434c66c960c3619968b47efc8464420f2e9319067 +SHA512 (ocserv-0.11.10.tar.xz.sig) = d88f3e42595df6c3a13dc64cbcdcca2126f22be7143856b00b0c7620358f9d0e5c524019c11ff10549e74ef5eebb0613c25afd9f7244c6ab14fb70b8059188b8 +SHA512 (ocserv-0.11.10.tar.xz) = 40fe152adf4438ed390406ec46049ff3769208e1d48b40bc0f015d507902a6e81012a52dd4ddd867f56a6d50de1dfb8fa497dc3bb6ece3e666ca14df1d76c561 From 2aa5d4894213553235ab9b5920329e23b7456c5b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bj=C3=B6rn=20Esser?= Date: Sat, 20 Jan 2018 23:07:21 +0100 Subject: [PATCH 100/177] Rebuilt for switch to libxcrypt --- ocserv.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/ocserv.spec b/ocserv.spec index f536113..93f5a4d 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -1,6 +1,6 @@ # This spec file has been automatically updated Version: 0.11.10 -Release: 1%{?dist} +Release: 2%{?dist} %global _hardened_build 1 %if 0%{?fedora} || 0%{?rhel} >= 7 
@@ -262,6 +262,9 @@ rm -rf %{buildroot} %endif %changelog +* Sat Jan 20 2018 Björn Esser - 0.11.10-2 +- Rebuilt for switch to libxcrypt + * Mon Jan 08 2018 Nikos Mavrogiannopoulos - 0.11.10-1 - Update to upstream 0.11.10 release From c5e8e8678935b8c95a10e62a98d9b585bc77e218 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Thu, 8 Feb 2018 09:03:26 +0000 Subject: [PATCH 101/177] - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- ocserv.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/ocserv.spec b/ocserv.spec index 93f5a4d..ff47c89 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -1,6 +1,6 @@ # This spec file has been automatically updated Version: 0.11.10 -Release: 2%{?dist} +Release: 3%{?dist} %global _hardened_build 1 %if 0%{?fedora} || 0%{?rhel} >= 7 @@ -262,6 +262,9 @@ rm -rf %{buildroot} %endif %changelog +* Thu Feb 08 2018 Fedora Release Engineering - 0.11.10-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + * Sat Jan 20 2018 Björn Esser - 0.11.10-2 - Rebuilt for switch to libxcrypt From 294a8e96f6a14fefb8c3d2a905d10afc7506cce8 Mon Sep 17 00:00:00 2001 From: Igor Gnatenko Date: Tue, 13 Feb 2018 23:56:17 +0100 Subject: [PATCH 102/177] Remove BuildRoot definition None of currently supported distributions need that. It was needed last for EL5 which is EOL now Signed-off-by: Igor Gnatenko --- ocserv.spec | 1 - 1 file changed, 1 deletion(-) diff --git a/ocserv.spec b/ocserv.spec index ff47c89..e2c72d7 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -45,7 +45,6 @@ Source11: ocserv.init # Taken from upstream: # http://git.infradead.org/ocserv.git/commitdiff/7d70006a2dbddf783213f1856374bacc74217e09 -BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) %if 0%{?rhel} && 0%{?rhel} <= 6 BuildRequires: gnutls30-devel From d582cc66e84d03dab3579f61f6e936b2832a282f Mon Sep 17 00:00:00 2001 
From: Igor Gnatenko Date: Wed, 14 Feb 2018 07:23:36 +0100 Subject: [PATCH 103/177] Remove %clean section None of currently supported distributions need that. Last one was EL5 which is EOL for a while. Signed-off-by: Igor Gnatenko --- ocserv.spec | 3 --- 1 file changed, 3 deletions(-) diff --git a/ocserv.spec b/ocserv.spec index e2c72d7..e40f34b 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -230,9 +230,6 @@ install -D -m 0755 %{SOURCE11} %{buildroot}/%{_initrddir}/%{name} %make_install -%clean -rm -rf %{buildroot} - %files %defattr(-,root,root,-) From e193d435ca9b0393762db2df2162138f4c28eeea Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Mon, 5 Mar 2018 16:56:38 +0100 Subject: [PATCH 104/177] Update to 0.11.11-1 - Update to upstream 0.11.11 release --- .gitignore | 11 +++++++++++ ...42418905D8206AA754CCDC29EE58B996865171.gpg | Bin 56226 -> 58697 bytes ocserv.spec | 11 +++++++++-- sources | 6 +++--- 4 files changed, 23 insertions(+), 5 deletions(-) diff --git a/.gitignore b/.gitignore index ed5bff9..325d272 100644 --- a/.gitignore +++ b/.gitignore @@ -104,3 +104,14 @@ /gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg /ocserv-0.11.10.tar.xz.sig /ocserv-0.11.10.tar.xz +/ocserv.init +/gpgkey-56EE7FA9E8173B19FE86268D763712747F343FA7.gpg +/ocserv-script +/ocserv-genkey +/PACKAGE-LICENSING +/ocserv-pamd.conf +/ocserv.service +/ocserv.conf +/gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg +/ocserv-0.11.11.tar.xz.sig +/ocserv-0.11.11.tar.xz 
diff --git a/gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg b/gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg index 1f9a40cc96ea43f54ea9dc0f1873971a85535c2f..b1ee43c60379c783e5f3457c480d6a7ecc2447c5 100644 GIT binary patch delta 2201 zcmai!c{~%0AIGFw&m~CPK1&IdwEJkRr%`N7)EU|mEgMP-ZFkmY94 zkl^ERd1;%H=i1`~G?OmyuGEiHXHX5aLRG4EmHiWmT;`K8Z{Bb+{y4PdJ)eE*;CGgs z6nR6~N`nYA|p5#ilWx!s`lH~C96Qml8Wp3=nX>WYI zB>9j7fOd$g$jDdOw?hfa;kG_>MUvC^lu|aKsXc3)dNp6gE2pOC_<-lR^;2$Tp=j}h zFymZ-rc2lFwCwkZ4v*WdqdLt{Bv=S8(AiiVT~PaUCePpG`{pS2@9cf*?K{9m#h40f zZZ1B9@mN^(^rs5r=eZp)sf^xeyje?|l$Tf>odS}N-vqHRXZo*dt`GHj0luZ0JJ&P& z*!hNl47{)S0hJ>9cdla$r2U)N<+AcrdgG>X!8xUGXj3E*iU{NYyT%%?16cs|A7Xf~ z=2E63f<%Y-Lmh<)<^gbt)<8HrEKMOaH-At^y5wbRp6ji4(0!&V1kdqV+qWV{Rs25H z`2)BhyS$WS`f~J|otjDvTBopKR%Ol8ia={fCCl8}x1Z$WQo+gW!nr#|`AHphOni?q zbQlr-m4MQ~%DNc12|PwF!MseU3`PFV6BPV#DuOag3xHVHd{plz+J@8gLb&|)bl7KC z1vq;Bo0;U2iCUxn*k3Hv%$yFgIt zZRI<6CZSN1zFt%o{3Ug??3u9_Mx{$jopE;+1^Z}x0uF~K%`zMg69GIx05Bc&?bmKu z0CECSU7$fMvzCfZNMpoWo1_02QmHSWBaYqs?{0oKt zLS0Up+$#5RRS^3N5mRDTsk;G%e!o!w8!Pvp3rg!I^N(|hN)8|}cK*o0N{_Ft=(Oat zmlP!?4}T46m$E6ux5FwfMZm?D_#1W-aV<3XR#dHfOdJmHE5#g{!P2b z0;#EyDArz7j;JGwVtRjWErNHLt^9MtT;_Zucc0hU(}^pYhCga_mc3^xq7a^A37APY zlze9uyt<@0U|Hx@3;ahnlM@LkbQ+Q!lwTqpt0n=Ag2kU?6ecXxL*G19qV@};*_cwZ z9l&=s7le`%=j8<_oNa(gYO4>%h<1p)EO!1_c&IWiOLyMa3dBa$_x22)Bt9Uh(sI<357JZ5zB8evT%%r^i#wX05OWT^B3WdBsnvvbZ&3DSWZaaPvgQsOZktPTpXb0kg^3KnW>k{F?ZN1aHQx?kGPC| zypw^;tMTgtp4+eksW7NO4(p9Ew(Qks1&U*;$Dc+V>8a94#s=~pwd${#BT3YLoiGR{ zJ0s#K_VkP%K6pIib^65LR~UM@@apZ!CmqTb_HN#@d!bGP9cYnbYo;h}dy!{SjH8O4 zuUpcbvah%{EG6lAEbt&Ng}2Q#AC24(harkx3$)W8R{Hj*s9VIev|N~ymu zJ|?YzYY$W{>&b)8YQ&80?~y2{Pi&EEQ+rh5eui2yb4V9+0|#w3edi_*^q(Drg_Aw1 zN93ZTd=6#J`5I{=%KBY|Lh86IJhC9d$$-=FOYQCcWt5p z@7Y=|aK&s)g-`e$DwbK2_3%-gGBPdHP~-$#3VvZ@6)c`siZA;%;DpMY^OEY5R{wx* zH)mZLil3}o&GH*0n6lcb4A`P2m6Y)*Nm!RiR+X^1T zY=Pjqc>#33*acif)`ZR|ai|}2(f{Ix=`=TLQuYW-mZ}olr>&J^^WPHqNlU_*w9TqB z>|&}vyQ#vqDB`Nfcv-po*>V=cq)EFBFDcP!gQG+Hez6V;wE0HL#+iy{cE-C}-PcSD 
zT9MuYuC_l|IUsRZ>+6Pno0cYxlPNr$MVa=0p{uV<>@z7>m8n!BZIbytyPv&^;(ZXc zcDCfHT&X8XiskZP_a*@nF`%y)GjM=LC(!bZ1*xd zYxovZ=01D4HtNp(76P#2{|do`4I~QrErkEx`;QRJS0Um`QOddo5owE9tQy&GI{H^# zS%Kk~tPa>VKEInp$;meD(EW&h=%XEkn9~DZiLJ2y)OQ|49%ZIa7c2$M;!L>pvl`Q9 za>^7%-#_5K(N=2XsrN4IQAa6T&1$_#ai^c^|D5nfoM{guTzgxyOU3}Q*UWV;y2Q@{ z>&b`1vkMA0Esl4Ayj8DX(josslq!<1Ks4ez=kluYIphq0ZayIwHlh3qkT3aOq5k z*gS0gDLJNK7xCd9-PQ$JGkDppj}1n(00x;#Cs%9GK6-A@mPHII-dn#EC-h{!QWLFj zVGJ3(HnDoof+E~LGSLN!BO-`cBSy$AubH2w)!Mg9oB=P)b?N0-_qfLd;qW=I7JHJ7 zQ`?M-*7*m4!N*$?TG~OX+c}U% zo#YgLRxnbkP&}Gn$|9kludslbHBT`Okmc-Sy&Bi`S$PPMfGZBRofgl71d?VBj|2}t NHP}L{11QR2{{nR^3U&Yh delta 14 WcmX?kih0p?<_*toY~FZ#4-)`B(Fk4u diff --git a/ocserv.spec b/ocserv.spec index e40f34b..eac0ae1 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -1,6 +1,6 @@ # This spec file has been automatically updated -Version: 0.11.10 -Release: 3%{?dist} +Version: 0.11.11 +Release: 1%{?dist} %global _hardened_build 1 %if 0%{?fedora} || 0%{?rhel} >= 7 @@ -66,7 +66,9 @@ BuildRequires: pcllib-devel BuildRequires: libtalloc-devel BuildRequires: libev-devel BuildRequires: http-parser-devel +%if %{use_libwrap} BuildRequires: tcp_wrappers-devel +%endif BuildRequires: automake, autoconf BuildRequires: radcli-devel BuildRequires: lz4-devel @@ -81,6 +83,7 @@ BuildRequires: autogen BuildRequires: liboath-devel BuildRequires: uid_wrapper BuildRequires: socket_wrapper +BuildRequires: gnupg2 %if 0%{?rhel} && 0%{?rhel} >= 7 %ifarch x86_64 %{ix86} @@ -137,6 +140,7 @@ sed -i 's/run-as-group = nogroup/run-as-group = nobody/g' tests/data/*.config # GPLv3 in headers is a gnulib bug: # http://lists.gnu.org/archive/html/bug-gnulib/2013-11/msg00062.html sed -i 's/either version 3 of the License/either version 2 of the License/g' build-aux/snippet/* +sed -i 's/exit 1/exit 77/g' tests/ocpasswd-test %if 0%{?rhel} && 0%{?rhel} <= 6 echo "int main() { return 77; }" > tests/valid-hostname.c 
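Review bot: `sed -i 's/exit 1/exit 77/g' tests/ocpasswd-test` in the `@@ -137,6 +140,7 @@` hunk converts every failure exit of that test into a skip, so a genuine ocpasswd regression no longer fails `%check`; if one known case breaks in the build environment, a targeted patch or a guarded `exit 77` for that case is safer, and at minimum a comment such as `# ocpasswd-test reports skip instead of failure because ... — TODO state the reason` should accompany the rewrite. The new `BuildRequires: gnupg2` lands in a block that, from context shown in a later hunk on this page, appears to be opened by `%if %{use_systemd}`, whereas the `gpgv2` invocation in `%prep` is guarded by `%{have_gpgv2}`; guarding the BuildRequires with `%if %{have_gpgv2}` ties the tool to the code that needs it.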
@@ -258,6 +262,9 @@ install -D -m 0755 %{SOURCE11} %{buildroot}/%{_initrddir}/%{name} %endif %changelog +* Mon Mar 05 2018 Nikos Mavrogiannopoulos - 0.11.11-1 +- Update to upstream 0.11.11 release + * Thu Feb 08 2018 Fedora Release Engineering - 0.11.10-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild diff --git a/sources b/sources index 43899fc..2f7f48b 100644 --- a/sources +++ b/sources 
@@ -6,6 +6,6 @@ SHA512 (PACKAGE-LICENSING) = eea2a2a4765c90d874c79bb72d754c8b26b58d5e5b3c3cee10c SHA512 (ocserv-pamd.conf) = 3a75f19d89ddd164f3faa9c3579c7f675fc58413a194f43ec28eee7ebced6fee3f4ca305fe9b0ddf76ae39cd669e8d3d63b58afbbf19b84e4ca646ae7f42d61a SHA512 (ocserv.service) = 264f3389d88aec1f7d2e4683a4dfc0aa67af2325154de822eecf5fb43f8c221aab0d9f0c6a8eedb893e6d69ed4d94c9397b01e5d0d12e88330017a3bfa5f3644 SHA512 (ocserv.conf) = 0a48d394dba183528c1e92df2a8b844a4d7d419244b1c08883f79c8b48843986e786ea4d48478ed4e8d57fd56626bf962dbcf6c76b5839ba5ab5fac8b089c44c -SHA512 (gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg) = 7eccc70fb763cf8a6525228230c1f537224809cf553efb3ad6bc88ad96f01122c30a5cd9d8328fa3a97b242d59e00bc9966589a24b1e65dd4a27eb71393f097c -SHA512 (ocserv-0.11.10.tar.xz.sig) = d88f3e42595df6c3a13dc64cbcdcca2126f22be7143856b00b0c7620358f9d0e5c524019c11ff10549e74ef5eebb0613c25afd9f7244c6ab14fb70b8059188b8 -SHA512 (ocserv-0.11.10.tar.xz) = 40fe152adf4438ed390406ec46049ff3769208e1d48b40bc0f015d507902a6e81012a52dd4ddd867f56a6d50de1dfb8fa497dc3bb6ece3e666ca14df1d76c561 +SHA512 (gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg) = 3b1989dc6a64d1140f83a2af0773da2adb03c50d97b6da7357cf09525050651aafa21131f1e3180baa540a8af922119a256f5ff5bcd6602996a806e8e1816bad +SHA512 (ocserv-0.11.11.tar.xz.sig) = 7a1521f94d48d7aafb66e6c544eb2e1c5a08d02441acc5f57876faaa984ad203f0395da37e602ad5539f54aa0ce1ff5da7389254028f6b811a9e01d6f86b1e84 +SHA512 (ocserv-0.11.11.tar.xz) = 1750e4ddd221913f82379ed34cf63f2ce858d73cfda0bcf60670a32bf2e8574a39f267c77abab78d2cf9a563a816d975e1a07b85c5e2412bd6d009850c8c262d From dc565f4e83076ee38dd0893fa304a3384bf8fa49 Mon Sep 17 00:00:00 2001 
From: Nikos Mavrogiannopoulos Date: Thu, 12 Apr 2018 16:37:32 +0200 Subject: [PATCH 105/177] Update to 0.11.11-2 - Update to upstream 0.11.11 release - include crypt.h to use crypt() --- .gitignore | 11 +++++++ ocserv-0.11.11-crypt.patch | 65 ++++++++++++++++++++++++++++++++++++++ ocserv.spec | 7 +++- 3 files changed, 82 insertions(+), 1 deletion(-) create mode 100644 ocserv-0.11.11-crypt.patch diff --git a/.gitignore b/.gitignore index 325d272..3553425 100644 --- a/.gitignore +++ b/.gitignore @@ -115,3 +115,14 @@ /gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg /ocserv-0.11.11.tar.xz.sig /ocserv-0.11.11.tar.xz +/ocserv.init +/gpgkey-56EE7FA9E8173B19FE86268D763712747F343FA7.gpg +/ocserv-script +/ocserv-genkey +/PACKAGE-LICENSING +/ocserv-pamd.conf +/ocserv.service +/ocserv.conf +/gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg +/ocserv-0.11.11.tar.xz.sig +/ocserv-0.11.11.tar.xz diff --git a/ocserv-0.11.11-crypt.patch b/ocserv-0.11.11-crypt.patch new file mode 100644 index 0000000..cec65e6 --- /dev/null +++ b/ocserv-0.11.11-crypt.patch 
@@ -0,0 +1,65 @@ +From cf9cda99a5caf8fabd547f25a962b96a46e13957 Mon Sep 17 00:00:00 2001 +From: Nikos Mavrogiannopoulos +Date: Thu, 12 Apr 2018 14:58:59 +0200 +Subject: [PATCH] include crypt.h to use crypt() + +This is necessary in Fedora28 as it doesn't provide +crypt() prototype in unistd.h + +https://bugzilla.redhat.com/show_bug.cgi?id=1566464 + +Signed-off-by: Nikos Mavrogiannopoulos +--- + configure.ac | 2 +- + src/auth/plain.c | 5 +++++ + src/ocpasswd/ocpasswd.c | 5 +++++ + 3 files changed, 11 insertions(+), 1 deletion(-) + +diff --git a/configure.ac b/configure.ac +index 71c27564..c03d8e7b 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -319,7 +319,7 @@ AC_CHECK_MEMBER([struct sockaddr.sa_len], + #include + ]) + +-AC_CHECK_HEADERS([net/if_tun.h linux/if_tun.h netinet/in_systm.h], [], [], []) ++AC_CHECK_HEADERS([net/if_tun.h linux/if_tun.h netinet/in_systm.h crypt.h], [], [], []) + + AC_CHECK_FUNCS([setproctitle vasprintf clock_gettime isatty pselect ppoll getpeereid sigaltstack]) + AC_CHECK_FUNCS([strlcpy posix_memalign malloc_trim strsep]) +diff --git a/src/auth/plain.c b/src/auth/plain.c +index 2052e07d..f9c7b1b1 100644 +--- a/src/auth/plain.c ++++ b/src/auth/plain.c +@@ -37,6 +37,11 @@ + #ifdef HAVE_LIBOATH + # include + #endif ++#ifdef HAVE_CRYPT_H ++ /* libcrypt in Fedora28 does not provide prototype ++ * in unistd.h */ ++# include ++#endif + + #define MAX_CPASS_SIZE 128 + #define HOTP_WINDOW 20 +diff --git a/src/ocpasswd/ocpasswd.c b/src/ocpasswd/ocpasswd.c +index de3b8396..abb66744 100644 +--- a/src/ocpasswd/ocpasswd.c ++++ b/src/ocpasswd/ocpasswd.c +@@ -32,6 +32,11 @@ + #include + #include + #include "ocpasswd-args.h" ++#ifdef HAVE_CRYPT_H ++ /* libcrypt in Fedora28 does not provide prototype ++ * in unistd.h */ ++# include ++#endif + + /* Gnulib portability files. */ + #include +-- +2.14.3 + diff --git a/ocserv.spec b/ocserv.spec index eac0ae1..53982f9 100644 --- a/ocserv.spec +++ b/ocserv.spec 
@@ -1,6 +1,7 @@ # This spec file has been automatically updated Version: 0.11.11 -Release: 1%{?dist} +Release: 2%{?dist} +Patch1: ocserv-0.11.11-crypt.patch %global _hardened_build 1 %if 0%{?fedora} || 0%{?rhel} >= 7 @@ -262,6 +263,10 @@ install -D -m 0755 %{SOURCE11} %{buildroot}/%{_initrddir}/%{name} %endif %changelog +* Thu Apr 12 2018 Nikos Mavrogiannopoulos - 0.11.11-2 +- Update to upstream 0.11.11 release +- include crypt.h to use crypt() + * Mon Mar 05 2018 Nikos Mavrogiannopoulos - 0.11.11-1 - Update to upstream 0.11.11 release From 914a518ada555171c0e5fbda48a632eaf8c4bec5 Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Mon, 23 Apr 2018 11:20:16 +0200 Subject: [PATCH 106/177] Update to 0.12.0-1 - Update to upstream 0.12.0 release --- .gitignore | 11 +++++ ocserv-0.11.11-crypt.patch | 65 ---------------------------- ocserv-0.12.0-add-missing-test.patch | 46 ++++++++++++++++++++ ocserv.conf | 27 +++++++++--- ocserv.spec | 31 +++++++------ sources | 6 +-- 6 files changed, 97 insertions(+), 89 deletions(-) delete mode 100644 ocserv-0.11.11-crypt.patch create mode 100644 ocserv-0.12.0-add-missing-test.patch diff --git a/.gitignore b/.gitignore index 3553425..d09b5eb 100644 --- a/.gitignore +++ b/.gitignore @@ -126,3 +126,14 @@ /gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg /ocserv-0.11.11.tar.xz.sig /ocserv-0.11.11.tar.xz +/ocserv.init +/gpgkey-56EE7FA9E8173B19FE86268D763712747F343FA7.gpg +/ocserv-script +/ocserv-genkey +/PACKAGE-LICENSING +/ocserv-pamd.conf +/ocserv.service +/ocserv.conf +/gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg +/ocserv-0.12.0.tar.xz.sig +/ocserv-0.12.0.tar.xz diff --git a/ocserv-0.11.11-crypt.patch b/ocserv-0.11.11-crypt.patch deleted file mode 100644 index cec65e6..0000000 --- a/ocserv-0.11.11-crypt.patch +++ /dev/null 
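Review bot: `Patch1: ocserv-0.11.11-crypt.patch` is declared, but nothing visible applies it: `%prep` still uses a bare `%setup -q` (seen as context in the earlier `@@ -125,7 +127,10 @@` hunk on this page) and no `%patch1` line is added, so the changelog's "include crypt.h to use crypt()" presumably does not reach the built binaries unless a `%patch` line exists outside the visible hunks. Adding `%patch1 -p1` after `%setup -q`, or switching to `%autosetup -p1`, is the one-line fix. The `Patch1:` tag is also placed between `Release:` and `%global _hardened_build`, ahead of `Name:`; it works, but the conventional place is alongside the `Source` tags.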
@@ -1,65 +0,0 @@ -From cf9cda99a5caf8fabd547f25a962b96a46e13957 Mon Sep 17 00:00:00 2001 -From: Nikos Mavrogiannopoulos -Date: Thu, 12 Apr 2018 14:58:59 +0200 -Subject: [PATCH] include crypt.h to use crypt() - -This is necessary in Fedora28 as it doesn't provide -crypt() prototype in unistd.h - -https://bugzilla.redhat.com/show_bug.cgi?id=1566464 - -Signed-off-by: Nikos Mavrogiannopoulos ---- - configure.ac | 2 +- - src/auth/plain.c | 5 +++++ - src/ocpasswd/ocpasswd.c | 5 +++++ - 3 files changed, 11 insertions(+), 1 deletion(-) - -diff --git a/configure.ac b/configure.ac -index 71c27564..c03d8e7b 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -319,7 +319,7 @@ AC_CHECK_MEMBER([struct sockaddr.sa_len], - #include - ]) - --AC_CHECK_HEADERS([net/if_tun.h linux/if_tun.h netinet/in_systm.h], [], [], []) -+AC_CHECK_HEADERS([net/if_tun.h linux/if_tun.h netinet/in_systm.h crypt.h], [], [], []) - - AC_CHECK_FUNCS([setproctitle vasprintf clock_gettime isatty pselect ppoll getpeereid sigaltstack]) - AC_CHECK_FUNCS([strlcpy posix_memalign malloc_trim strsep]) -diff --git a/src/auth/plain.c b/src/auth/plain.c -index 2052e07d..f9c7b1b1 100644 ---- a/src/auth/plain.c -+++ b/src/auth/plain.c -@@ -37,6 +37,11 @@ - #ifdef HAVE_LIBOATH - # include - #endif -+#ifdef HAVE_CRYPT_H -+ /* libcrypt in Fedora28 does not provide prototype -+ * in unistd.h */ -+# include -+#endif - - #define MAX_CPASS_SIZE 128 - #define HOTP_WINDOW 20 -diff --git a/src/ocpasswd/ocpasswd.c b/src/ocpasswd/ocpasswd.c -index de3b8396..abb66744 100644 ---- a/src/ocpasswd/ocpasswd.c -+++ b/src/ocpasswd/ocpasswd.c -@@ -32,6 +32,11 @@ - #include - #include - #include "ocpasswd-args.h" -+#ifdef HAVE_CRYPT_H -+ /* libcrypt in Fedora28 does not provide prototype -+ * in unistd.h */ -+# include -+#endif - - /* Gnulib portability files. */ - #include --- -2.14.3 - diff --git a/ocserv-0.12.0-add-missing-test.patch b/ocserv-0.12.0-add-missing-test.patch new file mode 100644 index 0000000..91e1f6b --- /dev/null 
+++ b/ocserv-0.12.0-add-missing-test.patch @@ -0,0 +1,46 @@ +diff --git a/tests/server-cert-rsa-pss b/tests/server-cert-rsa-pss +new file mode 100755 +index 0000000..be3d098 +--- /dev/null ++++ b/tests/server-cert-rsa-pss +@@ -0,0 +1,40 @@ ++#!/bin/sh ++# ++# Copyright (C) 2017 Red Hat, Inc. ++# ++# This file is part of ocserv. ++# ++# ocserv is free software; you can redistribute it and/or modify it ++# under the terms of the GNU General Public License as published by the ++# Free Software Foundation; either version 2 of the License, or (at ++# your option) any later version. ++# ++# ocserv is distributed in the hope that it will be useful, but ++# WITHOUT ANY WARRANTY; without even the implied warranty of ++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++# General Public License for more details. ++# ++# You should have received a copy of the GNU General Public License ++# along with GnuTLS; if not, write to the Free Software Foundation, ++# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. ++ ++SERV="${SERV:-../src/ocserv}" ++srcdir=${srcdir:-.} ++NO_NEED_ROOT=1 ++PORT=4444 ++ ++. `dirname $0`/common.sh ++ ++echo "Testing server cert with RSA-PSS... " ++ ++update_config test-rsa-pss.config ++launch_sr_server -d 1 -f -c ${CONFIG} & PID=$! ++wait_server $PID ++ ++echo "Connecting to obtain cookie... " ++( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=sha256:7462b697482f771a9a787bc19db00f704a1685ae09ed201b7a126b052a09522e --cookieonly ) || ++ fail $PID "Could not receive cookie from server" ++ ++cleanup ++ ++exit 0 diff --git a/ocserv.conf b/ocserv.conf index 96082b7..63ac7db 100644 --- a/ocserv.conf +++ b/ocserv.conf 
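Review bot: The license header of the new `tests/server-cert-rsa-pss` says "along with GnuTLS" while the same header states "This file is part of ocserv" — a copy-paste slip; `# along with ocserv; if not, write to the Free Software Foundation,` is the intended line. The `--servercert=sha256:...` pin ties the test to the exact certificate referenced by `test-rsa-pss.config`, so a comment next to it, `# fingerprint of the server certificate used by test-rsa-pss.config — regenerate both together`, keeps the pin and the certificate from drifting apart. `PORT=4444` is fixed, so two such tests running concurrently would collide unless `common.sh` (not visible here) reassigns it.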
@@ -1,12 +1,19 @@ -# User authentication method. Could be set multiple times and in -# that case all should succeed. To enable multiple methods use -# multiple auth directives. Available options: certificate, -# plain, pam, radius, gssapi. +### The following directives do not change with server reload. +# +# User authentication method. To require multiple methods to be +# used for the user to login, add multiple auth directives. The values +# in the 'auth' directive are AND composed (if multiple all must +# succeed). +# Available options: certificate, plain, pam, radius, gssapi. +# Note that authentication methods utilizing passwords cannot be +# combined (e.g., the plain, pam or radius methods). # -# Note that authentication methods cannot be changed with reload. - # certificate: # This indicates that all connecting users must present a certificate. +# The username and user group will be then extracted from it (see +# cert-user-oid and cert-group-oid). The certificate to be accepted +# it must be signed by the CA certificate as specified in 'ca-cert' and +# it must not be listed in the CRL, as specified by the 'crl' option. # # pam[gid-min=1000]: # This enabled PAM authentication of the user. The gid-min option is used @@ -44,7 +51,9 @@ auth = "pam" # Specify alternative authentication methods that are sufficient # for authentication. That is, if set, any of the methods enabled -# will be sufficient to login. +# will be sufficient to login, irrespective of the main 'auth' entries. +# When multiple options are present, they are OR composed (any of them +# succeeding allows login). #enable-auth = "certificate" #enable-auth = "gssapi" #enable-auth = "gssapi[keytab=/etc/key.tab,require-local-user-map=true,tgt-freshness-time=900]" 
@@ -176,6 +185,10 @@ try-mtu-discovery = false # # There may be multiple server-cert and server-key directives, # but each key should correspond to the preceding certificate. +# The certificate files will be reloaded when changed allowing for in-place +# certificate renewal (they are checked and reloaded periodically; +# a SIGHUP signal to main server will force reload). + server-cert = /etc/pki/ocserv/public/server.crt server-key = /etc/pki/ocserv/private/server.key diff --git a/ocserv.spec b/ocserv.spec index 53982f9..8744f34 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -1,7 +1,7 @@ # This spec file has been automatically updated -Version: 0.11.11 -Release: 2%{?dist} -Patch1: ocserv-0.11.11-crypt.patch +Version: 0.12.0 +Release: 1%{?dist} +Patch1: ocserv-0.12.0-add-missing-test.patch %global _hardened_build 1 %if 0%{?fedora} || 0%{?rhel} >= 7 @@ -20,9 +20,9 @@ Patch1: ocserv-0.11.11-crypt.patch %define use_local_protobuf 0 %if 0%{?rhel} && 0%{?rhel} == 7 -%ifarch ppc64 -%define use_local_protobuf 1 -%endif +#%ifarch ppc64 +#%define use_local_protobuf 1 +#%endif %endif Name: ocserv @@ -79,12 +79,11 @@ BuildRequires: GeoIP-devel %if %{use_systemd} BuildRequires: systemd BuildRequires: systemd-devel -BuildRequires: autogen-libopts-devel -BuildRequires: autogen BuildRequires: liboath-devel BuildRequires: uid_wrapper BuildRequires: socket_wrapper BuildRequires: gnupg2 +BuildRequires: rubygem(ronn) %if 0%{?rhel} && 0%{?rhel} >= 7 %ifarch x86_64 %{ix86} @@ -127,7 +126,12 @@ to provide the secure VPN service. %if %{have_gpgv2} gpgv2 --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0} || gpgv2 --keyring %{SOURCE10} %{SOURCE1} %{SOURCE0} %endif + +%if 0%{?rhel} && 0%{?rhel} <= 6 %setup -q +%else +%autosetup -p1 +%endif rm -f src/http-parser/http_parser.c src/http-parser/http_parser.h %if (0%{?use_local_protobuf} == 0) 
@@ -141,14 +145,13 @@ sed -i 's/run-as-group = nogroup/run-as-group = nobody/g' tests/data/*.config # GPLv3 in headers is a gnulib bug: # http://lists.gnu.org/archive/html/bug-gnulib/2013-11/msg00062.html sed -i 's/either version 3 of the License/either version 2 of the License/g' build-aux/snippet/* -sed -i 's/exit 1/exit 77/g' tests/ocpasswd-test %if 0%{?rhel} && 0%{?rhel} <= 6 echo "int main() { return 77; }" > tests/valid-hostname.c -%else -rm -f libopts/*.c libopts/*.h libopts/*/*.c libopts/*/*.h %endif +chmod 755 tests/server-cert-rsa-pss + %build %if 0%{?rhel} && 0%{?rhel} <= 6 @@ -166,9 +169,6 @@ autoreconf -fvi %else --disable-systemd \ %endif -%if 0%{?rhel} && 0%{?rhel} <= 6 - --enable-local-libopts \ -%endif %if %{use_local_protobuf} --without-protobuf \ %endif @@ -263,6 +263,9 @@ install -D -m 0755 %{SOURCE11} %{buildroot}/%{_initrddir}/%{name} %endif %changelog +* Mon Apr 23 2018 Nikos Mavrogiannopoulos - 0.12.0-1 +- Update to upstream 0.12.0 release + * Thu Apr 12 2018 Nikos Mavrogiannopoulos - 0.11.11-2 - Update to upstream 0.11.11 release - include crypt.h to use crypt() diff --git a/sources b/sources index 2f7f48b..db4b5fa 100644 --- a/sources +++ b/sources 
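Review bot: `chmod 755 tests/server-cert-rsa-pss` runs unconditionally, but on `0%{?rhel} <= 6` the `%setup -q` branch introduced in the previous hunk never applies Patch1, so the file does not exist there and `%prep` aborts on the failed chmod. Either guard it with the same `%if 0%{?rhel} && 0%{?rhel} <= 6 ... %else` test, or add `%patch1 -p1` to the EL6 branch so the test is present on both paths; if EL6 is no longer a build target, dropping that branch altogether would be simpler. The mode fix itself is presumably needed because the patch tool in the build environment does not honour the `new file mode 100755` header of the git-style patch; a one-line comment stating that would save the next maintainer from removing it as redundant.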
@@ -5,7 +5,7 @@ SHA512 (ocserv-genkey) = e898144fd977e4c57c4a9a5480b38f6a166c0281c41500c3fa9b7e1 SHA512 (PACKAGE-LICENSING) = eea2a2a4765c90d874c79bb72d754c8b26b58d5e5b3c3cee10c24754fbba6849fd91f7b28e380b5db9789a456f95fc94b3bd8fe8c160a98c8042f404479ecb68 SHA512 (ocserv-pamd.conf) = 3a75f19d89ddd164f3faa9c3579c7f675fc58413a194f43ec28eee7ebced6fee3f4ca305fe9b0ddf76ae39cd669e8d3d63b58afbbf19b84e4ca646ae7f42d61a SHA512 (ocserv.service) = 264f3389d88aec1f7d2e4683a4dfc0aa67af2325154de822eecf5fb43f8c221aab0d9f0c6a8eedb893e6d69ed4d94c9397b01e5d0d12e88330017a3bfa5f3644 -SHA512 (ocserv.conf) = 0a48d394dba183528c1e92df2a8b844a4d7d419244b1c08883f79c8b48843986e786ea4d48478ed4e8d57fd56626bf962dbcf6c76b5839ba5ab5fac8b089c44c +SHA512 (ocserv.conf) = 5b68a3547c6c69bf7c2b322692d6382162a587c47edad97690223c36f30ed98d3869d1ce063c630740d91888a4d70aadd657ddc6052c10e6e26800fca2e9d0c0 SHA512 (gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg) = 3b1989dc6a64d1140f83a2af0773da2adb03c50d97b6da7357cf09525050651aafa21131f1e3180baa540a8af922119a256f5ff5bcd6602996a806e8e1816bad -SHA512 (ocserv-0.11.11.tar.xz.sig) = 7a1521f94d48d7aafb66e6c544eb2e1c5a08d02441acc5f57876faaa984ad203f0395da37e602ad5539f54aa0ce1ff5da7389254028f6b811a9e01d6f86b1e84 -SHA512 (ocserv-0.11.11.tar.xz) = 1750e4ddd221913f82379ed34cf63f2ce858d73cfda0bcf60670a32bf2e8574a39f267c77abab78d2cf9a563a816d975e1a07b85c5e2412bd6d009850c8c262d +SHA512 (ocserv-0.12.0.tar.xz.sig) = a746e72ba07bf7d28104385a70ba4c685389353368d02383eb385aece19ccc9d51a86226371338dbe1737046e403b17e351a04ffa2674ca594bf9e467438b534 +SHA512 (ocserv-0.12.0.tar.xz) = 73e39a6073761a42cff7637fdc0748d969dc6ddd80635633487aa2627ae7234af772194cf27fdded9f08637b26d7ca9017555242ccdb6ade03897f9d4ca4de8d From d4859d253fa969f4cc85473af34a2ec5f71e7ef3 Mon Sep 17 00:00:00 2001 
From: Nikos Mavrogiannopoulos Date: Sat, 12 May 2018 12:03:06 +0200 Subject: [PATCH 107/177] Update to 0.12.1-1 - Update to upstream 0.12.1 release --- .gitignore | 11 +++++++ ocserv-0.12.0-add-missing-test.patch | 46 ---------------------------- ocserv.service | 4 +-- ocserv.spec | 28 ++++++++--------- sources | 6 ++-- 5 files changed, 30 insertions(+), 65 deletions(-) delete mode 100644 ocserv-0.12.0-add-missing-test.patch diff --git a/.gitignore b/.gitignore index d09b5eb..5aa3c3c 100644 --- a/.gitignore +++ b/.gitignore @@ -137,3 +137,14 @@ /gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg /ocserv-0.12.0.tar.xz.sig /ocserv-0.12.0.tar.xz +/ocserv.init +/gpgkey-56EE7FA9E8173B19FE86268D763712747F343FA7.gpg +/ocserv-script +/ocserv-genkey +/PACKAGE-LICENSING +/ocserv-pamd.conf +/ocserv.service +/ocserv.conf +/gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg +/ocserv-0.12.1.tar.xz.sig +/ocserv-0.12.1.tar.xz diff --git a/ocserv-0.12.0-add-missing-test.patch b/ocserv-0.12.0-add-missing-test.patch deleted file mode 100644 index 91e1f6b..0000000 --- a/ocserv-0.12.0-add-missing-test.patch +++ /dev/null 
@@ -1,46 +0,0 @@ -diff --git a/tests/server-cert-rsa-pss b/tests/server-cert-rsa-pss -new file mode 100755 -index 0000000..be3d098 ---- /dev/null -+++ b/tests/server-cert-rsa-pss -@@ -0,0 +1,40 @@ -+#!/bin/sh -+# -+# Copyright (C) 2017 Red Hat, Inc. -+# -+# This file is part of ocserv. -+# -+# ocserv is free software; you can redistribute it and/or modify it -+# under the terms of the GNU General Public License as published by the -+# Free Software Foundation; either version 2 of the License, or (at -+# your option) any later version. -+# -+# ocserv is distributed in the hope that it will be useful, but -+# WITHOUT ANY WARRANTY; without even the implied warranty of -+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -+# General Public License for more details. -+# -+# You should have received a copy of the GNU General Public License -+# along with GnuTLS; if not, write to the Free Software Foundation, -+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. -+ -+SERV="${SERV:-../src/ocserv}" -+srcdir=${srcdir:-.} -+NO_NEED_ROOT=1 -+PORT=4444 -+ -+. `dirname $0`/common.sh -+ -+echo "Testing server cert with RSA-PSS... " -+ -+update_config test-rsa-pss.config -+launch_sr_server -d 1 -f -c ${CONFIG} & PID=$! -+wait_server $PID -+ -+echo "Connecting to obtain cookie... " -+( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=sha256:7462b697482f771a9a787bc19db00f704a1685ae09ed201b7a126b052a09522e --cookieonly ) || -+ fail $PID "Could not receive cookie from server" -+ -+cleanup -+ -+exit 0 diff --git a/ocserv.service b/ocserv.service index 4fe4813..a71f2dd 100644 --- a/ocserv.service +++ b/ocserv.service 
@@ -7,10 +7,10 @@ After=dbus.service [Service] PrivateTmp=true -Type=forking +Type=simple PIDFile=/var/run/ocserv.pid ExecStartPre=/usr/sbin/ocserv-genkey -ExecStart=/usr/sbin/ocserv --pid-file /var/run/ocserv.pid --config /etc/ocserv/ocserv.conf +ExecStart=/usr/sbin/ocserv --pid-file /var/run/ocserv.pid --config /etc/ocserv/ocserv.conf -f ExecReload=/bin/kill -HUP $MAINPID [Install] diff --git a/ocserv.spec b/ocserv.spec index 8744f34..492d171 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -1,7 +1,6 @@ # This spec file has been automatically updated -Version: 0.12.0 +Version: 0.12.1 Release: 1%{?dist} -Patch1: ocserv-0.12.0-add-missing-test.patch %global _hardened_build 1 %if 0%{?fedora} || 0%{?rhel} >= 7 @@ -19,11 +18,6 @@ Patch1: ocserv-0.12.0-add-missing-test.patch %endif %define use_local_protobuf 0 -%if 0%{?rhel} && 0%{?rhel} == 7 -#%ifarch ppc64 -#%define use_local_protobuf 1 -#%endif -%endif Name: ocserv Summary: OpenConnect SSL VPN server @@ -83,7 +77,6 @@ BuildRequires: liboath-devel BuildRequires: uid_wrapper BuildRequires: socket_wrapper BuildRequires: gnupg2 -BuildRequires: rubygem(ronn) %if 0%{?rhel} && 0%{?rhel} >= 7 %ifarch x86_64 %{ix86} @@ -97,6 +90,11 @@ BuildRequires: libseccomp-devel %endif #use systemd +# no rubygem in epel7 +%if 0%{?fedora} || 0%{?rhel} > 7 +BuildRequires: rubygem(ronn) +%endif + Requires: gnutls-utils Requires: iproute Requires: pam @@ -127,11 +125,7 @@ to provide the secure VPN service. gpgv2 --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0} || gpgv2 --keyring %{SOURCE10} %{SOURCE1} %{SOURCE0} %endif -%if 0%{?rhel} && 0%{?rhel} <= 6 -%setup -q -%else %autosetup -p1 -%endif rm -f src/http-parser/http_parser.c src/http-parser/http_parser.h %if (0%{?use_local_protobuf} == 0) @@ -150,8 +144,6 @@ sed -i 's/either version 3 of the License/either version 2 of the License/g' bui echo "int main() { return 77; }" > tests/valid-hostname.c %endif -chmod 755 tests/server-cert-rsa-pss - %build %if 0%{?rhel} && 0%{?rhel} <= 6 
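Review bot: With `Type=simple`, systemd tracks the ExecStart process as the main PID itself, so the retained `PIDFile=/var/run/ocserv.pid` line is no longer needed and the `--pid-file /var/run/ocserv.pid` argument only matters if something else reads that file. I would drop `PIDFile=` and, unless occtl or another tool depends on the pid file, shorten the line to `ExecStart=/usr/sbin/ocserv --config /etc/ocserv/ocserv.conf -f`; if the file is still wanted, `/run/ocserv.pid` is the non-legacy location. `ExecReload=/bin/kill -HUP $MAINPID` keeps working either way, as `$MAINPID` is now the ExecStart process itself.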
@@ -246,9 +238,14 @@ install -D -m 0755 %{SOURCE11} %{buildroot}/%{_initrddir}/%{name} %doc AUTHORS ChangeLog NEWS COPYING LICENSE README.md TODO PACKAGE-LICENSING %doc src/ccan/licenses/CC0 src/ccan/licenses/LGPL-2.1 src/ccan/licenses/BSD-MIT + +## Temporarily disable when rubygem is not present; there is a bug in 0.12.0 dist +%if 0%{?fedora} || 0%{?rhel} > 7 %{_mandir}/man8/ocserv.8* %{_mandir}/man8/occtl.8* %{_mandir}/man8/ocpasswd.8* +%endif + %{_bindir}/ocpasswd %{_bindir}/occtl %{_bindir}/ocserv-fw @@ -263,6 +260,9 @@ install -D -m 0755 %{SOURCE11} %{buildroot}/%{_initrddir}/%{name} %endif %changelog +* Sat May 12 2018 Nikos Mavrogiannopoulos - 0.12.1-1 +- Update to upstream 0.12.1 release + * Mon Apr 23 2018 Nikos Mavrogiannopoulos - 0.12.0-1 - Update to upstream 0.12.0 release diff --git a/sources b/sources index db4b5fa..e483c81 100644 --- a/sources +++ b/sources 
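Review bot: The comment above the new `%if` says the man pages are disabled "when rubygem is not present; there is a bug in 0.12.0 dist", but this commit moves the package to 0.12.1, so the version reference is already stale, and the same `%if 0%{?fedora} || 0%{?rhel} > 7` condition is repeated from the `BuildRequires: rubygem(ronn)` hunk (`@@ -97,6 +90,11 @@`) above. Defining it once, e.g. `%define have_ronn 0%{?fedora} || 0%{?rhel} > 7` next to the other `%define` lines and using `%if %{have_ronn}` in both places, keeps the BuildRequires and the `%files` list from drifting apart. I would also reword the comment to say what happens rather than why it is temporary: `# man pages are generated with ronn, which is unavailable in EPEL 7`.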
@@ -4,8 +4,8 @@ SHA512 (ocserv-script) = 6d77ebe95d23469d96b45b1ac8de7a062cb1360febd0f9664b42deb SHA512 (ocserv-genkey) = e898144fd977e4c57c4a9a5480b38f6a166c0281c41500c3fa9b7e142197c4525d3fb90846a738e38d217116dc33c2ba5c16ec3e11de0dbf4d834e204c598eac SHA512 (PACKAGE-LICENSING) = eea2a2a4765c90d874c79bb72d754c8b26b58d5e5b3c3cee10c24754fbba6849fd91f7b28e380b5db9789a456f95fc94b3bd8fe8c160a98c8042f404479ecb68 SHA512 (ocserv-pamd.conf) = 3a75f19d89ddd164f3faa9c3579c7f675fc58413a194f43ec28eee7ebced6fee3f4ca305fe9b0ddf76ae39cd669e8d3d63b58afbbf19b84e4ca646ae7f42d61a -SHA512 (ocserv.service) = 264f3389d88aec1f7d2e4683a4dfc0aa67af2325154de822eecf5fb43f8c221aab0d9f0c6a8eedb893e6d69ed4d94c9397b01e5d0d12e88330017a3bfa5f3644 +SHA512 (ocserv.service) = 2b258b2e9d211c9626e9e5c67b6c2573b713e0f490917ed1c84c2bb2708f874026ddb55dceb9585e491f86de5d3c8cd400bba864d12966ae96609cc4ce6413d2 SHA512 (ocserv.conf) = 5b68a3547c6c69bf7c2b322692d6382162a587c47edad97690223c36f30ed98d3869d1ce063c630740d91888a4d70aadd657ddc6052c10e6e26800fca2e9d0c0 SHA512 (gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg) = 3b1989dc6a64d1140f83a2af0773da2adb03c50d97b6da7357cf09525050651aafa21131f1e3180baa540a8af922119a256f5ff5bcd6602996a806e8e1816bad -SHA512 (ocserv-0.12.0.tar.xz.sig) = a746e72ba07bf7d28104385a70ba4c685389353368d02383eb385aece19ccc9d51a86226371338dbe1737046e403b17e351a04ffa2674ca594bf9e467438b534 -SHA512 (ocserv-0.12.0.tar.xz) = 73e39a6073761a42cff7637fdc0748d969dc6ddd80635633487aa2627ae7234af772194cf27fdded9f08637b26d7ca9017555242ccdb6ade03897f9d4ca4de8d +SHA512 (ocserv-0.12.1.tar.xz.sig) = 0dd3123ffc525faa724de7a10f0a2202fc31ea667428e41c3ca68a3fffc29979d9bff16abde3adece8e921881704efc952d077e9bc161be4d69a124218ae5616 +SHA512 (ocserv-0.12.1.tar.xz) = 3fc5e6c6a3b4390cb0ffa78fac4f8e70aa689227c6f5b62180b95f35cf2de0c41075a157412de40866ce1af12ad8feabd87b2b986c8ca09ebee70514da9ec13f From a6201d770437f2c326b44ee2c590a35f0cfba481 Mon Sep 17 00:00:00 2001 
From: Igor Gnatenko Date: Mon, 9 Jul 2018 19:06:49 +0200 Subject: [PATCH 108/177] add BuildRequires: gcc Reference: https://fedoraproject.org/wiki/Changes/Remove_GCC_from_BuildRoot --- ocserv.spec | 1 + 1 file changed, 1 insertion(+) diff --git a/ocserv.spec b/ocserv.spec index 492d171..55098a8 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -42,6 +42,7 @@ Source11: ocserv.init # http://git.infradead.org/ocserv.git/commitdiff/7d70006a2dbddf783213f1856374bacc74217e09 %if 0%{?rhel} && 0%{?rhel} <= 6 +BuildRequires: gcc BuildRequires: gnutls30-devel %else BuildRequires: gnutls-devel From fd5e7c4a707b777c23555299578a90e5621ea89f Mon Sep 17 00:00:00 2001 From: Jason Tibbitts Date: Tue, 10 Jul 2018 01:54:25 -0500 Subject: [PATCH 109/177] Remove needless use of %defattr --- ocserv.spec | 1 - 1 file changed, 1 deletion(-) diff --git a/ocserv.spec b/ocserv.spec index 55098a8..675b95b 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -229,7 +229,6 @@ install -D -m 0755 %{SOURCE11} %{buildroot}/%{_initrddir}/%{name} %make_install %files -%defattr(-,root,root,-) %dir %{_localstatedir}/lib/ocserv %dir %{_sysconfdir}/ocserv From c692b002287d20bb4f1dc818e18f5b7389a4deec Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Fri, 13 Jul 2018 14:51:24 +0000 Subject: [PATCH 110/177] - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- ocserv.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/ocserv.spec b/ocserv.spec index 675b95b..079b664 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -1,6 +1,6 @@ # This spec file has been automatically updated Version: 0.12.1 -Release: 1%{?dist} +Release: 2%{?dist} %global _hardened_build 1 %if 0%{?fedora} || 0%{?rhel} >= 7 
@@ -260,6 +260,9 @@ install -D -m 0755 %{SOURCE11} %{buildroot}/%{_initrddir}/%{name} %endif %changelog +* Fri Jul 13 2018 Fedora Release Engineering - 0.12.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + * Sat May 12 2018 Nikos Mavrogiannopoulos - 0.12.1-1 - Update to upstream 0.12.1 release From 9d114bd7a92000adb24355eb79fd81d3b37d4108 Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Tue, 24 Jul 2018 09:09:40 +0200 Subject: [PATCH 111/177] Added gcc as build-dependency --- ocserv.spec | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/ocserv.spec b/ocserv.spec index 079b664..d780d14 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -1,6 +1,6 @@ # This spec file has been automatically updated Version: 0.12.1 -Release: 2%{?dist} +Release: 3%{?dist} %global _hardened_build 1 %if 0%{?fedora} || 0%{?rhel} >= 7 @@ -41,8 +41,9 @@ Source11: ocserv.init # Taken from upstream: # http://git.infradead.org/ocserv.git/commitdiff/7d70006a2dbddf783213f1856374bacc74217e09 -%if 0%{?rhel} && 0%{?rhel} <= 6 BuildRequires: gcc + +%if 0%{?rhel} && 0%{?rhel} <= 6 BuildRequires: gnutls30-devel %else BuildRequires: gnutls-devel @@ -260,6 +261,9 @@ install -D -m 0755 %{SOURCE11} %{buildroot}/%{_initrddir}/%{name} %endif %changelog +* Tue Jul 24 2018 Nikos Mavrogiannopoulos - 0.12.1-3 +- Added gcc as build-dependency + * Fri Jul 13 2018 Fedora Release Engineering - 0.12.1-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild From 040d07710192d1bd0d9c2da163b41b0a736c8038 Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Thu, 10 Jan 2019 20:53:38 +0100 Subject: [PATCH 112/177] Update to 0.12.2-1 - Update to upstream 0.12.2 release --- .gitignore | 11 +++++++++++ ocserv.spec | 14 +++++++------- sources | 4 ++-- 3 files changed, 20 insertions(+), 9 deletions(-) diff --git a/.gitignore b/.gitignore index 5aa3c3c..aab5bdc 100644 --- a/.gitignore +++ b/.gitignore 
@@ -148,3 +148,14 @@ /gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg /ocserv-0.12.1.tar.xz.sig /ocserv-0.12.1.tar.xz +/ocserv.init +/gpgkey-56EE7FA9E8173B19FE86268D763712747F343FA7.gpg +/ocserv-script +/ocserv-genkey +/PACKAGE-LICENSING +/ocserv-pamd.conf +/ocserv.service +/ocserv.conf +/gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg +/ocserv-0.12.2.tar.xz.sig +/ocserv-0.12.2.tar.xz diff --git a/ocserv.spec b/ocserv.spec index d780d14..663142c 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -1,6 +1,6 @@ # This spec file has been automatically updated -Version: 0.12.1 -Release: 3%{?dist} +Version: 0.12.2 +Release: 1%{?dist} %global _hardened_build 1 %if 0%{?fedora} || 0%{?rhel} >= 7 @@ -41,8 +41,7 @@ Source11: ocserv.init # Taken from upstream: # http://git.infradead.org/ocserv.git/commitdiff/7d70006a2dbddf783213f1856374bacc74217e09 -BuildRequires: gcc - +BuildRequires: gcc %if 0%{?rhel} && 0%{?rhel} <= 6 BuildRequires: gnutls30-devel %else @@ -230,6 +229,7 @@ install -D -m 0755 %{SOURCE11} %{buildroot}/%{_initrddir}/%{name} %make_install %files +%defattr(-,root,root,-) %dir %{_localstatedir}/lib/ocserv %dir %{_sysconfdir}/ocserv @@ -240,12 +240,9 @@ install -D -m 0755 %{SOURCE11} %{buildroot}/%{_initrddir}/%{name} %doc AUTHORS ChangeLog NEWS COPYING LICENSE README.md TODO PACKAGE-LICENSING %doc src/ccan/licenses/CC0 src/ccan/licenses/LGPL-2.1 src/ccan/licenses/BSD-MIT -## Temporarily disable when rubygem is not present; there is a bug in 0.12.0 dist -%if 0%{?fedora} || 0%{?rhel} > 7 %{_mandir}/man8/ocserv.8* %{_mandir}/man8/occtl.8* %{_mandir}/man8/ocpasswd.8* -%endif %{_bindir}/ocpasswd %{_bindir}/occtl @@ -261,6 +258,9 @@ install -D -m 0755 %{SOURCE11} %{buildroot}/%{_initrddir}/%{name} %endif %changelog +* Thu Jan 10 2019 Nikos Mavrogiannopoulos - 0.12.2-1 +- Update to upstream 0.12.2 release + * Tue Jul 24 2018 Nikos Mavrogiannopoulos - 0.12.1-3 - Added gcc as build-dependency diff --git a/sources b/sources index e483c81..4b8f0de 100644 --- a/sources 
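Review bot: The `@@ -240,12 +240,9 @@` hunk makes the three `%{_mandir}/man8/*.8*` entries unconditional, but `BuildRequires: rubygem(ronn)` is still wrapped in `%if 0%{?fedora} || 0%{?rhel} > 7` (the `# no rubygem in epel7` block), so on EPEL 7 the pages will only exist if the 0.12.2 tarball ships them pre-generated. If it does, a comment such as `# man pages are shipped pre-built in the release tarball; ronn is only needed for a rebuild from git` would record why the build dependency may be absent; if it does not, the `%if` guard should stay. Separately, `@@ -230,6 +229,7 @@` re-adds `%defattr(-,root,root,-)`, which commit 109 ("Remove needless use of %defattr") dropped as redundant; it looks like an unintended revert and can be left out.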
+++ b/sources @@ -7,5 +7,5 @@ SHA512 (ocserv-pamd.conf) = 3a75f19d89ddd164f3faa9c3579c7f675fc58413a194f43ec28e SHA512 (ocserv.service) = 2b258b2e9d211c9626e9e5c67b6c2573b713e0f490917ed1c84c2bb2708f874026ddb55dceb9585e491f86de5d3c8cd400bba864d12966ae96609cc4ce6413d2 SHA512 (ocserv.conf) = 5b68a3547c6c69bf7c2b322692d6382162a587c47edad97690223c36f30ed98d3869d1ce063c630740d91888a4d70aadd657ddc6052c10e6e26800fca2e9d0c0 SHA512 (gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg) = 3b1989dc6a64d1140f83a2af0773da2adb03c50d97b6da7357cf09525050651aafa21131f1e3180baa540a8af922119a256f5ff5bcd6602996a806e8e1816bad -SHA512 (ocserv-0.12.1.tar.xz.sig) = 0dd3123ffc525faa724de7a10f0a2202fc31ea667428e41c3ca68a3fffc29979d9bff16abde3adece8e921881704efc952d077e9bc161be4d69a124218ae5616 -SHA512 (ocserv-0.12.1.tar.xz) = 3fc5e6c6a3b4390cb0ffa78fac4f8e70aa689227c6f5b62180b95f35cf2de0c41075a157412de40866ce1af12ad8feabd87b2b986c8ca09ebee70514da9ec13f +SHA512 (ocserv-0.12.2.tar.xz.sig) = 135eda011200679e7ae29fc66a09f940a88c056561c8491538089070327554c295533ad238a1b866f90a702b5465969817148495c96fa5b3ef8d1a10bf14ce6d +SHA512 (ocserv-0.12.2.tar.xz) = 3ce6cf68ad9349d6d090f35c14712ce3ddb8f2fe6b33285e050e99ac4457ca1127b55d3cea739a4364072534c69cb094912b4631a14b87362bd31ccc1a550b3a From 7feaa2186078638ec55da9f949ad0775b78eb7ce Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bj=C3=B6rn=20Esser?= Date: Mon, 14 Jan 2019 19:10:33 +0100 Subject: [PATCH 113/177] Rebuilt for libcrypt.so.2 (#1666033) --- ocserv.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/ocserv.spec b/ocserv.spec index 663142c..2516e05 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -1,6 +1,6 @@ # This spec file has been automatically updated Version: 0.12.2 -Release: 1%{?dist} +Release: 2%{?dist} %global _hardened_build 1 %if 0%{?fedora} || 0%{?rhel} >= 7 
@@ -258,6 +258,9 @@ install -D -m 0755 %{SOURCE11} %{buildroot}/%{_initrddir}/%{name} %endif %changelog +* Mon Jan 14 2019 Björn Esser - 0.12.2-2 +- Rebuilt for libcrypt.so.2 (#1666033) + * Thu Jan 10 2019 Nikos Mavrogiannopoulos - 0.12.2-1 - Update to upstream 0.12.2 release From d5f2f4f60c9415040ea3e1973713c5e273951320 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Fri, 1 Feb 2019 17:02:29 +0000 Subject: [PATCH 114/177] - Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- ocserv.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/ocserv.spec b/ocserv.spec index 2516e05..a6f9d9e 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -1,6 +1,6 @@ # This spec file has been automatically updated Version: 0.12.2 -Release: 2%{?dist} +Release: 3%{?dist} %global _hardened_build 1 %if 0%{?fedora} || 0%{?rhel} >= 7 @@ -258,6 +258,9 @@ install -D -m 0755 %{SOURCE11} %{buildroot}/%{_initrddir}/%{name} %endif %changelog +* Fri Feb 01 2019 Fedora Release Engineering - 0.12.2-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + * Mon Jan 14 2019 Björn Esser - 0.12.2-2 - Rebuilt for libcrypt.so.2 (#1666033) From 49598e0b1109be5ebd7b24b62d8fdecb75b17a2f Mon Sep 17 00:00:00 2001 From: Igor Gnatenko Date: Sun, 17 Feb 2019 09:30:52 +0100 Subject: [PATCH 115/177] Rebuild for readline 8.0 --- ocserv.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/ocserv.spec b/ocserv.spec index a6f9d9e..75f110f 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -1,6 +1,6 @@ # This spec file has been automatically updated Version: 0.12.2 -Release: 3%{?dist} +Release: 4%{?dist} %global _hardened_build 1 %if 0%{?fedora} || 0%{?rhel} >= 7 
@@ -258,6 +258,9 @@ install -D -m 0755 %{SOURCE11} %{buildroot}/%{_initrddir}/%{name} %endif %changelog +* Sun Feb 17 2019 Igor Gnatenko - 0.12.2-4 +- Rebuild for readline 8.0 + * Fri Feb 01 2019 Fedora Release Engineering - 0.12.2-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild From 7ab4ba388f0f4bfb045c55c37d26fdd549503b8d Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Tue, 12 Mar 2019 21:24:37 +0100 Subject: [PATCH 116/177] Update to 0.12.3-1 - Update to upstream 0.12.3 release --- .gitignore | 11 +++++++++++ ocserv.spec | 7 +++++-- sources | 4 ++-- 3 files changed, 18 insertions(+), 4 deletions(-) diff --git a/.gitignore b/.gitignore index aab5bdc..4aac85e 100644 --- a/.gitignore +++ b/.gitignore @@ -159,3 +159,14 @@ /gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg /ocserv-0.12.2.tar.xz.sig /ocserv-0.12.2.tar.xz +/ocserv.init +/gpgkey-56EE7FA9E8173B19FE86268D763712747F343FA7.gpg +/ocserv-script +/ocserv-genkey +/PACKAGE-LICENSING +/ocserv-pamd.conf +/ocserv.service +/ocserv.conf +/gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg +/ocserv-0.12.3.tar.xz.sig +/ocserv-0.12.3.tar.xz diff --git a/ocserv.spec b/ocserv.spec index 75f110f..957abba 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -1,6 +1,6 @@ # This spec file has been automatically updated -Version: 0.12.2 -Release: 4%{?dist} +Version: 0.12.3 +Release: 1%{?dist} %global _hardened_build 1 %if 0%{?fedora} || 0%{?rhel} >= 7 @@ -258,6 +258,9 @@ install -D -m 0755 %{SOURCE11} %{buildroot}/%{_initrddir}/%{name} %endif %changelog +* Tue Mar 12 2019 Nikos Mavrogiannopoulos - 0.12.3-1 +- Update to upstream 0.12.3 release + * Sun Feb 17 2019 Igor Gnatenko - 0.12.2-4 - Rebuild for readline 8.0 diff --git a/sources b/sources index 4b8f0de..8e150a5 100644 --- a/sources +++ b/sources 
@@ -7,5 +7,5 @@ SHA512 (ocserv-pamd.conf) = 3a75f19d89ddd164f3faa9c3579c7f675fc58413a194f43ec28e SHA512 (ocserv.service) = 2b258b2e9d211c9626e9e5c67b6c2573b713e0f490917ed1c84c2bb2708f874026ddb55dceb9585e491f86de5d3c8cd400bba864d12966ae96609cc4ce6413d2 SHA512 (ocserv.conf) = 5b68a3547c6c69bf7c2b322692d6382162a587c47edad97690223c36f30ed98d3869d1ce063c630740d91888a4d70aadd657ddc6052c10e6e26800fca2e9d0c0 SHA512 (gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg) = 3b1989dc6a64d1140f83a2af0773da2adb03c50d97b6da7357cf09525050651aafa21131f1e3180baa540a8af922119a256f5ff5bcd6602996a806e8e1816bad -SHA512 (ocserv-0.12.2.tar.xz.sig) = 135eda011200679e7ae29fc66a09f940a88c056561c8491538089070327554c295533ad238a1b866f90a702b5465969817148495c96fa5b3ef8d1a10bf14ce6d -SHA512 (ocserv-0.12.2.tar.xz) = 3ce6cf68ad9349d6d090f35c14712ce3ddb8f2fe6b33285e050e99ac4457ca1127b55d3cea739a4364072534c69cb094912b4631a14b87362bd31ccc1a550b3a +SHA512 (ocserv-0.12.3.tar.xz.sig) = cac126cc717dded853ffcca2754111c7f1fda270e931ce912aed6c2b7394ebb193e67bc2c1c10bd883e93a271c0ec60393945d37c4820d5ca648894a265effcf +SHA512 (ocserv-0.12.3.tar.xz) = 93a85a09c1d55c265a188864744ef99a52d72d5bdcd5cce1c3cb6a1089fadd27464be9bb7775d05001e962bc4ac7edcb9cbaf7b209557cb147b8b27252082dbe From 1e4d860399d6a3646e14ce6abcb49e896039d0df Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Wed, 3 Jul 2019 21:27:29 +0200 Subject: [PATCH 117/177] Update to 0.12.4-1 - Update to upstream 0.12.4 release --- .gitignore | 11 +++++++++++ ocserv.spec | 5 ++++- sources | 4 ++-- 3 files changed, 17 insertions(+), 3 deletions(-) diff --git a/.gitignore b/.gitignore index 4aac85e..14c17cd 100644 --- a/.gitignore +++ b/.gitignore 
@@ -170,3 +170,14 @@ /gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg /ocserv-0.12.3.tar.xz.sig /ocserv-0.12.3.tar.xz +/ocserv.init +/gpgkey-56EE7FA9E8173B19FE86268D763712747F343FA7.gpg +/ocserv-script +/ocserv-genkey +/PACKAGE-LICENSING +/ocserv-pamd.conf +/ocserv.service +/ocserv.conf +/gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg +/ocserv-0.12.4.tar.xz.sig +/ocserv-0.12.4.tar.xz diff --git a/ocserv.spec b/ocserv.spec index 957abba..858cf5d 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -1,5 +1,5 @@ # This spec file has been automatically updated -Version: 0.12.3 +Version: 0.12.4 Release: 1%{?dist} %global _hardened_build 1 @@ -258,6 +258,9 @@ install -D -m 0755 %{SOURCE11} %{buildroot}/%{_initrddir}/%{name} %endif %changelog +* Wed Jul 03 2019 Nikos Mavrogiannopoulos - 0.12.4-1 +- Update to upstream 0.12.4 release + * Tue Mar 12 2019 Nikos Mavrogiannopoulos - 0.12.3-1 - Update to upstream 0.12.3 release diff --git a/sources b/sources index 8e150a5..7a8dae7 100644 --- a/sources +++ b/sources 
@@ -7,5 +7,5 @@ SHA512 (ocserv-pamd.conf) = 3a75f19d89ddd164f3faa9c3579c7f675fc58413a194f43ec28e SHA512 (ocserv.service) = 2b258b2e9d211c9626e9e5c67b6c2573b713e0f490917ed1c84c2bb2708f874026ddb55dceb9585e491f86de5d3c8cd400bba864d12966ae96609cc4ce6413d2 SHA512 (ocserv.conf) = 5b68a3547c6c69bf7c2b322692d6382162a587c47edad97690223c36f30ed98d3869d1ce063c630740d91888a4d70aadd657ddc6052c10e6e26800fca2e9d0c0 SHA512 (gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg) = 3b1989dc6a64d1140f83a2af0773da2adb03c50d97b6da7357cf09525050651aafa21131f1e3180baa540a8af922119a256f5ff5bcd6602996a806e8e1816bad -SHA512 (ocserv-0.12.3.tar.xz.sig) = cac126cc717dded853ffcca2754111c7f1fda270e931ce912aed6c2b7394ebb193e67bc2c1c10bd883e93a271c0ec60393945d37c4820d5ca648894a265effcf -SHA512 (ocserv-0.12.3.tar.xz) = 93a85a09c1d55c265a188864744ef99a52d72d5bdcd5cce1c3cb6a1089fadd27464be9bb7775d05001e962bc4ac7edcb9cbaf7b209557cb147b8b27252082dbe +SHA512 (ocserv-0.12.4.tar.xz.sig) = 8ac5a5a7b3b4dcedce4a497cba923092e0035c816ea0d6b9a888102aeb03889af101259eb392d676501717abdc7544b78f60054f4409835022cf2a6949e795ff +SHA512 (ocserv-0.12.4.tar.xz) = 5483cede9627886912f9620d358f1a22504b5de2653529e4275f4b96e4fc874b264877ff0c9ef85c9a0662253d0de44950c4f3a8410fea427d742cc733d5f741 From 27ded8f35d395bd3489e470cd6a9395b38372e07 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Thu, 25 Jul 2019 23:06:02 +0000 Subject: [PATCH 118/177] - Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- ocserv.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/ocserv.spec b/ocserv.spec index 858cf5d..79213fb 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -1,6 +1,6 @@ # This spec file has been automatically updated Version: 0.12.4 -Release: 1%{?dist} +Release: 2%{?dist} %global _hardened_build 1 %if 0%{?fedora} || 0%{?rhel} >= 7 
@@ -258,6 +258,9 @@ install -D -m 0755 %{SOURCE11} %{buildroot}/%{_initrddir}/%{name} %endif %changelog +* Thu Jul 25 2019 Fedora Release Engineering - 0.12.4-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + * Wed Jul 03 2019 Nikos Mavrogiannopoulos - 0.12.4-1 - Update to upstream 0.12.4 release From 61100caa824332fc212f854a9ef3e4601362ae30 Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Mon, 14 Oct 2019 14:42:22 +0200 Subject: [PATCH 119/177] spec: updated for rhel8 --- ocserv.spec | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/ocserv.spec b/ocserv.spec index 79213fb..7b1ebcf 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -17,6 +17,13 @@ Release: 2%{?dist} %define use_libwrap 1 %endif +%if 0%{?rhel} && 0%{?rhel} == 8 +%define use_http_parser 0 +%define use_geoip 0 +%else +%define use_geoip 1 +%endif + %define use_local_protobuf 0 Name: ocserv @@ -61,7 +68,10 @@ BuildRequires: gperf BuildRequires: pcllib-devel BuildRequires: libtalloc-devel BuildRequires: libev-devel +%if %{use_http_parser} BuildRequires: http-parser-devel +%endif + %if %{use_libwrap} BuildRequires: tcp_wrappers-devel %endif @@ -69,7 +79,9 @@ BuildRequires: automake, autoconf BuildRequires: radcli-devel BuildRequires: lz4-devel BuildRequires: readline-devel +%if %{use_geoip} BuildRequires: GeoIP-devel +%endif %if %{use_systemd} BuildRequires: systemd @@ -92,7 +104,7 @@ BuildRequires: libseccomp-devel %endif #use systemd # no rubygem in epel7 -%if 0%{?fedora} || 0%{?rhel} > 7 +%if 0%{?fedora} BuildRequires: rubygem(ronn) %endif @@ -128,7 +140,9 @@ gpgv2 --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0} || gpgv2 --keyring %{SOURCE10} %autosetup -p1 +%if %{use_http_parser} rm -f src/http-parser/http_parser.c src/http-parser/http_parser.h +%endif %if (0%{?use_local_protobuf} == 0) rm -rf src/protobuf/protobuf-c/ touch src/*.proto 
@@ -165,6 +179,9 @@ autoreconf -fvi %if %{use_local_protobuf} --without-protobuf \ %endif +%if ! %{use_http_parser} + --without-http-parser \ +%endif %if %{use_libwrap} --with-libwrap %else From c1e22541312dfbc95249f670025ce8f87d7a70b0 Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Wed, 16 Oct 2019 20:41:46 +0200 Subject: [PATCH 120/177] spec: fix missing definition --- ocserv.spec | 1 + 1 file changed, 1 insertion(+) diff --git a/ocserv.spec b/ocserv.spec index 7b1ebcf..78bc59f 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -21,6 +21,7 @@ Release: 2%{?dist} %define use_http_parser 0 %define use_geoip 0 %else +%define use_http_parser 1 %define use_geoip 1 %endif From 3df62c607cca082ba5edae8b5a8db70f33586066 Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Wed, 16 Oct 2019 22:05:13 +0200 Subject: [PATCH 121/177] Update to 0.12.5-1 - Update to upstream 0.12.5 release --- .gitignore | 11 +++++++++++ ocserv.spec | 13 +++++++++---- sources | 4 ++-- 3 files changed, 22 insertions(+), 6 deletions(-) diff --git a/.gitignore b/.gitignore index 14c17cd..2e600d0 100644 --- a/.gitignore +++ b/.gitignore @@ -181,3 +181,14 @@ /gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg /ocserv-0.12.4.tar.xz.sig /ocserv-0.12.4.tar.xz +/ocserv.init +/gpgkey-56EE7FA9E8173B19FE86268D763712747F343FA7.gpg +/ocserv-script +/ocserv-genkey +/PACKAGE-LICENSING +/ocserv-pamd.conf +/ocserv.service +/ocserv.conf +/gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg +/ocserv-0.12.5.tar.xz.sig +/ocserv-0.12.5.tar.xz diff --git a/ocserv.spec b/ocserv.spec index 78bc59f..7037de8 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -1,6 +1,6 @@ # This spec file has been automatically updated -Version: 0.12.4 -Release: 2%{?dist} +Version: 0.12.5 +Release: 1%{?dist} %global _hardened_build 1 %if 0%{?fedora} || 0%{?rhel} >= 7 
@@ -13,16 +13,16 @@ Release: 2%{?dist} %if 0%{?fedora} >= 28 || 0%{?rhel} > 7 %define use_libwrap 0 +%define use_geoip 0 %else %define use_libwrap 1 +%define use_geoip 1 %endif %if 0%{?rhel} && 0%{?rhel} == 8 %define use_http_parser 0 -%define use_geoip 0 %else %define use_http_parser 1 -%define use_geoip 1 %endif %define use_local_protobuf 0 @@ -82,6 +82,8 @@ BuildRequires: lz4-devel BuildRequires: readline-devel %if %{use_geoip} BuildRequires: GeoIP-devel +%else +BuildRequires: libmaxminddb-devel %endif %if %{use_systemd} @@ -276,6 +278,9 @@ install -D -m 0755 %{SOURCE11} %{buildroot}/%{_initrddir}/%{name} %endif %changelog +* Wed Oct 16 2019 Nikos Mavrogiannopoulos - 0.12.5-1 +- Update to upstream 0.12.5 release + * Thu Jul 25 2019 Fedora Release Engineering - 0.12.4-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild diff --git a/sources b/sources index 7a8dae7..585bfb5 100644 --- a/sources +++ b/sources 
@@ -7,5 +7,5 @@ SHA512 (ocserv-pamd.conf) = 3a75f19d89ddd164f3faa9c3579c7f675fc58413a194f43ec28e
 SHA512 (ocserv.service) = 2b258b2e9d211c9626e9e5c67b6c2573b713e0f490917ed1c84c2bb2708f874026ddb55dceb9585e491f86de5d3c8cd400bba864d12966ae96609cc4ce6413d2
 SHA512 (ocserv.conf) = 5b68a3547c6c69bf7c2b322692d6382162a587c47edad97690223c36f30ed98d3869d1ce063c630740d91888a4d70aadd657ddc6052c10e6e26800fca2e9d0c0
 SHA512 (gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg) = 3b1989dc6a64d1140f83a2af0773da2adb03c50d97b6da7357cf09525050651aafa21131f1e3180baa540a8af922119a256f5ff5bcd6602996a806e8e1816bad
-SHA512 (ocserv-0.12.4.tar.xz.sig) = 8ac5a5a7b3b4dcedce4a497cba923092e0035c816ea0d6b9a888102aeb03889af101259eb392d676501717abdc7544b78f60054f4409835022cf2a6949e795ff
-SHA512 (ocserv-0.12.4.tar.xz) = 5483cede9627886912f9620d358f1a22504b5de2653529e4275f4b96e4fc874b264877ff0c9ef85c9a0662253d0de44950c4f3a8410fea427d742cc733d5f741
+SHA512 (ocserv-0.12.5.tar.xz.sig) = 049cf165ba148090a6b21bbb17d68c0c35936e904ab5731a7a8473cd85944af955ea738b87ce580cdb8c3524bdca8a3361d1f30895cf7e272682b1061902b3bf
+SHA512 (ocserv-0.12.5.tar.xz) = b6e6262fbf5f00639253f85ce8ed0b10d8b45dbcdf4325cbba7f5a80fee979d556f23a635df36b85b307f12b7e5bd44165d8631624500d52168170ca00a166aa
From 2dc5db7b83e0508133ef22fc8197ee0e6b64e1a8 Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos
Date: Sat, 28 Dec 2019 20:32:14 +0100
Subject: [PATCH 122/177] Update to 0.12.6-1 - Update to upstream 0.12.6 release
---
 .gitignore | 11 +++++++++++
 ocserv.spec | 5 ++++-
 sources | 4 ++--
 3 files changed, 17 insertions(+), 3 deletions(-)
diff --git a/.gitignore b/.gitignore
index 2e600d0..6270347 100644
--- a/.gitignore
+++ b/.gitignore
@@ -192,3 +192,14 @@ /gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg /ocserv-0.12.5.tar.xz.sig /ocserv-0.12.5.tar.xz +/ocserv.init +/gpgkey-56EE7FA9E8173B19FE86268D763712747F343FA7.gpg +/ocserv-script +/ocserv-genkey +/PACKAGE-LICENSING +/ocserv-pamd.conf +/ocserv.service +/ocserv.conf +/gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg +/ocserv-0.12.6.tar.xz.sig +/ocserv-0.12.6.tar.xz diff --git a/ocserv.spec b/ocserv.spec index 7037de8..117a2be 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -1,5 +1,5 @@ # This spec file has been automatically updated -Version: 0.12.5 +Version: 0.12.6 Release: 1%{?dist} %global _hardened_build 1 @@ -278,6 +278,9 @@ install -D -m 0755 %{SOURCE11} %{buildroot}/%{_initrddir}/%{name} %endif %changelog +* Sat Dec 28 2019 Nikos Mavrogiannopoulos - 0.12.6-1 +- Update to upstream 0.12.6 release + * Wed Oct 16 2019 Nikos Mavrogiannopoulos - 0.12.5-1 - Update to upstream 0.12.5 release diff --git a/sources b/sources index 585bfb5..7ff8e74 100644 --- a/sources +++ b/sources 
@@ -7,5 +7,5 @@ SHA512 (ocserv-pamd.conf) = 3a75f19d89ddd164f3faa9c3579c7f675fc58413a194f43ec28e
 SHA512 (ocserv.service) = 2b258b2e9d211c9626e9e5c67b6c2573b713e0f490917ed1c84c2bb2708f874026ddb55dceb9585e491f86de5d3c8cd400bba864d12966ae96609cc4ce6413d2
 SHA512 (ocserv.conf) = 5b68a3547c6c69bf7c2b322692d6382162a587c47edad97690223c36f30ed98d3869d1ce063c630740d91888a4d70aadd657ddc6052c10e6e26800fca2e9d0c0
 SHA512 (gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg) = 3b1989dc6a64d1140f83a2af0773da2adb03c50d97b6da7357cf09525050651aafa21131f1e3180baa540a8af922119a256f5ff5bcd6602996a806e8e1816bad
-SHA512 (ocserv-0.12.5.tar.xz.sig) = 049cf165ba148090a6b21bbb17d68c0c35936e904ab5731a7a8473cd85944af955ea738b87ce580cdb8c3524bdca8a3361d1f30895cf7e272682b1061902b3bf
-SHA512 (ocserv-0.12.5.tar.xz) = b6e6262fbf5f00639253f85ce8ed0b10d8b45dbcdf4325cbba7f5a80fee979d556f23a635df36b85b307f12b7e5bd44165d8631624500d52168170ca00a166aa
+SHA512 (ocserv-0.12.6.tar.xz.sig) = 8791479c6f1e6e8c6fd7b6f08857c5e6c1fc81ebc9a11c55231a049c27e2ee9f0bf938ccf1b66fb704eafb26cda6c9595f54edffa265d732dd640e8123538313
+SHA512 (ocserv-0.12.6.tar.xz) = 4d254298dc897304b4676f28a21338c138196cbdb08170c6d536c8c6730fab307642dbf853f96e66335604cb68711262678d3d0be84e6768ec720b9a81ccf813
From a8f51f2fe48ca54d8f874baf77aab34779feeeb9 Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos
Date: Sat, 28 Dec 2019 21:25:34 +0100
Subject: [PATCH 123/177] ocserv.conf: updated to latest upstream version
---
 ocserv.conf | 287 +++++++++++++++++++++++++++++++++-------------------
 ocserv.spec | 4 +-
 2 files changed, 185 insertions(+), 106 deletions(-)
diff --git a/ocserv.conf b/ocserv.conf
index 63ac7db..59d8e75 100644
--- a/ocserv.conf
+++ b/ocserv.conf
@@ -1,5 +1,5 @@
 ### The following directives do not change with server reload.
-#
+
 # User authentication method. To require multiple methods to be
 # used for the user to login, add multiple auth directives. The values
 # in the 'auth' directive are AND composed (if multiple all must
@@ -7,7 +7,7 @@ # Available options: certificate, plain, pam, radius, gssapi. # Note that authentication methods utilizing passwords cannot be # combined (e.g., the plain, pam or radius methods). -# + # certificate: # This indicates that all connecting users must present a certificate. # The username and user group will be then extracted from it (see @@ -16,7 +16,7 @@ # it must not be listed in the CRL, as specified by the 'crl' option. # # pam[gid-min=1000]: -# This enabled PAM authentication of the user. The gid-min option is used +# This enabled PAM authentication of the user. The gid-min option is used # by auto-select-group option, in order to select the minimum valid group ID. # # plain[passwd=/etc/ocserv/ocpasswd,otp=/etc/ocserv/users.otp] 
@@ -24,18 +24,20 @@ # entries of the following format. # "username:groupname1,groupname2:encoded-password" # One entry must be listed per line, and 'ocpasswd' should be used -# to generate password entries. The 'otp' suboption allows to specify +# to generate password entries. The 'otp' suboption allows one to specify # an oath password file to be used for one time passwords; the format of -# the file is described in https://code.google.com/p/mod-authn-otp/wiki/UsersFile +# the file is described in https://github.com/archiecobbs/mod-authn-otp/wiki/UsersFile # -# radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true,nas-identifier=name,override-interim-updates=false]: +# radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true,nas-identifier=name]: # The radius option requires specifying freeradius-client configuration -# file. If the groupconfig option is set, then config-per-user will be overriden, -# and all configuration will be read from radius. The 'override-interim-updates' if set to -# true will ignore Acct-Interim-Interval from the server and 'stats-report-time' will be considered. +# file. If the groupconfig option is set, then config-per-user/group will be overridden, +# and all configuration will be read from radius. That also includes the +# Acct-Interim-Interval, and Session-Timeout values. +# +# See doc/README-radius.md for the supported radius configuration atributes. # # gssapi[keytab=/etc/key.tab,require-local-user-map=true,tgt-freshness-time=900] -# The gssapi option allows to use authentication methods supported by GSSAPI, +# The gssapi option allows one to use authentication methods supported by GSSAPI, # such as Kerberos tickets with ocserv. It should be best used as an alternative # to PAM (i.e., have pam in auth and gssapi in enable-auth), to allow users with # tickets and without tickets to login. The default value for require-local-user-map 
@@ -79,6 +81,10 @@ auth = "pam" # reconnects. #listen-host-is-dyndns = true +# Use udp-listen-host to limit udp to specific IPs or to the IPs of a provided +# hostname. if not set, listen-host will be used +#udp-listen-host = [IP|HOSTNAME] + # TCP and UDP port number tcp-port = 443 udp-port = 443 
@@ -106,6 +112,50 @@ socket-file = ocserv.sock # The default server directory. Does not require any devices present. chroot-dir = /var/lib/ocserv +# The key and the certificates of the server +# The key may be a file, or any URL supported by GnuTLS (e.g., +# tpmkey:uuid=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx;storage=user +# or pkcs11:object=my-vpn-key;object-type=private) +# +# The server-cert file may contain a single certificate, or +# a sorted certificate chain. +# There may be multiple server-cert and server-key directives, +# but each key should correspond to the preceding certificate. +# The certificate files will be reloaded when changed allowing for in-place +# certificate renewal (they are checked and reloaded periodically; +# a SIGHUP signal to main server will force reload). + +server-cert = /etc/pki/ocserv/public/server.crt +server-key = /etc/pki/ocserv/private/server.key + +# Diffie-Hellman parameters. Only needed if for old (pre 3.6.0 +# versions of GnuTLS for supporting DHE ciphersuites. +# Can be generated using: +# certtool --generate-dh-params --outfile /etc/ocserv/dh.pem +#dh-params = /etc/ocserv/dh.pem + +# In case PKCS #11, TPM or encrypted keys are used the PINs should be available +# in files. The srk-pin-file is applicable to TPM keys only, and is the +# storage root key. +#pin-file = /etc/ocserv/pin.txt +#srk-pin-file = /etc/ocserv/srkpin.txt + +# The password or PIN needed to unlock the key in server-key file. +# Only needed if the file is encrypted or a PKCS #11 object. This +# is an alternative method to pin-file. +#key-pin = 1234 + +# The SRK PIN for TPM. +# This is an alternative method to srk-pin-file. +#srk-pin = 1234 + +# The Certificate Authority that will be used to verify +# client certificates (public keys) if certificate authentication +# is set. +#ca-cert = /etc/ocserv/ca.pem + + + ### All configuration options below this line are reloaded on a SIGHUP. ### The options above, will remain unchanged. Note however, that the 
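Review bot: The previously active `ca-cert = /etc/pki/ocserv/cacerts/ca.crt` (removed by the `@@ -205,37 +246,18 @@` hunk three lines further down) returns only as the commented-out `#ca-cert = /etc/ocserv/ca.pem` in this hunk, so a fresh install that enables `auth = "certificate"` has no trust anchor configured until the administrator adds one, and the example path no longer matches the `/etc/pki/ocserv/` tree that `server-cert` and `server-key` still use. The new `#dh-params`, `#pin-file` and `#srk-pin-file` examples here, and the `#ocsp-response` and `#crl` examples in the following hunks, all point at `/etc/ocserv/` as well, so the shipped file now mixes two layouts. If the Fedora layout is intended, the examples should use it, e.g. `#ca-cert = /etc/pki/ocserv/cacerts/ca.crt`; otherwise a comment should say that keys and certificates live under `/etc/pki/ocserv/` while everything else lives under `/etc/ocserv/`.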
@@ -137,6 +187,14 @@ max-clients = 16 # multiple times). Unset or set to zero for unlimited. max-same-clients = 2 +# When the server receives connections from a proxy, like haproxy +# which supports the proxy protocol, set this to obtain the correct +# client addresses. The proxy protocol would then be expected in +# the TCP or UNIX socket (not the UDP one). Although both v1 +# and v2 versions of proxy protocol are supported, the v2 version +# is recommended as it is more efficient in parsing. +#listen-proxy-proto = true + # Limit the number of client connections to one every X milliseconds # (X is the provided value). Set to zero for no limit. #rate-limit-ms = 100 @@ -147,6 +205,12 @@ max-same-clients = 2 # radius is in use. #stats-report-time = 360 +# Stats reset time. The period of time statistics kept by main/sec-mod +# processes will be reset. These are the statistics shown by cmd +# 'occtl show stats'. For daily: 86400, weekly: 604800 +# This is unrelated to stats-report-time. +server-stats-reset-time = 604800 + # Keepalive in seconds keepalive = 32400 @@ -161,7 +225,7 @@ dpd = 90 # be higher to prevent such clients being awaken too # often by the DPD messages, and save battery. # The mobile clients are distinguished from the header -# 'X-AnyConnect-Identifier-DeviceType'. +# 'X-AnyConnect-Identifier-Platform'. mobile-dpd = 1800 # If using DTLS, and no UDP traffic is received for this 
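Review bot: The comment introducing `#listen-proxy-proto = true` does not say that the PROXY header is unauthenticated: once enabled, anyone able to reach the TCP or UNIX listener directly can supply an arbitrary client address, which then ends up in logs and, presumably, in any per-address limits or ban scoring the server keeps. I would add after `# is recommended as it is more efficient in parsing.`: `# Only enable this when the listener is reachable solely from the proxy` / `# (e.g. firewalled off or bound to a UNIX socket): the proxy header is not` / `# authenticated, so a direct client could present any source address.`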
@@ -175,29 +239,6 @@ switch-to-tcp-timeout = 25 # MTU discovery (DPD must be enabled) try-mtu-discovery = false -# The key and the certificates of the server -# The key may be a file, or any URL supported by GnuTLS (e.g., -# tpmkey:uuid=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx;storage=user -# or pkcs11:object=my-vpn-key;object-type=private) -# -# The server-cert file may contain a single certificate, or -# a sorted certificate chain. -# -# There may be multiple server-cert and server-key directives, -# but each key should correspond to the preceding certificate. -# The certificate files will be reloaded when changed allowing for in-place -# certificate renewal (they are checked and reloaded periodically; -# a SIGHUP signal to main server will force reload). - -server-cert = /etc/pki/ocserv/public/server.crt -server-key = /etc/pki/ocserv/private/server.key - -# Diffie-Hellman parameters. Only needed if you require support -# for the DHE ciphersuites (by default this server supports ECDHE). -# Can be generated using: -# certtool --generate-dh-params --outfile /path/to/dh.pem -#dh-params = /path/to/dh.pem - # If you have a certificate from a CA that provides an OCSP # service you may provide a fresh OCSP status response within # the TLS handshake. That will prevent the client from connecting 
@@ -205,37 +246,18 @@ server-key = /etc/pki/ocserv/private/server.key # You can update this response periodically using: # ocsptool --ask --load-cert=your_cert --load-issuer=your_ca --outfile response # Make sure that you replace the following file in an atomic way. -#ocsp-response = /path/to/ocsp.der - -# In case PKCS #11, TPM or encrypted keys are used the PINs should be available -# in files. The srk-pin-file is applicable to TPM keys only, and is the -# storage root key. -#pin-file = /path/to/pin.txt -#srk-pin-file = /path/to/srkpin.txt - -# The password or PIN needed to unlock the key in server-key file. -# Only needed if the file is encrypted or a PKCS #11 object. This -# is an alternative method to pin-file. -#key-pin = 1234 - -# The SRK PIN for TPM. -# This is an alternative method to srk-pin-file. -#srk-pin = 1234 - -# The Certificate Authority that will be used to verify -# client certificates (public keys) if certificate authentication -# is set. -ca-cert = /etc/pki/ocserv/cacerts/ca.crt +#ocsp-response = /etc/ocserv/ocsp.der # The object identifier that will be used to read the user ID in the client # certificate. The object identifier should be part of the certificate's DN # Useful OIDs are: -# CN = 2.5.4.3, UID = 0.9.2342.19200300.100.1.1 +# CN = 2.5.4.3, UID = 0.9.2342.19200300.100.1.1, SAN(rfc822name) cert-user-oid = 0.9.2342.19200300.100.1.1 # The object identifier that will be used to read the user group in the -# client certificate. The object identifier should be part of the certificate's -# DN. Useful OIDs are: +# client certificate. The object identifier should be part of the certificate's +# DN. If the user may belong to multiple groups, then use multiple such fields +# in the certificate's DN. Useful OIDs are: # OU (organizational unit) = 2.5.4.11 #cert-group-oid = 2.5.4.11 
@@ -243,7 +265,7 @@ cert-user-oid = 0.9.2342.19200300.100.1.1 # See the manual to generate an empty CRL initially. The CRL will be reloaded # periodically when ocserv detects a change in the file. To force a reload use # SIGHUP. -#crl = /path/to/crl.pem +#crl = /etc/ocserv/crl.pem # Uncomment this to enable compression negotiation (LZS, LZ4). #compression = true @@ -268,14 +290,9 @@ cert-user-oid = 0.9.2342.19200300.100.1.1 # difference with AES_128_CBC_SHA1 (the default for anyconnect clients) # in your system. -#tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0" -tls-priorities = "@SYSTEM" - -# More combinations in priority strings are available, check -# http://gnutls.org/manual/html_node/Priority-Strings.html -# E.g., the string below enforces perfect forward secrecy (PFS) -# on the main channel. -#tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128" +# Note that in Fedora gnutls follows crypto policies so insecure options +# are disabled within it. +tls-priorities = "NORMAL:%SERVER_PRECEDENCE" # That option requires the established DTLS channel to use the same # cipher as the primary TLS channel. This cannot be combined with @@ -294,7 +311,9 @@ auth-timeout = 240 #idle-timeout = 1200 # The time (in seconds) that a client is allowed to stay connected -# Unset to disable. +# Unset to disable. When set a client will be disconnected after being +# continuously connected for this amount of time, and its cookies will +# be invalidated (i.e., re-authentication will be required). #session-timeout = 86400 # The time (in seconds) that a mobile client is allowed to stay idle (no 
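Review bot: `tls-priorities = "NORMAL:%SERVER_PRECEDENCE"` replaces the `"@SYSTEM"` that this hunk removes, so the ciphersuite set is now fixed by gnutls' built-in NORMAL profile instead of by the crypto policy the administrator selected with update-crypto-policies; as far as I can tell the system-wide gnutls overrides of that era only subtract algorithms from an explicit string, so choosing a stricter policy such as FUTURE would no longer change what ocserv offers. The new comment `# Note that in Fedora gnutls follows crypto policies so insecure options` reads as if the policy still applied in full, which does not match the line below it. If the goal is only server-side cipher ordering, `tls-priorities = "@SYSTEM:%SERVER_PRECEDENCE"` (gnutls accepts modifiers after a resolved @ keyword, as far as I know) would keep the policy and add the ordering; otherwise the comment should state plainly that only the algorithm blacklist, not the policy level, is inherited.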
@@ -316,10 +335,10 @@ min-reauth-time = 300 # locally from an HTTP server (i.e., when listen-clear-file is used). # # Set to zero to disable. -max-ban-score = 50 +max-ban-score = 80 # The time (in seconds) that all score kept for a client is reset. -ban-reset-time = 300 +ban-reset-time = 1200 # In case you'd like to change the default points. #ban-points-wrong-password = 10 @@ -328,11 +347,11 @@ ban-reset-time = 300 # Cookie timeout (in seconds) # Once a client is authenticated he's provided a cookie with -# which he can reconnect. That cookie will be invalided if not -# used within this timeout value. On a user disconnection, that -# cookie will also be active for this time amount prior to be -# invalid. That should allow a reasonable amount of time for roaming -# between different networks. +# which he can reconnect. That cookie will be invalidated if not +# used within this timeout value. This cookie remains valid, during +# the user's connected time, and after user disconnection it +# remains active for this amount of time. That setting should allow a +# reasonable amount of time for roaming between different networks. cookie-timeout = 300 # If this is enabled (not recommended) the cookies will stay 
@@ -362,10 +381,9 @@ rekey-method = ssl # Script to call when a client connects and obtains an IP. # The following parameters are passed on the environment. -# REASON, USERNAME, GROUPNAME, HOSTNAME (the hostname selected by client), -# DEVICE, IP_REAL (the real IP of the client), IP_REAL_LOCAL (the local -# interface IP the client connected), IP_LOCAL (the local IP -# in the P-t-P connection), IP_REMOTE (the VPN IP of the client), +# REASON, VHOST, USERNAME, GROUPNAME, DEVICE, IP_REAL (the real IP of the client), +# IP_REAL_LOCAL (the local interface IP the client connected), IP_LOCAL +# (the local IP in the P-t-P connection), IP_REMOTE (the VPN IP of the client), # IPV6_LOCAL (the IPv6 local address if there are both IPv4 and IPv6 # assigned), IPV6_REMOTE (the IPv6 remote address), IPV6_PREFIX, and # ID (a unique numeric ID); REASON may be "connect" or "disconnect". @@ -373,7 +391,8 @@ rekey-method = ssl # client), OCSERV_NO_ROUTES, OCSERV_DNS (the DNS servers for this client), # will contain a space separated list of routes or DNS servers. A version # of these variables with the 4 or 6 suffix will contain only the IPv4 or -# IPv6 values. +# IPv6 values. The connect script must return zero as exit code, or the +# client connection will be refused. # The disconnect script will receive the additional values: STATS_BYTES_IN, # STATS_BYTES_OUT, STATS_DURATION that contain a 64-bit counter of the bytes @@ -391,7 +410,7 @@ rekey-method = ssl # or via a unix socket). use-occtl = true -# PID file. It can be overriden in the command line. +# PID file. It can be overridden in the command line. pid-file = /var/run/ocserv.pid # Set the protocol-defined priority (SO_PRIORITY) for packets to 
@@ -424,6 +443,9 @@ default-domain = example.com # these network values should contain a network with at least a single # address that will remain under the full control of ocserv (that is # to be able to assign the local part of the tun device address). +# Note that, you could use addresses from a subnet of your LAN network if you +# enable [proxy arp in the LAN interface](http://ocserv.gitlab.io/www/recipes-ocserv-pseudo-bridge.html); +# in that case it is recommended to set ping-leases to true. #ipv4-network = 192.168.1.0 #ipv4-netmask = 255.255.255.0 @@ -431,7 +453,7 @@ default-domain = example.com #ipv4-network = 192.168.1.0/24 # The IPv6 subnet that leases will be given from. -#ipv6-network = fda9:4efe:7e3b:03ea::/64 +#ipv6-network = fda9:4efe:7e3b:03ea::/48 # Specify the size of the network to provide to clients. It is # generally recommended to provide clients with a /64 network in @@ -462,8 +484,10 @@ default-domain = example.com # IP range for leases. ping-leases = false -# Use this option to enforce an MTU value to the incoming +# Use this option to set a link MTU value to the incoming # connections. Unset to use the default MTU of the TUN device. +# Note that the MTU is negotiated using the value set and the +# value sent by the peer. #mtu = 1420 # Unset to enable bandwidth restrictions (in bytes/sec). The @@ -487,11 +511,15 @@ ping-leases = false #route = 10.10.10.0/255.255.255.0 #route = 192.168.0.0/255.255.0.0 #route = fef4:db8:1000:1001::/64 +#route = default # Subsets of the routes above that will not be routed by # the server. -#no-route = 192.168.5.0/255.255.255.0 +no-route = 192.168.5.0/255.255.255.0 + +# Note the that following two firewalling options currently are available +# in Linux systems with iptables software. # If set, the script /usr/bin/ocserv-fw will be called to restrict # the user to its allowed routes and prevent him from accessing 
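Review bot: `no-route = 192.168.5.0/255.255.255.0` in the last hunk on this line is now an active directive rather than the commented example it replaces, so every client is told to keep 192.168.5.0/24 outside the tunnel even though it is a sample value. In a packaged default config that silently excludes that subnet from the VPN for any site that actually uses it, and it sits next to `#route` examples that stay commented out. It should ship as `#no-route = 192.168.5.0/255.255.255.0` like the `#route = default` example above it, or carry a comment explaining why it is enabled by default.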
@@ -500,6 +528,15 @@ ping-leases = false # --removeall. This option can be set globally or in the per-user configuration. #restrict-user-to-routes = true +# This option implies restrict-user-to-routes set to true. If set, the +# script /usr/bin/ocserv-fw will be called to restrict the user to +# access specific ports in the network. This option can be set globally +# or in the per-user configuration. +#restrict-user-to-ports = "tcp(443), tcp(80), udp(443), sctp(99), tcp(583), icmp(), icmpv6()" + +# You could also use negation, i.e., block the user from accessing these ports only. +#restrict-user-to-ports = "!(tcp(443), tcp(80))" + # When set to true, all client's iroutes are made visible to all # connecting clients except for the ones offering them. This option # only makes sense if config-per-user is set. 
@@ -527,13 +564,18 @@ ping-leases = false # The options allowed in the configuration files are dns, nbns, # ipv?-network, ipv4-netmask, rx/tx-per-sec, iroute, route, no-route, # explicit-ipv4, explicit-ipv6, net-priority, deny-roaming, no-udp, -# user-profile, cgroup, stats-report-time, and session-timeout. +# keepalive, dpd, mobile-dpd, max-same-clients, tunnel-all-dns, +# restrict-user-to-routes, user-profile, cgroup, stats-report-time, +# mtu, idle-timeout, mobile-idle-timeout, restrict-user-to-ports, +# split-dns and session-timeout. # -# Note that the 'iroute' option allows to add routes on the server +# Note that the 'iroute' option allows one to add routes on the server # based on a user or group. The syntax depends on the input accepted # by the commands route-add-cmd and route-del-cmd (see below). The no-udp # is a boolean option (e.g., no-udp = true), and will prevent a UDP session -# for that specific user or group. +# for that specific user or group. The hostname option will set a +# hostname to override any proposed by the user. Note also, that, any +# routes, no-routes, DNS or NBNS servers present will overwrite the global ones. #config-per-user = /etc/ocserv/config-per-user/ #config-per-group = /etc/ocserv/config-per-group/ 
@@ -544,15 +586,15 @@ ping-leases = false #default-group-config = /etc/ocserv/defaults/group.conf # The system command to use to setup a route. %{R} will be replaced with the -# route/mask and %{D} with the (tun) device. +# route/mask, %{RI} with the route in CIDR format, and %{D} with the (tun) device. # -# The following example is from linux systems. %R should be something -# like 192.168.2.0/24 (the argument of iroute). +# The following example is from linux systems. %{R} should be something +# like 192.168.2.0/255.255.255.0 and %{RI} 192.168.2.0/24 (the argument of iroute). #route-add-cmd = "ip route add %{R} dev %{D}" #route-del-cmd = "ip route delete %{R} dev %{D}" -# This option allows to forward a proxy. The special keywords '%{U}' +# This option allows one to forward a proxy. The special keywords '%{U}' # and '%{G}', if present will be replaced by the username and group name. #proxy-url = http://example.com/ #proxy-url = http://example.com/%{U}/ 
@@ -562,14 +604,36 @@ ping-leases = false # KDC server. That is a translation URL between HTTP and Kerberos. # In MIT kerberos you'll need to add in realms: # EXAMPLE.COM = { -# kdc = https://ocserv.example.com/kerberos +# kdc = https://ocserv.example.com/KdcProxy # http_anchors = FILE:/etc/ocserv-ca.pem # } -# This option is available if ocserv is compiled with GSSAPI support. - -#kkdcp = SERVER-PATH KERBEROS-REALM PROTOCOL@SERVER:PORT -#kkdcp = /kerberos EXAMPLE.COM udp@127.0.0.1:88 -#kkdcp = /kerberos-tcp EXAMPLE.COM tcp@127.0.0.1:88 +# In some distributions the krb5-k5tls plugin of kinit is required. +# +# The following option is available in ocserv, when compiled with GSSAPI support. + +#kkdcp = "SERVER-PATH KERBEROS-REALM PROTOCOL@SERVER:PORT" +#kkdcp = "/KdcProxy KERBEROS.REALM udp@127.0.0.1:88" +#kkdcp = "/KdcProxy KERBEROS.REALM tcp@127.0.0.1:88" +#kkdcp = "/KdcProxy KERBEROS.REALM tcp@[::1]:88" + +# Client profile xml. This can be used to advertise alternative servers +# to the client. A minimal file can be: +# +# +# +# +# VPN Server name +# localhost +# +# +# +# +# Other fields may be used by some of the CISCO clients. +# This file must be accessible from inside the worker's chroot. +# Note that enabling this option is not recommended as it will allow +# the worker processes to open arbitrary files (when isolate-workers is +# set to true). +#user-profile = profile.xml # # The following options are for (experimental) AnyConnect client 
@@ -581,24 +645,19 @@ ping-leases = false # and openconnect clients < 7.08. When set to true, it implies dtls-legacy = true. cisco-client-compat = true -# This option allows to disable the DTLS-PSK negotiation (enabled by default). +# This option allows one to disable the DTLS-PSK negotiation (enabled by default). # The DTLS-PSK negotiation was introduced in ocserv 0.11.5 to deprecate # the pre-draft-DTLS negotiation inherited from AnyConnect. It allows the # DTLS channel to negotiate its ciphers and the DTLS protocol version. #dtls-psk = false -# This option allows to disable the legacy DTLS negotiation (enabled by default, +# This option allows one to disable the legacy DTLS negotiation (enabled by default, # but that may change in the future). # The legacy DTLS uses a pre-draft version of the DTLS protocol and was # from AnyConnect protocol. It has several limitations, that are addressed # by the dtls-psk protocol supported by openconnect 7.08+. dtls-legacy = true -# Client profile xml. A sample file exists in doc/profile.xml. -# It is required by some of the CISCO clients. -# This file must be accessible from inside the worker's chroot. -user-profile = profile.xml - #Advanced options # Option to allow sending arbitrary custom headers to the client after @@ -609,3 +668,23 @@ user-profile = profile.xml # and '%{G}', if present will be replaced by the username and group name. #custom-header = "X-My-Header: hi there" + + +## An example virtual host with different authentication methods serviced +## by this server. + +#[vhost:www.example.com] +#auth = "certificate" + +#ca-cert = /etc/ocserv/ca.pem + +# The certificate set here must include a 'dns_name' corresponding to +# the virtual host name. + +#server-cert = /etc/pki/ocserv/public/server.crt +#server-key = /etc/pki/ocserv/private/server.key + +#ipv4-network = 192.168.2.0 +#ipv4-netmask = 255.255.255.0 + +#cert-user-oid = 0.9.2342.19200300.100.1.1 
diff --git a/ocserv.spec b/ocserv.spec index 117a2be..fe5bd2f 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -1,6 +1,6 @@ # This spec file has been automatically updated Version: 0.12.6 -Release: 1%{?dist} +Release: 2%{?dist} %global _hardened_build 1 %if 0%{?fedora} || 0%{?rhel} >= 7 @@ -104,7 +104,7 @@ BuildRequires: libseccomp-devel %endif %endif -%endif #use systemd +%endif # no rubygem in epel7 %if 0%{?fedora} From b4cf8ae0e0ad61e74797cd987e99f8c13310639d Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Thu, 2 Jan 2020 12:54:02 +0100 Subject: [PATCH 124/177] updated configuration to mark profile as configuration --- ocserv.spec | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/ocserv.spec b/ocserv.spec index fe5bd2f..52ffb91 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -1,6 +1,6 @@ # This spec file has been automatically updated Version: 0.12.6 -Release: 2%{?dist} +Release: 3%{?dist} %global _hardened_build 1 %if 0%{?fedora} || 0%{?rhel} >= 7 @@ -230,7 +230,7 @@ install -p -m 755 %{SOURCE8} %{buildroot}/%{_sbindir} mkdir -p %{buildroot}/%{_bindir} install -p -m 755 %{SOURCE9} %{buildroot}/%{_bindir} -%if 0%{?rhel} +%if 0%{?rhel} && 0%{?rhel} <= 7 sed -i 's|expiration_days=-1|expiration_days=9999|' %{buildroot}/%{_sbindir}/ocserv-genkey sed -i 's|tls-priorities = "@SYSTEM"|tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0"|' %{buildroot}/%{_sysconfdir}/ocserv/ocserv.conf %if 0%{?rhel} <= 6 @@ -256,6 +256,7 @@ install -D -m 0755 %{SOURCE11} %{buildroot}/%{_initrddir}/%{name} %config(noreplace) %{_sysconfdir}/ocserv/ocserv.conf %config(noreplace) %{_sysconfdir}/pam.d/ocserv +%config(noreplace) %{_localstatedir}/lib/ocserv/profile.xml %doc AUTHORS ChangeLog NEWS COPYING LICENSE README.md TODO PACKAGE-LICENSING %doc src/ccan/licenses/CC0 src/ccan/licenses/LGPL-2.1 src/ccan/licenses/BSD-MIT From f19405cd011bb3f9201ba8b96eb8baffa9ffa655 Mon Sep 17 00:00:00 2001 
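Review bot: The `sed -i 's|tls-priorities = "@SYSTEM"|tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0"|'` that the `@@ -230,7 +230,7 @@` hunk now limits to `0%{?rhel} <= 7` matches nothing any more, because the preceding `ocserv.conf: updated to latest upstream version` commit replaced `@SYSTEM` with `NORMAL:%SERVER_PRECEDENCE` in the shipped config; RHEL 7 builds therefore get the new string without the `%COMPAT:-VERS-SSL3.0` adjustments the old spec evidently wanted there. Either update the pattern, e.g. `sed -i 's|tls-priorities = "NORMAL:%SERVER_PRECEDENCE"|tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0"|'`, or drop the dead line and say in a comment why RHEL 7 no longer needs it. The `%if` block continues past the end of the hunk.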
From: Fedora Release Engineering Date: Wed, 29 Jan 2020 19:52:52 +0000 Subject: [PATCH 125/177] - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- ocserv.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/ocserv.spec b/ocserv.spec index 52ffb91..740f4cc 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -1,6 +1,6 @@ # This spec file has been automatically updated Version: 0.12.6 -Release: 3%{?dist} +Release: 4%{?dist} %global _hardened_build 1 %if 0%{?fedora} || 0%{?rhel} >= 7 @@ -279,6 +279,9 @@ install -D -m 0755 %{SOURCE11} %{buildroot}/%{_initrddir}/%{name} %endif %changelog +* Wed Jan 29 2020 Fedora Release Engineering - 0.12.6-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + * Sat Dec 28 2019 Nikos Mavrogiannopoulos - 0.12.6-1 - Update to upstream 0.12.6 release From 1b15fbdbe8ce0ad8492d19f3b3fcf49dd7083dc9 Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Fri, 20 Mar 2020 14:27:23 +0100 Subject: [PATCH 126/177] Update to 1.0.0-1 - Update to upstream 1.0.0 release --- .gitignore | 11 +++++++++++ ocserv.spec | 7 +++++-- sources | 6 +++--- 3 files changed, 19 insertions(+), 5 deletions(-) diff --git a/.gitignore b/.gitignore index 6270347..acefa7a 100644 --- a/.gitignore +++ b/.gitignore @@ -203,3 +203,14 @@ /gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg /ocserv-0.12.6.tar.xz.sig /ocserv-0.12.6.tar.xz +/ocserv.init +/gpgkey-56EE7FA9E8173B19FE86268D763712747F343FA7.gpg +/ocserv-script +/ocserv-genkey +/PACKAGE-LICENSING +/ocserv-pamd.conf +/ocserv.service +/ocserv.conf +/gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg +/ocserv-1.0.0.tar.xz.sig +/ocserv-1.0.0.tar.xz diff --git a/ocserv.spec b/ocserv.spec index 740f4cc..2cdba2e 100644 --- a/ocserv.spec +++ b/ocserv.spec 
@@ -1,6 +1,6 @@ # This spec file has been automatically updated -Version: 0.12.6 -Release: 4%{?dist} +Version: 1.0.0 +Release: 1%{?dist} %global _hardened_build 1 %if 0%{?fedora} || 0%{?rhel} >= 7 @@ -279,6 +279,9 @@ install -D -m 0755 %{SOURCE11} %{buildroot}/%{_initrddir}/%{name} %endif %changelog +* Fri Mar 20 2020 Nikos Mavrogiannopoulos - 1.0.0-1 +- Update to upstream 1.0.0 release + * Wed Jan 29 2020 Fedora Release Engineering - 0.12.6-4 - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild diff --git a/sources b/sources index 7ff8e74..d7ee406 100644 --- a/sources +++ b/sources 
@@ -5,7 +5,7 @@ SHA512 (ocserv-genkey) = e898144fd977e4c57c4a9a5480b38f6a166c0281c41500c3fa9b7e1
 SHA512 (PACKAGE-LICENSING) = eea2a2a4765c90d874c79bb72d754c8b26b58d5e5b3c3cee10c24754fbba6849fd91f7b28e380b5db9789a456f95fc94b3bd8fe8c160a98c8042f404479ecb68
 SHA512 (ocserv-pamd.conf) = 3a75f19d89ddd164f3faa9c3579c7f675fc58413a194f43ec28eee7ebced6fee3f4ca305fe9b0ddf76ae39cd669e8d3d63b58afbbf19b84e4ca646ae7f42d61a
 SHA512 (ocserv.service) = 2b258b2e9d211c9626e9e5c67b6c2573b713e0f490917ed1c84c2bb2708f874026ddb55dceb9585e491f86de5d3c8cd400bba864d12966ae96609cc4ce6413d2
-SHA512 (ocserv.conf) = 5b68a3547c6c69bf7c2b322692d6382162a587c47edad97690223c36f30ed98d3869d1ce063c630740d91888a4d70aadd657ddc6052c10e6e26800fca2e9d0c0
+SHA512 (ocserv.conf) = 95260fb4e9f60ae0de69669f88e786d169f8ccc561cfd4cacb06b32bbfcfadaaa97469192852c53f7b689aa801b8d777568372e69ac758279b0a8b7a89361350
 SHA512 (gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg) = 3b1989dc6a64d1140f83a2af0773da2adb03c50d97b6da7357cf09525050651aafa21131f1e3180baa540a8af922119a256f5ff5bcd6602996a806e8e1816bad
-SHA512 (ocserv-0.12.6.tar.xz.sig) = 8791479c6f1e6e8c6fd7b6f08857c5e6c1fc81ebc9a11c55231a049c27e2ee9f0bf938ccf1b66fb704eafb26cda6c9595f54edffa265d732dd640e8123538313
-SHA512 (ocserv-0.12.6.tar.xz) = 4d254298dc897304b4676f28a21338c138196cbdb08170c6d536c8c6730fab307642dbf853f96e66335604cb68711262678d3d0be84e6768ec720b9a81ccf813
+SHA512 (ocserv-1.0.0.tar.xz.sig) = f7e9c1c73a6668592b7cf849b0e2ef6555f3c6d3cbc1331da75f78c7fa1ee4d4ce831fba5a90d83df4c5e184d7724961a61a95f579e27464143d5fd241918acd
+SHA512 (ocserv-1.0.0.tar.xz) = 6f396c9180004f8d439e094f9de0490016b085dad6bd7a5d17d3433480b37de65c25fc0c52452f5ea408bb7bc997ddcbfcdd80a3bbe454af3267aa14edbb3df9
From 2ed4cf2e996cceb4aec0cbfcef3603f7b8256e66 Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Thu, 9 Apr 2020 14:28:18 +0200 Subject: [PATCH 127/177] sources: removed unnecessary files --- sources | 9 --------- 1 file changed, 9 deletions(-)
diff --git a/sources b/sources
index d7ee406..b2918a0 100644
--- a/sources
+++ b/sources
@@ -1,11 +1,2 @@
-SHA512 (ocserv.init) = 7c3256dd0f7d5882c4e126c95209084e2476f7d8d142af137f46c5987364982eb88044bfa5d587ebc397ebd379edb40f22e5c97c0276764be982a27715a9c601
-SHA512 (gpgkey-56EE7FA9E8173B19FE86268D763712747F343FA7.gpg) = c664fd9999cbf9912eeea88ee3a2c356df3f70813a664bb7a7f592be258c12bdeb9e99e4aa9a368c1f123ee449eb08e288d1dc3dcf81e849a958ece6eab82d67
-SHA512 (ocserv-script) = 6d77ebe95d23469d96b45b1ac8de7a062cb1360febd0f9664b42debf0494891a522e3da8feec53d22b84e39ad349a1824b7ecd6b6b8f0790edf75aed1087e2d0
-SHA512 (ocserv-genkey) = e898144fd977e4c57c4a9a5480b38f6a166c0281c41500c3fa9b7e142197c4525d3fb90846a738e38d217116dc33c2ba5c16ec3e11de0dbf4d834e204c598eac
-SHA512 (PACKAGE-LICENSING) = eea2a2a4765c90d874c79bb72d754c8b26b58d5e5b3c3cee10c24754fbba6849fd91f7b28e380b5db9789a456f95fc94b3bd8fe8c160a98c8042f404479ecb68
-SHA512 (ocserv-pamd.conf) = 3a75f19d89ddd164f3faa9c3579c7f675fc58413a194f43ec28eee7ebced6fee3f4ca305fe9b0ddf76ae39cd669e8d3d63b58afbbf19b84e4ca646ae7f42d61a
-SHA512 (ocserv.service) = 2b258b2e9d211c9626e9e5c67b6c2573b713e0f490917ed1c84c2bb2708f874026ddb55dceb9585e491f86de5d3c8cd400bba864d12966ae96609cc4ce6413d2
-SHA512 (ocserv.conf) = 95260fb4e9f60ae0de69669f88e786d169f8ccc561cfd4cacb06b32bbfcfadaaa97469192852c53f7b689aa801b8d777568372e69ac758279b0a8b7a89361350
-SHA512 (gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg) = 3b1989dc6a64d1140f83a2af0773da2adb03c50d97b6da7357cf09525050651aafa21131f1e3180baa540a8af922119a256f5ff5bcd6602996a806e8e1816bad
 SHA512 (ocserv-1.0.0.tar.xz.sig) = f7e9c1c73a6668592b7cf849b0e2ef6555f3c6d3cbc1331da75f78c7fa1ee4d4ce831fba5a90d83df4c5e184d7724961a61a95f579e27464143d5fd241918acd
 SHA512 (ocserv-1.0.0.tar.xz) = 6f396c9180004f8d439e094f9de0490016b085dad6bd7a5d17d3433480b37de65c25fc0c52452f5ea408bb7bc997ddcbfcdd80a3bbe454af3267aa14edbb3df9
From ad75870eb95717c3f745841e8ad2a2c1319f8a22 Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos Date: Thu, 9 Apr 2020 23:12:59 +0200 Subject: [PATCH 128/177] Update to 1.0.1-1 - Update to upstream 1.0.1 release --- .gitignore | 11 +++++++++++ ocserv.spec | 5 ++++- sources | 13 +++++++++++-- 3 files changed, 26 insertions(+), 3 deletions(-) diff --git a/.gitignore b/.gitignore index acefa7a..7bde321 100644 --- a/.gitignore +++ b/.gitignore @@ -214,3 +214,14 @@ /gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg /ocserv-1.0.0.tar.xz.sig /ocserv-1.0.0.tar.xz +/ocserv.init +/gpgkey-56EE7FA9E8173B19FE86268D763712747F343FA7.gpg +/ocserv-script +/ocserv-genkey +/PACKAGE-LICENSING +/ocserv-pamd.conf +/ocserv.service +/ocserv.conf +/gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg +/ocserv-1.0.1.tar.xz.sig +/ocserv-1.0.1.tar.xz diff --git a/ocserv.spec b/ocserv.spec index 2cdba2e..0f85f1c 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -1,5 +1,5 @@ # This spec file has been automatically updated -Version: 1.0.0 +Version: 1.0.1 Release: 1%{?dist} %global _hardened_build 1 @@ -279,6 +279,9 @@ install -D -m 0755 %{SOURCE11} %{buildroot}/%{_initrddir}/%{name} %endif %changelog +* Thu Apr 09 2020 Nikos Mavrogiannopoulos - 1.0.1-1 +- Update to upstream 1.0.1 release + * Fri Mar 20 2020 Nikos Mavrogiannopoulos - 1.0.0-1 - Update to upstream 1.0.0 release diff --git a/sources b/sources index b2918a0..4fe1ae5 100644 --- a/sources +++ b/sources 
@@ -1,2 +1,11 @@
-SHA512 (ocserv-1.0.0.tar.xz.sig) = f7e9c1c73a6668592b7cf849b0e2ef6555f3c6d3cbc1331da75f78c7fa1ee4d4ce831fba5a90d83df4c5e184d7724961a61a95f579e27464143d5fd241918acd
-SHA512 (ocserv-1.0.0.tar.xz) = 6f396c9180004f8d439e094f9de0490016b085dad6bd7a5d17d3433480b37de65c25fc0c52452f5ea408bb7bc997ddcbfcdd80a3bbe454af3267aa14edbb3df9
+SHA512 (ocserv.init) = 7c3256dd0f7d5882c4e126c95209084e2476f7d8d142af137f46c5987364982eb88044bfa5d587ebc397ebd379edb40f22e5c97c0276764be982a27715a9c601
+SHA512 (gpgkey-56EE7FA9E8173B19FE86268D763712747F343FA7.gpg) = c664fd9999cbf9912eeea88ee3a2c356df3f70813a664bb7a7f592be258c12bdeb9e99e4aa9a368c1f123ee449eb08e288d1dc3dcf81e849a958ece6eab82d67
+SHA512 (ocserv-script) = 6d77ebe95d23469d96b45b1ac8de7a062cb1360febd0f9664b42debf0494891a522e3da8feec53d22b84e39ad349a1824b7ecd6b6b8f0790edf75aed1087e2d0
+SHA512 (ocserv-genkey) = e898144fd977e4c57c4a9a5480b38f6a166c0281c41500c3fa9b7e142197c4525d3fb90846a738e38d217116dc33c2ba5c16ec3e11de0dbf4d834e204c598eac
+SHA512 (PACKAGE-LICENSING) = eea2a2a4765c90d874c79bb72d754c8b26b58d5e5b3c3cee10c24754fbba6849fd91f7b28e380b5db9789a456f95fc94b3bd8fe8c160a98c8042f404479ecb68
+SHA512 (ocserv-pamd.conf) = 3a75f19d89ddd164f3faa9c3579c7f675fc58413a194f43ec28eee7ebced6fee3f4ca305fe9b0ddf76ae39cd669e8d3d63b58afbbf19b84e4ca646ae7f42d61a
+SHA512 (ocserv.service) = 2b258b2e9d211c9626e9e5c67b6c2573b713e0f490917ed1c84c2bb2708f874026ddb55dceb9585e491f86de5d3c8cd400bba864d12966ae96609cc4ce6413d2
+SHA512 (ocserv.conf) = 95260fb4e9f60ae0de69669f88e786d169f8ccc561cfd4cacb06b32bbfcfadaaa97469192852c53f7b689aa801b8d777568372e69ac758279b0a8b7a89361350
+SHA512 (gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg) = 3b1989dc6a64d1140f83a2af0773da2adb03c50d97b6da7357cf09525050651aafa21131f1e3180baa540a8af922119a256f5ff5bcd6602996a806e8e1816bad
+SHA512 (ocserv-1.0.1.tar.xz.sig) = 525e3cd0a649129332496a6f6c18b22f1c7329865d23479a25e774f8d6cfa6b60a46473024544bdc5c1204ed8d982a5ee73847f6838ab44e47f328f087c07601
+SHA512 
(ocserv-1.0.1.tar.xz) = 953e1b6084f68f8627b5383e28b5fcde987881e66feac645a40fa37d895f0711b171c9029c3703773dfbd5432d747f92c71af9240c2df3381599902a7d5fe880 From b41463a994418a2dd24b93e4112177aca9b8b6f3 Mon Sep 17 00:00:00 2001 From: Igor Raits Date: Wed, 15 Apr 2020 17:51:43 +0200 Subject: [PATCH 129/177] Rebuild for http-parser 2.9.4 Signed-off-by: Igor Raits --- ocserv.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/ocserv.spec b/ocserv.spec index 0f85f1c..2782492 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -1,6 +1,6 @@ # This spec file has been automatically updated Version: 1.0.1 -Release: 1%{?dist} +Release: 2%{?dist} %global _hardened_build 1 %if 0%{?fedora} || 0%{?rhel} >= 7 @@ -279,6 +279,9 @@ install -D -m 0755 %{SOURCE11} %{buildroot}/%{_initrddir}/%{name} %endif %changelog +* Wed Apr 15 2020 Igor Raits - 1.0.1-2 +- Rebuild for http-parser 2.9.4 + * Thu Apr 09 2020 Nikos Mavrogiannopoulos - 1.0.1-1 - Update to upstream 1.0.1 release From 4a1f58542c385391a2fe0e40a19ca367905b22ad Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Fri, 1 May 2020 19:48:41 +0200 Subject: [PATCH 130/177] sources: removed unnecessary files Signed-off-by: Nikos Mavrogiannopoulos --- sources | 9 --------- 1 file changed, 9 deletions(-) diff --git a/sources b/sources index 4fe1ae5..8d6f956 100644 --- a/sources +++ b/sources 
@@ -1,11 +1,2 @@
-SHA512 (ocserv.init) = 7c3256dd0f7d5882c4e126c95209084e2476f7d8d142af137f46c5987364982eb88044bfa5d587ebc397ebd379edb40f22e5c97c0276764be982a27715a9c601
-SHA512 (gpgkey-56EE7FA9E8173B19FE86268D763712747F343FA7.gpg) = c664fd9999cbf9912eeea88ee3a2c356df3f70813a664bb7a7f592be258c12bdeb9e99e4aa9a368c1f123ee449eb08e288d1dc3dcf81e849a958ece6eab82d67
-SHA512 (ocserv-script) = 6d77ebe95d23469d96b45b1ac8de7a062cb1360febd0f9664b42debf0494891a522e3da8feec53d22b84e39ad349a1824b7ecd6b6b8f0790edf75aed1087e2d0
-SHA512 (ocserv-genkey) = e898144fd977e4c57c4a9a5480b38f6a166c0281c41500c3fa9b7e142197c4525d3fb90846a738e38d217116dc33c2ba5c16ec3e11de0dbf4d834e204c598eac
-SHA512 (PACKAGE-LICENSING) = eea2a2a4765c90d874c79bb72d754c8b26b58d5e5b3c3cee10c24754fbba6849fd91f7b28e380b5db9789a456f95fc94b3bd8fe8c160a98c8042f404479ecb68
-SHA512 (ocserv-pamd.conf) = 3a75f19d89ddd164f3faa9c3579c7f675fc58413a194f43ec28eee7ebced6fee3f4ca305fe9b0ddf76ae39cd669e8d3d63b58afbbf19b84e4ca646ae7f42d61a
-SHA512 (ocserv.service) = 2b258b2e9d211c9626e9e5c67b6c2573b713e0f490917ed1c84c2bb2708f874026ddb55dceb9585e491f86de5d3c8cd400bba864d12966ae96609cc4ce6413d2
-SHA512 (ocserv.conf) = 95260fb4e9f60ae0de69669f88e786d169f8ccc561cfd4cacb06b32bbfcfadaaa97469192852c53f7b689aa801b8d777568372e69ac758279b0a8b7a89361350
-SHA512 (gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg) = 3b1989dc6a64d1140f83a2af0773da2adb03c50d97b6da7357cf09525050651aafa21131f1e3180baa540a8af922119a256f5ff5bcd6602996a806e8e1816bad
 SHA512 (ocserv-1.0.1.tar.xz.sig) = 525e3cd0a649129332496a6f6c18b22f1c7329865d23479a25e774f8d6cfa6b60a46473024544bdc5c1204ed8d982a5ee73847f6838ab44e47f328f087c07601
 SHA512 (ocserv-1.0.1.tar.xz) = 953e1b6084f68f8627b5383e28b5fcde987881e66feac645a40fa37d895f0711b171c9029c3703773dfbd5432d747f92c71af9240c2df3381599902a7d5fe880
From 67850255cf5499cf964875e1ee96c2cf7914ce0b Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos Date: Wed, 6 May 2020 19:56:44 +0200 Subject: [PATCH 131/177] Requirements turned to recommendations This enables ocserv being used without these dependencies. --- ocserv.spec | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ocserv.spec b/ocserv.spec index 2782492..123b5fe 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -111,9 +111,9 @@ BuildRequires: libseccomp-devel BuildRequires: rubygem(ronn) %endif -Requires: gnutls-utils -Requires: iproute -Requires: pam +Recommends: gnutls-utils +Recommends: iproute +Recommends: pam Requires(pre): shadow-utils %if %{use_systemd} Requires(post): systemd From 8c0e03af5de5a5f2db52098fd9a0285a73b582ec Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Tue, 16 Jun 2020 19:46:48 +0200 Subject: [PATCH 132/177] updated to 1.1.0 --- .gitignore | 2 ++ ocserv.spec | 11 ++++++++--- sources | 4 ++-- 3 files changed, 12 insertions(+), 5 deletions(-) diff --git a/.gitignore b/.gitignore index 7bde321..00721b2 100644 --- a/.gitignore +++ b/.gitignore @@ -225,3 +225,5 @@ /gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg /ocserv-1.0.1.tar.xz.sig /ocserv-1.0.1.tar.xz +/ocserv-1.1.0.tar.xz +/ocserv-1.1.0.tar.xz.sig diff --git a/ocserv.spec b/ocserv.spec index 123b5fe..3eb5c60 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -1,6 +1,6 @@ # This spec file has been automatically updated -Version: 1.0.1 -Release: 2%{?dist} +Version: 1.1.0 +Release: 1%{?dist} %global _hardened_build 1 %if 0%{?fedora} || 0%{?rhel} >= 7 @@ -57,6 +57,7 @@ BuildRequires: gnutls-devel %endif BuildRequires: pam-devel BuildRequires: iproute +BuildRequires: openconnect %if (0%{?use_local_protobuf} == 0) BuildRequires: protobuf-c-devel @@ -203,7 +204,7 @@ mkdir -p -m 700 %{_sysconfdir}/pki/ocserv/private mkdir -p %{_sysconfdir}/pki/ocserv/cacerts %check -make check %{?_smp_mflags} +make check %{?_smp_mflags} XFAIL_TESTS=test-sighup-key-change %if %{use_systemd} %post 
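Review bot: Demoting `Requires: pam` to `Recommends: pam` is recorded nowhere an administrator would see it: the hunk adds no %changelog entry and bumps no Release, yet the packaged ocserv.conf keeps `auth = "pam"` and the package installs `%{_sysconfdir}/pam.d/ocserv` (both visible in later hunks on this page), so an install with weak dependencies disabled gets a default configuration whose authentication backend may not be usable. A changelog line such as `- gnutls-utils, iproute and pam are now Recommends; the default auth = "pam" needs the pam package installed` would record the trade-off. Whether libpam itself is still pulled in through the automatic library dependency cannot be told from this hunk.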
@@ -270,6 +271,7 @@ install -D -m 0755 %{SOURCE11} %{buildroot}/%{_initrddir}/%{name} %{_bindir}/ocserv-fw %{_bindir}/ocserv-script %{_sbindir}/ocserv +%{_sbindir}/ocserv-worker %{_sbindir}/ocserv-genkey %{_localstatedir}/lib/ocserv/profile.xml %if %{use_systemd} @@ -279,6 +281,9 @@ install -D -m 0755 %{SOURCE11} %{buildroot}/%{_initrddir}/%{name} %endif %changelog +* Tue Jun 16 2020 Nikos Mavrogiannopoulos - 1.1.0-1 +- Update to upstream 1.1.0 release (introduces ocserv-worker) + * Wed Apr 15 2020 Igor Raits - 1.0.1-2 - Rebuild for http-parser 2.9.4 diff --git a/sources b/sources index 8d6f956..9db8d9c 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (ocserv-1.0.1.tar.xz.sig) = 525e3cd0a649129332496a6f6c18b22f1c7329865d23479a25e774f8d6cfa6b60a46473024544bdc5c1204ed8d982a5ee73847f6838ab44e47f328f087c07601 -SHA512 (ocserv-1.0.1.tar.xz) = 953e1b6084f68f8627b5383e28b5fcde987881e66feac645a40fa37d895f0711b171c9029c3703773dfbd5432d747f92c71af9240c2df3381599902a7d5fe880 +SHA512 (ocserv-1.1.0.tar.xz) = 10a589ccf28bf9568e602fc26d9133c78a840205f1a777d62cb52b680221bdaa8c231c37a95587b3494437dafc649b40f71be05a4868646c48efb3d873615861 +SHA512 (ocserv-1.1.0.tar.xz.sig) = 29c4082fa34327663ce6bcd29102c2eba088d79049e6637fabd048c8310fa9ff27853f06ef696c19ef66c146ce9e6e455cecc0261676a6ed343de731142f2022 From babbac89f7dfa322f20cd76a45675a145e305374 Mon Sep 17 00:00:00 2001 From: Adrian Reber Date: Sun, 21 Jun 2020 21:06:36 +0200 Subject: [PATCH 133/177] Rebuilt for protobuf 3.12 --- ocserv.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/ocserv.spec b/ocserv.spec index 3eb5c60..b3e1edb 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -1,6 +1,6 @@ # This spec file has been automatically updated Version: 1.1.0 -Release: 1%{?dist} +Release: 2%{?dist} %global _hardened_build 1 %if 0%{?fedora} || 0%{?rhel} >= 7 
@@ -281,6 +281,9 @@ install -D -m 0755 %{SOURCE11} %{buildroot}/%{_initrddir}/%{name} %endif %changelog +* Sun Jun 21 2020 Adrian Reber - 1.1.0-2 +- Rebuilt for protobuf 3.12 + * Tue Jun 16 2020 Nikos Mavrogiannopoulos - 1.1.0-1 - Update to upstream 1.1.0 release (introduces ocserv-worker) From 019fa4784fdfdd25cb03a721c3ab6abd60bbeb3d Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Tue, 28 Jul 2020 12:24:17 +0000 Subject: [PATCH 134/177] - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- ocserv.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/ocserv.spec b/ocserv.spec index b3e1edb..dca7776 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -1,6 +1,6 @@ # This spec file has been automatically updated Version: 1.1.0 -Release: 2%{?dist} +Release: 3%{?dist} %global _hardened_build 1 %if 0%{?fedora} || 0%{?rhel} >= 7 @@ -281,6 +281,9 @@ install -D -m 0755 %{SOURCE11} %{buildroot}/%{_initrddir}/%{name} %endif %changelog +* Tue Jul 28 2020 Fedora Release Engineering - 1.1.0-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + * Sun Jun 21 2020 Adrian Reber - 1.1.0-2 - Rebuilt for protobuf 3.12 From 71f2d63baa1480f2d7cc87fb7e0cabfb0a1cfa82 Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Mon, 21 Sep 2020 12:37:59 +0200 Subject: [PATCH 135/177] updated to 1.1.1 --- .gitignore | 2 ++ ocserv.conf | 13 +++++++++---- ocserv.spec | 8 +++++--- sources | 4 ++-- 4 files changed, 18 insertions(+), 9 deletions(-) diff --git a/.gitignore b/.gitignore index 00721b2..20cd616 100644 --- a/.gitignore +++ b/.gitignore @@ -227,3 +227,5 @@ /ocserv-1.0.1.tar.xz /ocserv-1.1.0.tar.xz /ocserv-1.1.0.tar.xz.sig +/ocserv-1.1.1.tar.xz +/ocserv-1.1.1.tar.xz.sig diff --git a/ocserv.conf b/ocserv.conf index 59d8e75..5daa176 100644 --- a/ocserv.conf +++ b/ocserv.conf 
@@ -176,9 +176,12 @@ server-key = /etc/pki/ocserv/private/server.key # information at: https://gitlab.com/ocserv/ocserv/issues isolate-workers = true -# A banner to be displayed on clients +# A banner to be displayed on clients after connection #banner = "Welcome" +# A banner to be displayed on clients before connection +#pre-login-banner = "Welcome" + # Limit the number of clients. Unset or set to zero for unlimited. #max-clients = 1024 max-clients = 16 @@ -195,9 +198,11 @@ max-same-clients = 2 # is recommended as it is more efficient in parsing. #listen-proxy-proto = true -# Limit the number of client connections to one every X milliseconds -# (X is the provided value). Set to zero for no limit. -#rate-limit-ms = 100 +# Rate limit the number of incoming connections to one every X milliseconds +# (X is the provided value), as the secmod backlog grows. This +# makes the server more resilient (and prevents connection failures) on +# multiple concurrent connections. Set to zero for no limit. +rate-limit-ms = 100 # Stats report time. The number of seconds after which each # worker process will report its usage statistics (number of diff --git a/ocserv.spec b/ocserv.spec index dca7776..f3305db 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -1,6 +1,5 @@ -# This spec file has been automatically updated -Version: 1.1.0 -Release: 3%{?dist} +Version: 1.1.1 +Release: 1%{?dist} %global _hardened_build 1 %if 0%{?fedora} || 0%{?rhel} >= 7 @@ -281,6 +280,9 @@ install -D -m 0755 %{SOURCE11} %{buildroot}/%{_initrddir}/%{name} %endif %changelog +* Thu Sep 21 2020 Nikos Mavrogiannopoulos - 1.1.1-1 +- Update to upstream 1.1.1 release + * Tue Jul 28 2020 Fedora Release Engineering - 1.1.0-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild diff --git a/sources b/sources index 9db8d9c..b716d8a 100644 --- a/sources +++ b/sources 
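Review bot: `rate-limit-ms = 100` becomes an active setting in the packaged ocserv.conf where the old text only showed it as a commented example, so new installs now rate-limit incoming connections by default, and the %changelog entry added in the same commit (`- Update to upstream 1.1.1 release`) mentions neither this nor the new `#pre-login-banner` example. A changelog line like `- ocserv.conf: enable rate-limit-ms = 100 by default; add pre-login-banner example` would make the behavioural change visible to administrators comparing configurations after an upgrade. The phrase `as the secmod backlog grows` in the new comment is also hard to parse; `when the secmod backlog grows` reads more clearly, if the intent is that the limit only takes effect under load.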
@@ -1,2 +1,2 @@ -SHA512 (ocserv-1.1.0.tar.xz) = 10a589ccf28bf9568e602fc26d9133c78a840205f1a777d62cb52b680221bdaa8c231c37a95587b3494437dafc649b40f71be05a4868646c48efb3d873615861 -SHA512 (ocserv-1.1.0.tar.xz.sig) = 29c4082fa34327663ce6bcd29102c2eba088d79049e6637fabd048c8310fa9ff27853f06ef696c19ef66c146ce9e6e455cecc0261676a6ed343de731142f2022 +SHA512 (ocserv-1.1.1.tar.xz) = 1173416f0d32f9faf98e539c8e73316a50ac93b519d1ade19374a3df865d10d975e13ac53e0c5a5e77c80f3605d7a810287b18b85b798887d227389761b54220 +SHA512 (ocserv-1.1.1.tar.xz.sig) = 9fe0f3e2ea4daaf1d053c2cdc87d38dc8256feb11c16f93e7e677500457914a82e659901f77f6ec4ca175fceeec74e3f8d001412c969c18dcf486545bac83393 From ea091e0b7b5020168e953fe0ca25c2a5788d83fa Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Mon, 21 Sep 2020 12:42:52 +0200 Subject: [PATCH 136/177] documented crypto policies change --- ocserv.spec | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ocserv.spec b/ocserv.spec index f3305db..6c40b4e 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -282,6 +282,8 @@ install -D -m 0755 %{SOURCE11} %{buildroot}/%{_initrddir}/%{name} %changelog * Thu Sep 21 2020 Nikos Mavrogiannopoulos - 1.1.1-1 - Update to upstream 1.1.1 release +- Set default priorities to NORMAL as using @SYSTEM is no longer necessary + to follow crypto policies. * Tue Jul 28 2020 Fedora Release Engineering - 1.1.0-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild From 745079e26b223152e834f5c55cab8f34b5524bf6 Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Mon, 21 Sep 2020 12:51:06 +0200 Subject: [PATCH 137/177] added resumption to XFAIL This test seems to be failing --- ocserv.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ocserv.spec b/ocserv.spec index 6c40b4e..a88eea4 100644 --- a/ocserv.spec +++ b/ocserv.spec 
@@ -203,7 +203,7 @@ mkdir -p -m 700 %{_sysconfdir}/pki/ocserv/private mkdir -p %{_sysconfdir}/pki/ocserv/cacerts %check -make check %{?_smp_mflags} XFAIL_TESTS=test-sighup-key-change +make check %{?_smp_mflags} XFAIL_TESTS="test-sighup-key-change resumption" %if %{use_systemd} %post From 52adc1c385d8e21f07f97cdb8c113131e168702e Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Mon, 21 Sep 2020 12:52:20 +0200 Subject: [PATCH 138/177] ensure gnutls-utils are installed when building This is needed for certain tests --- ocserv.spec | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/ocserv.spec b/ocserv.spec index a88eea4..c1e65c2 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -57,6 +57,7 @@ BuildRequires: gnutls-devel BuildRequires: pam-devel BuildRequires: iproute BuildRequires: openconnect +BuildRequires: gnutls-utils %if (0%{?use_local_protobuf} == 0) BuildRequires: protobuf-c-devel @@ -203,7 +204,7 @@ mkdir -p -m 700 %{_sysconfdir}/pki/ocserv/private mkdir -p %{_sysconfdir}/pki/ocserv/cacerts %check -make check %{?_smp_mflags} XFAIL_TESTS="test-sighup-key-change resumption" +make check %{?_smp_mflags} XFAIL_TESTS=test-sighup-key-change %if %{use_systemd} %post From df7d3b4c34672216c749880f3c05a46eafa52594 Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Mon, 21 Sep 2020 13:01:57 +0200 Subject: [PATCH 139/177] removed xfail tests; they no longer fail --- ocserv.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ocserv.spec b/ocserv.spec index c1e65c2..41715c1 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -204,7 +204,7 @@ mkdir -p -m 700 %{_sysconfdir}/pki/ocserv/private mkdir -p %{_sysconfdir}/pki/ocserv/cacerts %check -make check %{?_smp_mflags} XFAIL_TESTS=test-sighup-key-change +make check %{?_smp_mflags} %if %{use_systemd} %post From bd9a292f76f01f3cb582f5e22ac6344e0249fbae Mon Sep 17 00:00:00 2001 
From: Nikos Mavrogiannopoulos Date: Mon, 21 Sep 2020 13:51:50 +0200 Subject: [PATCH 140/177] make check: be verbose --- ocserv.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ocserv.spec b/ocserv.spec index 41715c1..021a1fa 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -204,7 +204,7 @@ mkdir -p -m 700 %{_sysconfdir}/pki/ocserv/private mkdir -p %{_sysconfdir}/pki/ocserv/cacerts %check -make check %{?_smp_mflags} +make check %{?_smp_mflags} VERBOSE=1 %if %{use_systemd} %post From 184c39d298841228e48067a5f48adb5a9caf6d6f Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Mon, 21 Sep 2020 14:51:06 +0200 Subject: [PATCH 141/177] disable socket_wrapper on archs where it causes problems --- ocserv.spec | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/ocserv.spec b/ocserv.spec index 021a1fa..764219e 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -92,7 +92,11 @@ BuildRequires: systemd BuildRequires: systemd-devel BuildRequires: liboath-devel BuildRequires: uid_wrapper +# Disable socket_wrapper on certain architectures because it +# introduces new syscalls that the worker cannot handle. +%ifnarch aarch64 %{ix86} %{arm} BuildRequires: socket_wrapper +%endif BuildRequires: gnupg2 %if 0%{?rhel} && 0%{?rhel} >= 7 From b6e52d29bccf07c6abe1cd124f0e81a2240e2e6d Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Mon, 21 Sep 2020 15:12:40 +0200 Subject: [PATCH 142/177] corrected bogus date --- ocserv.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ocserv.spec b/ocserv.spec index 764219e..ef359eb 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -285,7 +285,7 @@ install -D -m 0755 %{SOURCE11} %{buildroot}/%{_initrddir}/%{name} %endif %changelog -* Thu Sep 21 2020 Nikos Mavrogiannopoulos - 1.1.1-1 +* Mon Sep 21 2020 Nikos Mavrogiannopoulos - 1.1.1-1 - Update to upstream 1.1.1 release - Set default priorities to NORMAL as using @SYSTEM is no longer necessary to follow crypto policies. 
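Review bot: Dropping `BuildRequires: socket_wrapper` for aarch64, %{ix86} and %{arm} also drops the tests that need it from %check on those architectures, because the packaged harness exits 77 (`Skipping test requiring ldpreload`) when the wrapper is unavailable (see the tests/common.sh context further down this page), so test coverage now silently differs per architecture. The comment on the `%ifnarch` should say so, e.g. `# socket_wrapper is unusable on these architectures (its preload hooks issue syscalls the worker does not allow); the tests that need it are skipped there.` That the blocked syscalls come from the worker's seccomp filter is inferred from a later patch on this page, not from this hunk.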
From 5ee6ad0f36bab8db247295cf86ec98d9fd63fedc Mon Sep 17 00:00:00 2001 From: Adrian Reber Date: Thu, 24 Sep 2020 14:42:40 +0200 Subject: [PATCH 143/177] Rebuilt for protobuf 3.13 --- ocserv.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/ocserv.spec b/ocserv.spec index ef359eb..16d62c8 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -1,5 +1,5 @@ Version: 1.1.1 -Release: 1%{?dist} +Release: 2%{?dist} %global _hardened_build 1 %if 0%{?fedora} || 0%{?rhel} >= 7 @@ -285,6 +285,9 @@ install -D -m 0755 %{SOURCE11} %{buildroot}/%{_initrddir}/%{name} %endif %changelog +* Thu Sep 24 2020 Adrian Reber - 1.1.1-2 +- Rebuilt for protobuf 3.13 + * Mon Sep 21 2020 Nikos Mavrogiannopoulos - 1.1.1-1 - Update to upstream 1.1.1 release - Set default priorities to NORMAL as using @SYSTEM is no longer necessary From fc6fc1e94fafeade3768a9b25ccd49c262b55049 Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Fri, 23 Oct 2020 15:00:03 +0200 Subject: [PATCH 144/177] do not treat TODO as document to install --- ocserv.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ocserv.spec b/ocserv.spec index 16d62c8..4705016 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -263,7 +263,7 @@ install -D -m 0755 %{SOURCE11} %{buildroot}/%{_initrddir}/%{name} %config(noreplace) %{_sysconfdir}/pam.d/ocserv %config(noreplace) %{_localstatedir}/lib/ocserv/profile.xml -%doc AUTHORS ChangeLog NEWS COPYING LICENSE README.md TODO PACKAGE-LICENSING +%doc AUTHORS ChangeLog NEWS COPYING LICENSE README.md PACKAGE-LICENSING %doc src/ccan/licenses/CC0 src/ccan/licenses/LGPL-2.1 src/ccan/licenses/BSD-MIT %{_mandir}/man8/ocserv.8* From 6326ab472dc5fb98fd8d627243180216c346dc2a Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Thu, 29 Oct 2020 09:54:59 +0100 Subject: [PATCH 145/177] rebuild without pcllib --- ocserv.spec | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/ocserv.spec b/ocserv.spec index 4705016..011ea59 100644 
--- a/ocserv.spec +++ b/ocserv.spec @@ -1,5 +1,5 @@ Version: 1.1.1 -Release: 2%{?dist} +Release: 3%{?dist} %global _hardened_build 1 %if 0%{?fedora} || 0%{?rhel} >= 7 @@ -67,7 +67,6 @@ BuildRequires: libnl3-devel BuildRequires: krb5-devel BuildRequires: libtasn1-devel BuildRequires: gperf -BuildRequires: pcllib-devel BuildRequires: libtalloc-devel BuildRequires: libev-devel %if %{use_http_parser} @@ -156,7 +155,6 @@ rm -rf src/protobuf/protobuf-c/ touch src/*.proto %endif rm -rf src/ccan/talloc -rm -f src/pcl/*.c src/pcl/*.h sed -i 's|/etc/ocserv.conf|/etc/ocserv/ocserv.conf|g' src/config.c sed -i 's/run-as-group = nogroup/run-as-group = nobody/g' tests/data/*.config # GPLv3 in headers is a gnulib bug: @@ -179,6 +177,7 @@ autoreconf -fvi %endif %configure \ + --without-pcl-lib \ %if %{use_systemd} --enable-systemd \ %else @@ -285,6 +284,9 @@ install -D -m 0755 %{SOURCE11} %{buildroot}/%{_initrddir}/%{name} %endif %changelog +* Thu Oct 29 2020 Nikos Mavrogiannopoulos - 1.1.1-3 +- Rebuilt without pcllib dependency + * Thu Sep 24 2020 Adrian Reber - 1.1.1-2 - Rebuilt for protobuf 3.13 From 361405c03bd3ce6a4ce282a1861777c94c011828 Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Thu, 29 Oct 2020 13:20:03 +0100 Subject: [PATCH 146/177] Compile with new glibc --- ocserv-1.1.1-socketwrapper.patch | 19 +++++++++++++++++++ ocserv.spec | 5 ++++- 2 files changed, 23 insertions(+), 1 deletion(-) create mode 100644 ocserv-1.1.1-socketwrapper.patch diff --git a/ocserv-1.1.1-socketwrapper.patch b/ocserv-1.1.1-socketwrapper.patch new file mode 100644 index 0000000..9f8b3c9 --- /dev/null +++ b/ocserv-1.1.1-socketwrapper.patch 
@@ -0,0 +1,19 @@ +diff --git a/src/worker-privs.c b/src/worker-privs.c +index ea503cd0..3d4d5fa4 100644 +--- a/src/worker-privs.c ++++ b/src/worker-privs.c +@@ -166,6 +166,14 @@ int disable_system_calls(struct worker_st *ws) + ADD_SYSCALL(fstat, 0); + ADD_SYSCALL(lseek, 0); + ++ /* if running under socketwrapper ensure we allow its calls */ ++ if (getenv("SOCKET_WRAPPER_DIR") != NULL) { ++ ADD_SYSCALL(stat64, 0); ++ ADD_SYSCALL(readlink, 0); ++ ADD_SYSCALL(newfstatat, 0); ++ ADD_SYSCALL(mmap, 0); ++ } ++ + ADD_SYSCALL(getsockopt, 0); + ADD_SYSCALL(setsockopt, 0); + diff --git a/ocserv.spec b/ocserv.spec index 011ea59..cf635cf 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -44,6 +44,7 @@ Source8: ocserv-genkey Source9: ocserv-script Source10: gpgkey-56EE7FA9E8173B19FE86268D763712747F343FA7.gpg Source11: ocserv.init +Patch0: ocserv-1.1.1-socketwrapper.patch # Taken from upstream: # http://git.infradead.org/ocserv.git/commitdiff/7d70006a2dbddf783213f1856374bacc74217e09 @@ -177,6 +178,7 @@ autoreconf -fvi %endif %configure \ + --with-seccomp-trap \ --without-pcl-lib \ %if %{use_systemd} --enable-systemd \ @@ -285,7 +287,8 @@ install -D -m 0755 %{SOURCE11} %{buildroot}/%{_initrddir}/%{name} %changelog * Thu Oct 29 2020 Nikos Mavrogiannopoulos - 1.1.1-3 -- Rebuilt without pcllib dependency +- Rebuild without pcllib dependency +- Enhanced seccomp filters for tests to run in all architectures * Thu Sep 24 2020 Adrian Reber - 1.1.1-2 - Rebuilt for protobuf 3.13 From 26ab9a4fb3d7607f4bc5c835218d4cae646d7b4b Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Fri, 30 Oct 2020 09:04:58 +0100 Subject: [PATCH 147/177] spec: removed seccomp-trap debugging option --- ocserv.spec | 1 - 1 file changed, 1 deletion(-) diff --git a/ocserv.spec b/ocserv.spec index cf635cf..3cabcd6 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -178,7 +178,6 @@ autoreconf -fvi %endif %configure \ - --with-seccomp-trap \ --without-pcl-lib \ %if %{use_systemd} --enable-systemd \ 
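Review bot: The new `ocserv-1.1.1-socketwrapper.patch` widens the worker's seccomp allow-list (`stat64`, `readlink`, `newfstatat`, `mmap`) whenever `SOCKET_WRAPPER_DIR` is present in the environment, and since it is applied as `Patch0` in %prep that check ends up in the installed worker binary rather than only in the %check build, so the sandbox can be relaxed by whatever environment the service happens to be started with. A build-time gate — wrapping the block in an `#ifdef <test-build define, placeholder>` that is defined only when the test suite is being built — would keep the production filter unchanged; if that is not practical, the trade-off should at least be recorded next to `Patch0:`, e.g. `# relaxes the worker seccomp filter when SOCKET_WRAPPER_DIR is set; needed for %check under socket_wrapper`. The changelog edit also files this under the existing 1.1.1-3 entry without a Release bump, so a -3 build without the wider filter cannot be told apart from one with it. `disable_system_calls()` begins and ends outside the hunk.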
From f4653b53904de7c2805ab5719c19e847ecab8136 Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Wed, 11 Nov 2020 23:18:03 +0100 Subject: [PATCH 148/177] rebuilt for new radcli --- ocserv.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/ocserv.spec b/ocserv.spec index 3cabcd6..c94ee9e 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -1,5 +1,5 @@ Version: 1.1.1 -Release: 3%{?dist} +Release: 4%{?dist} %global _hardened_build 1 %if 0%{?fedora} || 0%{?rhel} >= 7 @@ -285,6 +285,9 @@ install -D -m 0755 %{SOURCE11} %{buildroot}/%{_initrddir}/%{name} %endif %changelog +* Wed Nov 11 2020 Nikos Mavrogiannopoulos - 1.1.1-4 +- Rebuilt for radcli 1.3.0 + * Thu Oct 29 2020 Nikos Mavrogiannopoulos - 1.1.1-3 - Rebuild without pcllib dependency - Enhanced seccomp filters for tests to run in all architectures From 1400361cdd7e280622568f2d1fd4a40c90f6ebb3 Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Mon, 23 Nov 2020 12:05:38 +0100 Subject: [PATCH 149/177] Rebuilt for ronn successor --- ocserv.spec | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/ocserv.spec b/ocserv.spec index c94ee9e..e7178a9 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -1,5 +1,5 @@ Version: 1.1.1 -Release: 4%{?dist} +Release: 5%{?dist} %global _hardened_build 1 %if 0%{?fedora} || 0%{?rhel} >= 7 @@ -113,7 +113,7 @@ BuildRequires: libseccomp-devel # no rubygem in epel7 %if 0%{?fedora} -BuildRequires: rubygem(ronn) +BuildRequires: rubygem-ronn-ng %endif Recommends: gnutls-utils @@ -285,6 +285,9 @@ install -D -m 0755 %{SOURCE11} %{buildroot}/%{_initrddir}/%{name} %endif %changelog +* Mon Nov 23 2020 Nikos Mavrogiannopoulos - 1.1.1-5 +- Rebuilt for ronn successor + * Wed Nov 11 2020 Nikos Mavrogiannopoulos - 1.1.1-4 - Rebuilt for radcli 1.3.0 From e9d48e920a2233ac3640faa91d5afc25da24dda0 Mon Sep 17 00:00:00 2001 
From: Nikos Mavrogiannopoulos Date: Sun, 6 Dec 2020 14:11:06 +0100 Subject: [PATCH 150/177] Update to upstream 1.1.2 release --- .gitignore | 2 ++ ocserv-1.1.1-socketwrapper.patch | 19 ------------------- ocserv.conf | 6 ------ ocserv.spec | 8 +++++--- sources | 4 ++-- 5 files changed, 9 insertions(+), 30 deletions(-) delete mode 100644 ocserv-1.1.1-socketwrapper.patch diff --git a/.gitignore b/.gitignore index 20cd616..48fba86 100644 --- a/.gitignore +++ b/.gitignore @@ -229,3 +229,5 @@ /ocserv-1.1.0.tar.xz.sig /ocserv-1.1.1.tar.xz /ocserv-1.1.1.tar.xz.sig +/ocserv-1.1.2.tar.xz +/ocserv-1.1.2.tar.xz.sig diff --git a/ocserv-1.1.1-socketwrapper.patch b/ocserv-1.1.1-socketwrapper.patch deleted file mode 100644 index 9f8b3c9..0000000 --- a/ocserv-1.1.1-socketwrapper.patch +++ /dev/null @@ -1,19 +0,0 @@ -diff --git a/src/worker-privs.c b/src/worker-privs.c -index ea503cd0..3d4d5fa4 100644 ---- a/src/worker-privs.c -+++ b/src/worker-privs.c -@@ -166,6 +166,14 @@ int disable_system_calls(struct worker_st *ws) - ADD_SYSCALL(fstat, 0); - ADD_SYSCALL(lseek, 0); - -+ /* if running under socketwrapper ensure we allow its calls */ -+ if (getenv("SOCKET_WRAPPER_DIR") != NULL) { -+ ADD_SYSCALL(stat64, 0); -+ ADD_SYSCALL(readlink, 0); -+ ADD_SYSCALL(newfstatat, 0); -+ ADD_SYSCALL(mmap, 0); -+ } -+ - ADD_SYSCALL(getsockopt, 0); - ADD_SYSCALL(setsockopt, 0); - diff --git a/ocserv.conf b/ocserv.conf index 5daa176..d5e0814 100644 --- a/ocserv.conf +++ b/ocserv.conf @@ -89,12 +89,6 @@ auth = "pam" tcp-port = 443 udp-port = 443 -# Accept connections using a socket file. It accepts HTTP -# connections (i.e., without SSL/TLS unlike its TCP counterpart), -# and uses it as the primary channel. That option cannot be -# combined with certificate authentication. -#listen-clear-file = /var/run/ocserv-conn.socket - # The user the worker processes will be run as. It should be # unique (no other services run as this user). run-as-user = ocserv 
diff --git a/ocserv.spec b/ocserv.spec index e7178a9..7b9ad2f 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -1,5 +1,5 @@ -Version: 1.1.1 -Release: 5%{?dist} +Version: 1.1.2 +Release: 1%{?dist} %global _hardened_build 1 %if 0%{?fedora} || 0%{?rhel} >= 7 @@ -44,7 +44,6 @@ Source8: ocserv-genkey Source9: ocserv-script Source10: gpgkey-56EE7FA9E8173B19FE86268D763712747F343FA7.gpg Source11: ocserv.init -Patch0: ocserv-1.1.1-socketwrapper.patch # Taken from upstream: # http://git.infradead.org/ocserv.git/commitdiff/7d70006a2dbddf783213f1856374bacc74217e09 @@ -285,6 +284,9 @@ install -D -m 0755 %{SOURCE11} %{buildroot}/%{_initrddir}/%{name} %endif %changelog +* Sat Dec 6 2020 Nikos Mavrogiannopoulos - 1.1.2-1 +- Update to upstream 1.1.2 release + * Mon Nov 23 2020 Nikos Mavrogiannopoulos - 1.1.1-5 - Rebuilt for ronn successor diff --git a/sources b/sources index b716d8a..9c321dd 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (ocserv-1.1.1.tar.xz) = 1173416f0d32f9faf98e539c8e73316a50ac93b519d1ade19374a3df865d10d975e13ac53e0c5a5e77c80f3605d7a810287b18b85b798887d227389761b54220 -SHA512 (ocserv-1.1.1.tar.xz.sig) = 9fe0f3e2ea4daaf1d053c2cdc87d38dc8256feb11c16f93e7e677500457914a82e659901f77f6ec4ca175fceeec74e3f8d001412c969c18dcf486545bac83393 +SHA512 (ocserv-1.1.2.tar.xz) = 8a145ff729414482c10ab763ac891e21f588fb8f61265fb4e6e61684a9b48c5fcaaafaad1ddcaeaf4ffad85377be45c002b628b27d9a7d08f5b403668f62c3f0 +SHA512 (ocserv-1.1.2.tar.xz.sig) = 3de64d1b4812c836ce809dd31adbf0ba7f2b11f408bb279bdd64f915be7c70b6601f098281e219a986febd0f5ddabaa6eba2448a0b9baf0ae025187b06aec3ce From 4fa9fe0ca251d6b22057375ab23050d9373fc6f9 Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Sun, 6 Dec 2020 19:57:21 +0100 Subject: [PATCH 151/177] skip patch that needs root --- ocserv-1.1.2-tests.patch | 42 ++++++++++++++++++++++++++++++++++++++++ ocserv.spec | 5 +++-- 2 files changed, 45 insertions(+), 2 deletions(-) create mode 100644 ocserv-1.1.2-tests.patch 
diff --git a/ocserv-1.1.2-tests.patch b/ocserv-1.1.2-tests.patch new file mode 100644 index 0000000..0927fa0 --- /dev/null +++ b/ocserv-1.1.2-tests.patch @@ -0,0 +1,42 @@ +From 8d3dc40a5f59be1c91236823b4b4f75adb2e8e7c Mon Sep 17 00:00:00 2001 +From: Nikos Mavrogiannopoulos +Date: Sun, 6 Dec 2020 19:55:03 +0100 +Subject: [PATCH] tests: drain-server-fail: make sure it runs only when root + +Signed-off-by: Nikos Mavrogiannopoulos +--- + tests/common.sh | 3 +++ + tests/drain-server-fail | 3 ++- + 2 files changed, 5 insertions(+), 1 deletion(-) + +diff --git a/tests/common.sh b/tests/common.sh +index cd9bc885..d574d2d0 100644 +--- a/tests/common.sh ++++ b/tests/common.sh +@@ -45,6 +45,9 @@ else + echo "Skipping test requiring ldpreload" + exit 77 + fi ++fi ++ ++if test "${NEED_SOCKET_WRAPPER}" = 1 || test "${NO_NEED_ROOT}" = 1;then + SOCKDIR="${srcdir}/tmp/sockwrap.$$.tmp" + mkdir -p $SOCKDIR + export SOCKET_WRAPPER_DIR=$SOCKDIR +diff --git a/tests/drain-server-fail b/tests/drain-server-fail +index 40a2ed01..d61106e6 100755 +--- a/tests/drain-server-fail ++++ b/tests/drain-server-fail +@@ -20,7 +20,8 @@ + SERV="${SERV:-../src/ocserv}" + OCCTL="${OCCTL:-../src/occtl/occtl}" + srcdir=${srcdir:-.} +-NO_NEED_ROOT=1 ++#we cannot use NO_NEED_ROOT here as occtl commands can only be issued by root ++NEED_SOCKET_WRAPPER=1 + PIDFILE=ocserv-pid.$$.tmp + OCCTL_SOCKET=./occtl-drain-$$.socket + +-- +2.28.0 + diff --git a/ocserv.spec b/ocserv.spec index 7b9ad2f..e0f8244 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -44,6 +44,7 @@ Source8: ocserv-genkey Source9: ocserv-script Source10: gpgkey-56EE7FA9E8173B19FE86268D763712747F343FA7.gpg Source11: ocserv.init +Patch0: ocserv-1.1.2-tests.patch # Taken from upstream: # http://git.infradead.org/ocserv.git/commitdiff/7d70006a2dbddf783213f1856374bacc74217e09 @@ -195,7 +196,7 @@ autoreconf -fvi --without-libwrap %endif -make #%{?_smp_mflags} +make %{?_smp_mflags} %pre getent group ocserv &>/dev/null || groupadd -r ocserv 
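Review bot: `make %{?_smp_mflags}` re-enables parallel builds, which is unrelated to the commit's stated purpose (skipping a test that needs root) and is not mentioned in the changelog entry of this commit. The `#` that the hunk removes reads as a deliberate opt-out, so if parallel make had been disabled because of a build-ordering problem this silently reintroduces it. Either split it into its own commit with a changelog line such as `- Enable parallel build` or add a spec comment above the line recording why it is now considered safe.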
@@ -284,7 +285,7 @@ install -D -m 0755 %{SOURCE11} %{buildroot}/%{_initrddir}/%{name} %endif %changelog -* Sat Dec 6 2020 Nikos Mavrogiannopoulos - 1.1.2-1 +* Sun Dec 6 2020 Nikos Mavrogiannopoulos - 1.1.2-1 - Update to upstream 1.1.2 release * Mon Nov 23 2020 Nikos Mavrogiannopoulos - 1.1.1-5 From 3a3280275f4f3aee6256e1e1244c7c10aeb6a68e Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Wed, 9 Dec 2020 09:44:49 +0100 Subject: [PATCH 152/177] do not special case rhel8 for http-parser The development headers are now shipped. --- ocserv.spec | 13 ------------- 1 file changed, 13 deletions(-) diff --git a/ocserv.spec b/ocserv.spec index e0f8244..b634a1e 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -18,12 +18,6 @@ Release: 1%{?dist} %define use_geoip 1 %endif -%if 0%{?rhel} && 0%{?rhel} == 8 -%define use_http_parser 0 -%else -%define use_http_parser 1 -%endif - %define use_local_protobuf 0 Name: ocserv @@ -70,9 +64,7 @@ BuildRequires: libtasn1-devel BuildRequires: gperf BuildRequires: libtalloc-devel BuildRequires: libev-devel -%if %{use_http_parser} BuildRequires: http-parser-devel -%endif %if %{use_libwrap} BuildRequires: tcp_wrappers-devel @@ -148,9 +140,7 @@ gpgv2 --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0} || gpgv2 --keyring %{SOURCE10} %autosetup -p1 -%if %{use_http_parser} rm -f src/http-parser/http_parser.c src/http-parser/http_parser.h -%endif %if (0%{?use_local_protobuf} == 0) rm -rf src/protobuf/protobuf-c/ touch src/*.proto @@ -187,9 +177,6 @@ autoreconf -fvi %if %{use_local_protobuf} --without-protobuf \ %endif -%if ! %{use_http_parser} - --without-http-parser \ -%endif %if %{use_libwrap} --with-libwrap %else From e1cb96f264b5d747ae3f6569237d09cbfc8587a1 Mon Sep 17 00:00:00 2001 From: Tom Stellard Date: Sat, 9 Jan 2021 03:24:47 +0000 Subject: [PATCH 153/177] Add BuildRequires: make https://fedoraproject.org/wiki/Changes/Remove_make_from_BuildRoot --- ocserv.spec | 1 + 1 file changed, 1 insertion(+) 
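Review bot: The now-unconditional `rm -f src/http-parser/http_parser.c src/http-parser/http_parser.h` in `%prep` has no comment saying why the files are deleted, and with the `%if %{use_http_parser}` guard gone a reader can no longer tell it is an unbundling step. A one-line comment above it, `# drop the bundled http-parser copy so the build links the system http-parser-devel and inherits its security updates`, records the intent. The `--without-http-parser` configure branch and the conditional BuildRequires are removed consistently in the same commit, so no further change seems needed.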
diff --git a/ocserv.spec b/ocserv.spec index b634a1e..a55c2cc 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -43,6 +43,7 @@ Patch0: ocserv-1.1.2-tests.patch # Taken from upstream: # http://git.infradead.org/ocserv.git/commitdiff/7d70006a2dbddf783213f1856374bacc74217e09 +BuildRequires: make BuildRequires: gcc %if 0%{?rhel} && 0%{?rhel} <= 6 BuildRequires: gnutls30-devel From 65e0fa740890990db362c7e04830c452d95fa2fc Mon Sep 17 00:00:00 2001 From: Adrian Reber Date: Thu, 14 Jan 2021 08:31:27 +0100 Subject: [PATCH 154/177] Rebuilt for protobuf 3.14 --- ocserv.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/ocserv.spec b/ocserv.spec index a55c2cc..14877ad 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -1,5 +1,5 @@ Version: 1.1.2 -Release: 1%{?dist} +Release: 2%{?dist} %global _hardened_build 1 %if 0%{?fedora} || 0%{?rhel} >= 7 @@ -273,6 +273,9 @@ install -D -m 0755 %{SOURCE11} %{buildroot}/%{_initrddir}/%{name} %endif %changelog +* Thu Jan 14 08:31:24 CET 2021 Adrian Reber - 1.1.2-2 +- Rebuilt for protobuf 3.14 + * Sun Dec 6 2020 Nikos Mavrogiannopoulos - 1.1.2-1 - Update to upstream 1.1.2 release From 3d30df7cf7bd9c4341b28f88c5cd99c11d8291f9 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Tue, 26 Jan 2021 22:12:48 +0000 Subject: [PATCH 155/177] - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- ocserv.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/ocserv.spec b/ocserv.spec index 14877ad..295f5c5 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -1,5 +1,5 @@ Version: 1.1.2 -Release: 2%{?dist} +Release: 3%{?dist} %global _hardened_build 1 %if 0%{?fedora} || 0%{?rhel} >= 7 
@@ -273,6 +273,9 @@ install -D -m 0755 %{SOURCE11} %{buildroot}/%{_initrddir}/%{name} %endif %changelog +* Tue Jan 26 2021 Fedora Release Engineering - 1.1.2-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + * Thu Jan 14 08:31:24 CET 2021 Adrian Reber - 1.1.2-2 - Rebuilt for protobuf 3.14 From 6f808faf0edbba5590ae35bc2f75421dd18c246b Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Wed, 2 Jun 2021 09:12:04 +0200 Subject: [PATCH 156/177] updated to 1.1.3 --- .gitignore | 2 ++ ocserv.spec | 8 +++++--- sources | 4 ++-- 3 files changed, 9 insertions(+), 5 deletions(-) diff --git a/.gitignore b/.gitignore index 48fba86..9ab0623 100644 --- a/.gitignore +++ b/.gitignore @@ -231,3 +231,5 @@ /ocserv-1.1.1.tar.xz.sig /ocserv-1.1.2.tar.xz /ocserv-1.1.2.tar.xz.sig +/ocserv-1.1.3.tar.xz +/ocserv-1.1.3.tar.xz.sig diff --git a/ocserv.spec b/ocserv.spec index 295f5c5..5233256 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -1,5 +1,5 @@ -Version: 1.1.2 -Release: 3%{?dist} +Version: 1.1.3 +Release: 1%{?dist} %global _hardened_build 1 %if 0%{?fedora} || 0%{?rhel} >= 7 @@ -38,7 +38,6 @@ Source8: ocserv-genkey Source9: ocserv-script Source10: gpgkey-56EE7FA9E8173B19FE86268D763712747F343FA7.gpg Source11: ocserv.init -Patch0: ocserv-1.1.2-tests.patch # Taken from upstream: # http://git.infradead.org/ocserv.git/commitdiff/7d70006a2dbddf783213f1856374bacc74217e09 @@ -273,6 +272,9 @@ install -D -m 0755 %{SOURCE11} %{buildroot}/%{_initrddir}/%{name} %endif %changelog +* Wed Jun 2 2021 Nikos Mavrogiannopoulos - 1.1.3-1 +- Updated to latest release + * Tue Jan 26 2021 Fedora Release Engineering - 1.1.2-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild diff --git a/sources b/sources index 9c321dd..6722d35 100644 --- a/sources +++ b/sources 
@@ -1,2 +1,2 @@
-SHA512 (ocserv-1.1.2.tar.xz) = 8a145ff729414482c10ab763ac891e21f588fb8f61265fb4e6e61684a9b48c5fcaaafaad1ddcaeaf4ffad85377be45c002b628b27d9a7d08f5b403668f62c3f0
-SHA512 (ocserv-1.1.2.tar.xz.sig) = 3de64d1b4812c836ce809dd31adbf0ba7f2b11f408bb279bdd64f915be7c70b6601f098281e219a986febd0f5ddabaa6eba2448a0b9baf0ae025187b06aec3ce
+SHA512 (ocserv-1.1.3.tar.xz) = 1138bd530e41f215f75e967aa293e80504a0ffc3384184832910b7bf8dc2049a637c1d8bef0221b6abb3e6510e51fba3c45d43901c0d2e4c0f180e72c0804628
+SHA512 (ocserv-1.1.3.tar.xz.sig) = 90c9a0bc35ac970faeeef2e0c32c7f4104c1acecfdcf9d266a647102912e2bf575f2cab365ae0040a69ec857fb616cbfd829316dbfccff079e9cb3cfa4a4ffae
From 86658a4f0a66f9e2753b64cfac886f8e03a2adff Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Wed, 2 Jun 2021 09:28:31 +0200 Subject: [PATCH 157/177] removed unused file --- ocserv-1.1.2-tests.patch | 42 ---------------------------------------- 1 file changed, 42 deletions(-) delete mode 100644 ocserv-1.1.2-tests.patch
diff --git a/ocserv-1.1.2-tests.patch b/ocserv-1.1.2-tests.patch deleted file mode 100644
index 0927fa0..0000000
--- a/ocserv-1.1.2-tests.patch
+++ /dev/null
@@ -1,42 +0,0 @@ -From 8d3dc40a5f59be1c91236823b4b4f75adb2e8e7c Mon Sep 17 00:00:00 2001 -From: Nikos Mavrogiannopoulos -Date: Sun, 6 Dec 2020 19:55:03 +0100 -Subject: [PATCH] tests: drain-server-fail: make sure it runs only when root - -Signed-off-by: Nikos Mavrogiannopoulos ---- - tests/common.sh | 3 +++ - tests/drain-server-fail | 3 ++- - 2 files changed, 5 insertions(+), 1 deletion(-) - -diff --git a/tests/common.sh b/tests/common.sh -index cd9bc885..d574d2d0 100644 ---- a/tests/common.sh -+++ b/tests/common.sh -@@ -45,6 +45,9 @@ else - echo "Skipping test requiring ldpreload" - exit 77 - fi -+fi -+ -+if test "${NEED_SOCKET_WRAPPER}" = 1 || test "${NO_NEED_ROOT}" = 1;then - SOCKDIR="${srcdir}/tmp/sockwrap.$$.tmp" - mkdir -p $SOCKDIR - export SOCKET_WRAPPER_DIR=$SOCKDIR -diff --git a/tests/drain-server-fail b/tests/drain-server-fail -index 40a2ed01..d61106e6 100755 ---- a/tests/drain-server-fail -+++ b/tests/drain-server-fail -@@ -20,7 +20,8 @@ - SERV="${SERV:-../src/ocserv}" - OCCTL="${OCCTL:-../src/occtl/occtl}" - srcdir=${srcdir:-.} --NO_NEED_ROOT=1 -+#we cannot use NO_NEED_ROOT here as occtl commands can only be issued by root -+NEED_SOCKET_WRAPPER=1 - PIDFILE=ocserv-pid.$$.tmp - OCCTL_SOCKET=./occtl-drain-$$.socket - --- -2.28.0 - From 1412a40612531c442c7ed0091f798b0b337e8aeb Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Thu, 22 Jul 2021 16:54:24 +0000 Subject: [PATCH 158/177] - Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- ocserv.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/ocserv.spec b/ocserv.spec index 5233256..9485788 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -1,5 +1,5 @@ Version: 1.1.3 -Release: 1%{?dist} +Release: 2%{?dist} %global _hardened_build 1 %if 0%{?fedora} || 0%{?rhel} >= 7 
@@ -272,6 +272,9 @@ install -D -m 0755 %{SOURCE11} %{buildroot}/%{_initrddir}/%{name} %endif %changelog +* Thu Jul 22 2021 Fedora Release Engineering - 1.1.3-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild + * Wed Jun 2 2021 Nikos Mavrogiannopoulos - 1.1.3-1 - Updated to latest release From 32af46b9e7464eb4ecc22f1c443be2d47e54aecb Mon Sep 17 00:00:00 2001 From: Adrian Reber Date: Tue, 26 Oct 2021 08:47:45 +0200 Subject: [PATCH 159/177] Rebuilt for protobuf 3.18.1 --- ocserv.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/ocserv.spec b/ocserv.spec index 9485788..9a8f744 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -1,5 +1,5 @@ Version: 1.1.3 -Release: 2%{?dist} +Release: 3%{?dist} %global _hardened_build 1 %if 0%{?fedora} || 0%{?rhel} >= 7 @@ -272,6 +272,9 @@ install -D -m 0755 %{SOURCE11} %{buildroot}/%{_initrddir}/%{name} %endif %changelog +* Tue Oct 26 2021 Adrian Reber - 1.1.3-3 +- Rebuilt for protobuf 3.18.1 + * Thu Jul 22 2021 Fedora Release Engineering - 1.1.3-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild From ecf3bd2df8ce4501f87dbef44891e840aa82fcf1 Mon Sep 17 00:00:00 2001 From: Adrian Reber Date: Sat, 6 Nov 2021 12:59:42 +0100 Subject: [PATCH 160/177] Rebuilt for protobuf 3.19.0 --- ocserv.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/ocserv.spec b/ocserv.spec index 9a8f744..faf0b14 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -1,5 +1,5 @@ Version: 1.1.3 -Release: 3%{?dist} +Release: 4%{?dist} %global _hardened_build 1 %if 0%{?fedora} || 0%{?rhel} >= 7 @@ -272,6 +272,9 @@ install -D -m 0755 %{SOURCE11} %{buildroot}/%{_initrddir}/%{name} %endif %changelog +* Sat Nov 06 2021 Adrian Reber - 1.1.3-4 +- Rebuilt for protobuf 3.19.0 + * Tue Oct 26 2021 Adrian Reber - 1.1.3-3 - Rebuilt for protobuf 3.18.1 From 1230c3d17a52df568984a7936755970477cc46aa Mon Sep 17 00:00:00 2001 
From: Nikos Mavrogiannopoulos Date: Sat, 13 Nov 2021 13:06:44 +0100 Subject: [PATCH 161/177] update to 1.1.4 --- .gitignore | 2 ++ ocserv.spec | 7 +++++-- sources | 4 ++-- 3 files changed, 9 insertions(+), 4 deletions(-) diff --git a/.gitignore b/.gitignore index 9ab0623..ea83165 100644 --- a/.gitignore +++ b/.gitignore @@ -233,3 +233,5 @@ /ocserv-1.1.2.tar.xz.sig /ocserv-1.1.3.tar.xz /ocserv-1.1.3.tar.xz.sig +/ocserv-1.1.4.tar.xz +/ocserv-1.1.4.tar.xz.sig diff --git a/ocserv.spec b/ocserv.spec index faf0b14..5feec6c 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -1,5 +1,5 @@ -Version: 1.1.3 -Release: 4%{?dist} +Version: 1.1.4 +Release: 1%{?dist} %global _hardened_build 1 %if 0%{?fedora} || 0%{?rhel} >= 7 @@ -272,6 +272,9 @@ install -D -m 0755 %{SOURCE11} %{buildroot}/%{_initrddir}/%{name} %endif %changelog +* Sat Nov 13 2021 Nikos Mavrogiannopoulos - 1.1.4-1 +- Update to upstream 1.1.4 release + * Sat Nov 06 2021 Adrian Reber - 1.1.3-4 - Rebuilt for protobuf 3.19.0 diff --git a/sources b/sources index 6722d35..c949381 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (ocserv-1.1.3.tar.xz) = 1138bd530e41f215f75e967aa293e80504a0ffc3384184832910b7bf8dc2049a637c1d8bef0221b6abb3e6510e51fba3c45d43901c0d2e4c0f180e72c0804628 -SHA512 (ocserv-1.1.3.tar.xz.sig) = 90c9a0bc35ac970faeeef2e0c32c7f4104c1acecfdcf9d266a647102912e2bf575f2cab365ae0040a69ec857fb616cbfd829316dbfccff079e9cb3cfa4a4ffae +SHA512 (ocserv-1.1.4.tar.xz) = bbdbf8d4fbe0c2aa3cf03e2b049d42a73918cc0863fa3ad0db79905e7855c7cb875e46c1d817e8c9eb19632bb0ee8a097f45c168046d9442901b56a5fd2a69a8 +SHA512 (ocserv-1.1.4.tar.xz.sig) = 1ca7a2fdd56dc7e628f4331c77b9859c9867af3eeef058357b3c197106a93052b099c278bef495f622a00ce5527f69b3762e9f57001cf6ba9f7b3b219a3e1a0d From 7bbf4483784d3cfe559d6984c8bfab5a5885d3f6 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Thu, 20 Jan 2022 22:02:26 +0000 Subject: [PATCH 162/177] - Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild 
Signed-off-by: Fedora Release Engineering --- ocserv.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/ocserv.spec b/ocserv.spec index 5feec6c..a55d67f 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -1,5 +1,5 @@ Version: 1.1.4 -Release: 1%{?dist} +Release: 2%{?dist} %global _hardened_build 1 %if 0%{?fedora} || 0%{?rhel} >= 7 @@ -272,6 +272,9 @@ install -D -m 0755 %{SOURCE11} %{buildroot}/%{_initrddir}/%{name} %endif %changelog +* Thu Jan 20 2022 Fedora Release Engineering - 1.1.4-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild + * Sat Nov 13 2021 Nikos Mavrogiannopoulos - 1.1.4-1 - Update to upstream 1.1.4 release From 17e5b407a3f0f7f548df4bb45144612290f30fab Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Thu, 10 Feb 2022 16:04:44 +0100 Subject: [PATCH 163/177] Fixes for gnutls 3.7.3 and glibc new syscalls --- futex.patch | 12 ++++++++++++ gnutls-3.7.3.patch | 16 ++++++++++++++++ ocserv.spec | 8 +++++++- 3 files changed, 35 insertions(+), 1 deletion(-) create mode 100644 futex.patch create mode 100644 gnutls-3.7.3.patch diff --git a/futex.patch b/futex.patch new file mode 100644 index 0000000..1eecad4 --- /dev/null +++ b/futex.patch @@ -0,0 +1,12 @@ +diff --git a/src/worker-privs.c b/src/worker-privs.c +index ae0b375d..0b285113 100644 +--- a/src/worker-privs.c ++++ b/src/worker-privs.c +@@ -128,6 +128,7 @@ int disable_system_calls(struct worker_st *ws) + ADD_SYSCALL(getrusage, 0); + ADD_SYSCALL(alarm, 0); + ADD_SYSCALL(getpid, 0); ++ ADD_SYSCALL(futex, 0); + + /* memory allocation - both are used by different platforms */ + ADD_SYSCALL(brk, 0); diff --git a/gnutls-3.7.3.patch b/gnutls-3.7.3.patch new file mode 100644 index 0000000..7e99e4e --- /dev/null +++ b/gnutls-3.7.3.patch 
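Review bot: `ADD_SYSCALL(futex, 0)` widens the worker's seccomp allowlist without an in-code reason, whereas the neighbouring group right below it is annotated (`/* memory allocation - both are used by different platforms */`). The commit subject only says "glibc new syscalls", so whoever rebases the filter later cannot tell whether the entry is still required; suggest `/* presumably newer glibc issues futex() internally; see <UPSTREAM-COMMIT placeholder> */` above the new line. futex is a synchronization primitive with no file or network reach, so the added exposure appears small, but that assessment belongs in the comment too. disable_system_calls() continues outside the hunk.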
@@ -0,0 +1,16 @@ +diff --git a/src/sec-mod.c b/src/sec-mod.c +index 03f78276..6492b68a 100644 +--- a/src/sec-mod.c ++++ b/src/sec-mod.c +@@ -834,7 +834,10 @@ static int load_keys(sec_mod_st *sec, unsigned force) + gnutls_privkey_import_x509_raw(p, &data, + GNUTLS_X509_FMT_PEM, + NULL, 0); +- if (ret == GNUTLS_E_DECRYPTION_FAILED && vhost->pins.pin[0]) { ++ /* GnuTLS 3.7.3 introduces a backwards incompatible change and ++ * GNUTLS_E_PKCS11_PIN_ERROR is returned when an encrypted ++ * file is loaded https://gitlab.com/gnutls/gnutls/-/issues/1321 */ ++ if ((ret == GNUTLS_E_DECRYPTION_FAILED || ret == GNUTLS_E_PKCS11_PIN_ERROR) && vhost->pins.pin[0]) { + ret = + gnutls_privkey_import_x509_raw(p, &data, + GNUTLS_X509_FMT_PEM, diff --git a/ocserv.spec b/ocserv.spec index a55d67f..025e5b5 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -1,5 +1,5 @@ Version: 1.1.4 -Release: 2%{?dist} +Release: 3%{?dist} %global _hardened_build 1 %if 0%{?fedora} || 0%{?rhel} >= 7 @@ -38,6 +38,8 @@ Source8: ocserv-genkey Source9: ocserv-script Source10: gpgkey-56EE7FA9E8173B19FE86268D763712747F343FA7.gpg Source11: ocserv.init +Patch1: futex.patch +Patch2: gnutls-3.7.3.patch # Taken from upstream: # http://git.infradead.org/ocserv.git/commitdiff/7d70006a2dbddf783213f1856374bacc74217e09 @@ -272,6 +274,10 @@ install -D -m 0755 %{SOURCE11} %{buildroot}/%{_initrddir}/%{name} %endif %changelog +* Thu Feb 10 2022 Nikos Mavrogiannopoulos - 1.1.4-3 +- Update seccomp rules to allow the futex syscall +- Workaround incompatible API change in GnuTLS 3.7.3. + * Thu Jan 20 2022 Fedora Release Engineering - 1.1.4-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild From 60aa82821baaa0c141513271192a0efd8d270b7e Mon Sep 17 00:00:00 2001 
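Review bot: `Patch1: futex.patch` and `Patch2: gnutls-3.7.3.patch` are added without any comment recording where they come from, even though the spec keeps a `# Taken from upstream:` URL for an earlier change just below these lines. Both touch security-relevant code (the worker seccomp filter and private-key loading in sec-mod.c), so a reviewer or a later rebase needs to know whether each is an upstream commit or a local workaround to drop once a fixed release ships. Suggest a comment above each, e.g. `# Upstream: <UPSTREAM-COMMIT-URL placeholder>` or `# Local workaround for GnuTLS 3.7.3; drop once the upstream fix is in a release`.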
From: Nikos Mavrogiannopoulos Date: Thu, 17 Feb 2022 13:07:15 +0100 Subject: [PATCH 164/177] Updated to 1.1.6 --- .gitignore | 2 ++ futex.patch | 12 ------------ gnutls-3.7.3.patch | 16 ---------------- ocserv.spec | 9 +++++---- sources | 4 ++-- 5 files changed, 9 insertions(+), 34 deletions(-) delete mode 100644 futex.patch delete mode 100644 gnutls-3.7.3.patch diff --git a/.gitignore b/.gitignore index ea83165..d8812e1 100644 --- a/.gitignore +++ b/.gitignore @@ -235,3 +235,5 @@ /ocserv-1.1.3.tar.xz.sig /ocserv-1.1.4.tar.xz /ocserv-1.1.4.tar.xz.sig +/ocserv-1.1.6.tar.xz.sig +/ocserv-1.1.6.tar.xz diff --git a/futex.patch b/futex.patch deleted file mode 100644 index 1eecad4..0000000 --- a/futex.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff --git a/src/worker-privs.c b/src/worker-privs.c -index ae0b375d..0b285113 100644 ---- a/src/worker-privs.c -+++ b/src/worker-privs.c -@@ -128,6 +128,7 @@ int disable_system_calls(struct worker_st *ws) - ADD_SYSCALL(getrusage, 0); - ADD_SYSCALL(alarm, 0); - ADD_SYSCALL(getpid, 0); -+ ADD_SYSCALL(futex, 0); - - /* memory allocation - both are used by different platforms */ - ADD_SYSCALL(brk, 0); diff --git a/gnutls-3.7.3.patch b/gnutls-3.7.3.patch deleted file mode 100644 index 7e99e4e..0000000 --- a/gnutls-3.7.3.patch +++ /dev/null 
@@ -1,16 +0,0 @@ -diff --git a/src/sec-mod.c b/src/sec-mod.c -index 03f78276..6492b68a 100644 ---- a/src/sec-mod.c -+++ b/src/sec-mod.c -@@ -834,7 +834,10 @@ static int load_keys(sec_mod_st *sec, unsigned force) - gnutls_privkey_import_x509_raw(p, &data, - GNUTLS_X509_FMT_PEM, - NULL, 0); -- if (ret == GNUTLS_E_DECRYPTION_FAILED && vhost->pins.pin[0]) { -+ /* GnuTLS 3.7.3 introduces a backwards incompatible change and -+ * GNUTLS_E_PKCS11_PIN_ERROR is returned when an encrypted -+ * file is loaded https://gitlab.com/gnutls/gnutls/-/issues/1321 */ -+ if ((ret == GNUTLS_E_DECRYPTION_FAILED || ret == GNUTLS_E_PKCS11_PIN_ERROR) && vhost->pins.pin[0]) { - ret = - gnutls_privkey_import_x509_raw(p, &data, - GNUTLS_X509_FMT_PEM, diff --git a/ocserv.spec b/ocserv.spec index 025e5b5..f24d8a7 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -1,5 +1,5 @@ -Version: 1.1.4 -Release: 3%{?dist} +Version: 1.1.6 +Release: 1%{?dist} %global _hardened_build 1 %if 0%{?fedora} || 0%{?rhel} >= 7 @@ -38,8 +38,6 @@ Source8: ocserv-genkey Source9: ocserv-script Source10: gpgkey-56EE7FA9E8173B19FE86268D763712747F343FA7.gpg Source11: ocserv.init -Patch1: futex.patch -Patch2: gnutls-3.7.3.patch # Taken from upstream: # http://git.infradead.org/ocserv.git/commitdiff/7d70006a2dbddf783213f1856374bacc74217e09 @@ -274,6 +272,9 @@ install -D -m 0755 %{SOURCE11} %{buildroot}/%{_initrddir}/%{name} %endif %changelog +* Thu Feb 17 2022 Nikos Mavrogiannopoulos - 1.1.6-1 +- Updated to 1.1.6 + * Thu Feb 10 2022 Nikos Mavrogiannopoulos - 1.1.4-3 - Update seccomp rules to allow the futex syscall - Workaround incompatible API change in GnuTLS 3.7.3. diff --git a/sources b/sources index c949381..bb03d35 100644 --- a/sources +++ b/sources 
@@ -1,2 +1,2 @@
-SHA512 (ocserv-1.1.4.tar.xz) = bbdbf8d4fbe0c2aa3cf03e2b049d42a73918cc0863fa3ad0db79905e7855c7cb875e46c1d817e8c9eb19632bb0ee8a097f45c168046d9442901b56a5fd2a69a8
-SHA512 (ocserv-1.1.4.tar.xz.sig) = 1ca7a2fdd56dc7e628f4331c77b9859c9867af3eeef058357b3c197106a93052b099c278bef495f622a00ce5527f69b3762e9f57001cf6ba9f7b3b219a3e1a0d
+SHA512 (ocserv-1.1.6.tar.xz.sig) = 2a87768ad63d40053732fa011bbeb3532c9673296b9be299bf8f7d8dd3dd35571eee96c0b4fa9bf5a30633b4c844337ab3d562d6ea2b6ad8efca084eb5e6f502
+SHA512 (ocserv-1.1.6.tar.xz) = d1c5e5cf0e84aab168ed51516534df8b2968194dd1421f33563c61b3e47d5d79ebe9e6ffbf7cbcc9ff1242fae05151024f70ef586d063bec0b3eec00050bfdfa
From 3d604603d9734392652f1e20b18c818234eb389c Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Sun, 7 May 2023 14:32:21 +0200 Subject: [PATCH 165/177] updated to 1.1.7 --- .gitignore | 2 ++ ocserv.spec | 7 +++++-- sources | 4 ++-- 3 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/.gitignore b/.gitignore
index d8812e1..1435b3a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -237,3 +237,5 @@
 /ocserv-1.1.4.tar.xz.sig
 /ocserv-1.1.6.tar.xz.sig
 /ocserv-1.1.6.tar.xz
+/ocserv-1.1.7.tar.xz
+/ocserv-1.1.7.tar.xz.sig
diff --git a/ocserv.spec b/ocserv.spec
index f24d8a7..be817d6 100644
--- a/ocserv.spec
+++ b/ocserv.spec
@@ -1,4 +1,4 @@ -Version: 1.1.6 +Version: 1.1.7 Release: 1%{?dist} %global _hardened_build 1
@@ -250,7 +250,7 @@ install -D -m 0755 %{SOURCE11} %{buildroot}/%{_initrddir}/%{name} %config(noreplace) %{_sysconfdir}/pam.d/ocserv %config(noreplace) %{_localstatedir}/lib/ocserv/profile.xml -%doc AUTHORS ChangeLog NEWS COPYING LICENSE README.md PACKAGE-LICENSING +%doc AUTHORS ChangeLog NEWS COPYING COPYING README.md PACKAGE-LICENSING %doc src/ccan/licenses/CC0 src/ccan/licenses/LGPL-2.1 src/ccan/licenses/BSD-MIT %{_mandir}/man8/ocserv.8*
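Review bot: The new line `%doc AUTHORS ChangeLog NEWS COPYING COPYING README.md PACKAGE-LICENSING` lists COPYING twice; presumably the intent was only to drop LICENSE because the 1.1.7 tarball no longer ships it, and the duplicate slipped in. Change it to `%doc AUTHORS ChangeLog NEWS COPYING README.md PACKAGE-LICENSING`. Since COPYING is the license text, consider moving it to `%license COPYING` so it is installed even when documentation is excluded, with the usual old-rpm fallback if the EL6 branch of this spec is still built.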
@@ -272,6 +272,9 @@ install -D -m 0755 %{SOURCE11} %{buildroot}/%{_initrddir}/%{name} %endif %changelog +* Sun May 07 2023 Nikos Mavrogiannopoulos - 1.1.7-1 +- Updated to 1.1.7 + * Thu Feb 17 2022 Nikos Mavrogiannopoulos - 1.1.6-1 - Updated to 1.1.6 diff --git a/sources b/sources index bb03d35..30fa688 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (ocserv-1.1.6.tar.xz.sig) = 2a87768ad63d40053732fa011bbeb3532c9673296b9be299bf8f7d8dd3dd35571eee96c0b4fa9bf5a30633b4c844337ab3d562d6ea2b6ad8efca084eb5e6f502 -SHA512 (ocserv-1.1.6.tar.xz) = d1c5e5cf0e84aab168ed51516534df8b2968194dd1421f33563c61b3e47d5d79ebe9e6ffbf7cbcc9ff1242fae05151024f70ef586d063bec0b3eec00050bfdfa +SHA512 (ocserv-1.1.7.tar.xz) = 5b6182b98c0406a27dae7121ec0d8771b158e0d8ce2056bd35451c8ed087a8b7f7d40035f9db5c19aa9a9a3b2c6b07be8f0bad4b6b96569584815a5358202ba4 +SHA512 (ocserv-1.1.7.tar.xz.sig) = 96d2562fdf918f2b6ea829d747330a3be2e015ab25897e01bd0d387cb69ef3592aacabbeec9612e95eca1fbce6178a176dbf76d553b7626c09d453d216ddd63d From 33bcc9a3c88d1c25c17142e17ca82a59dcf5456d Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Thu, 22 Jun 2023 12:27:36 +0200 Subject: [PATCH 166/177] Backported fixes for expired certificates --- expired-certs.patch | 2308 +++++++++++++++++++++++++++++++++++++++++++ ocserv.spec | 9 +- 2 files changed, 2316 insertions(+), 1 deletion(-) create mode 100644 expired-certs.patch diff --git a/expired-certs.patch b/expired-certs.patch new file mode 100644 index 0000000..443bd7b --- /dev/null +++ b/expired-certs.patch 
@@ -0,0 +1,2308 @@ +diff --git a/tests/Makefile.am b/tests/Makefile.am +index d965eae..ecc417c 100644 +--- a/tests/Makefile.am ++++ b/tests/Makefile.am +@@ -44,7 +44,8 @@ EXTRA_DIST = certs/ca-key.pem certs/ca.pem ns.sh common.sh certs/server-cert.pem + data/disconnect-user2.config data/ping-leases.config data/haproxy-proxyproto.config \ + data/haproxy-proxyproto.cfg scripts/proxy-connectscript data/haproxy-proxyproto-v1.config \ + data/haproxy-proxyproto-v1.cfg scripts/proxy-connectscript-v1 data/test-multiple-client-ip.config \ +- data/test-client-bypass-protocol.config asan.supp ++ data/test-client-bypass-protocol.config asan.supp certs/ca.tmpl certs/server-cert.tmpl \ ++ certs/user-cert.tmpl + + xfail_scripts = + dist_check_SCRIPTS = ocpasswd-test +@@ -176,6 +177,25 @@ gen_oidc_test_data_CPPFLAGS = $(AM_CPPFLAGS) + gen_oidc_test_data_SOURCES = generate_oidc_test_data.c + gen_oidc_test_data_LDADD = $(LDADD) $(CJOSE_LIBS) $(JANSSON_LIBS) + ++certs/ca.pem: certs/ca-key.pem certs/ca.tmpl ++ certtool --generate-self-signed --template certs/ca.tmpl --load-privkey certs/ca-key.pem --outfile certs/ca.pem ++ ++certs/server-cert-ca.pem: certs/ca.pem certs/server-cert.pem ++ cat certs/server-cert.pem certs/ca.pem > certs/server-cert-ca.pem ++ ++certs/server-cert.pem: certs/server-cert.tmpl certs/ca.pem certs/server-key.pem certs/ca-key.pem ++ certtool --generate-certificate --template certs/server-cert.tmpl --load-privkey certs/server-key.pem --load-ca-certificate certs/ca.pem --load-ca-privkey certs/ca-key.pem --outfile certs/server-cert.pem ++ ++certs/user-cert.pem: certs/user-cert.tmpl certs/ca.pem certs/user-key.pem certs/ca-key.pem ++ certtool --generate-certificate --template certs/user-cert.tmpl --load-privkey certs/user-key.pem --load-ca-certificate certs/ca.pem --load-ca-privkey certs/ca-key.pem --outfile certs/user-cert.pem ++ ++# make the user certificate invalid by signing it with another CA ++certs/user-cert-invalid.pem: certs/user-cert.tmpl ++ certtool 
--generate-privkey --outfile ca-key.tmp ++ certtool --generate-self-signed --template certs/ca.tmpl --load-privkey ca-key.tmp --outfile ca.tmp ++ certtool --generate-certificate --template certs/user-cert.tmpl --load-privkey certs/user-key.pem --load-ca-certificate ca.tmp --load-ca-privkey ca-key.tmp --outfile certs/user-cert-invalid.pem ++ rm -f ca-key.tmp ca.tmp ++ + if ENABLE_OIDC_AUTH_TESTS + check_PROGRAMS += gen_oidc_test_data + dist_check_SCRIPTS += test-oidc +diff --git a/tests/apple-ios b/tests/apple-ios +index 897d823..45b0cd3 100755 +--- a/tests/apple-ios ++++ b/tests/apple-ios +@@ -54,11 +54,11 @@ wait_server $PID + sleep 2 + + echo " * Connecting to obtain cookie... " +-( echo "!@#$%^&*()<>" | $OPENCONNECT localhost:$PORT -u "sp@c/al" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null ) || ++( echo "!@#$%^&*()<>" | $OPENCONNECT localhost:$PORT -u "sp@c/al" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null ) || + fail $PID "Could not receive cookie from server" + + echo " * Re-connect to force script run with platform... " +-echo "!@#$%^&*()<>" | timeout 7 $OPENCONNECT --verbose localhost:$PORT -u "sp@c/al" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s /bin/true >${TMPFILE} 2>&1 ++echo "!@#$%^&*()<>" | timeout 7 $OPENCONNECT --verbose localhost:$PORT -u "sp@c/al" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s /bin/true >${TMPFILE} 2>&1 + + sleep 5 + +@@ -87,7 +87,7 @@ fi + rm -f ${TMPFILE} + + echo " * Re-connecting to force script run with user agent... 
" +-echo "!@#$%^&*()<>" | timeout 7 $OPENCONNECT --verbose --useragent="Cisco AnyConnect VPN Agent for Apple" localhost:$PORT -u "sp@c/al" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s /bin/true >${TMPFILE} 2>&1 ++echo "!@#$%^&*()<>" | timeout 7 $OPENCONNECT --verbose --useragent="Cisco AnyConnect VPN Agent for Apple" localhost:$PORT -u "sp@c/al" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s /bin/true >${TMPFILE} 2>&1 + + sleep 5 + +@@ -114,7 +114,7 @@ fi + sleep 5 + echo " - Check server status" + +-( echo "!@#$%^&*()<>" | $OPENCONNECT localhost:$PORT -u "sp@c/al" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) || ++( echo "!@#$%^&*()<>" | $OPENCONNECT localhost:$PORT -u "sp@c/al" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) || + fail $PID "Could not receive cookie from server" + + echo " - Killing server" +diff --git a/tests/banner b/tests/banner +index 44954e2..08f8f19 100755 +--- a/tests/banner ++++ b/tests/banner +@@ -50,7 +50,7 @@ wait_server $PID + sleep 3 + + echo "Connecting to obtain cookie... " +-( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT $ADDRESS:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >${TMPFILE} 2>&1 ) || ++( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT $ADDRESS:$PORT -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >${TMPFILE} 2>&1 ) || + fail $PID "Could not receive cookie from server" + + grep "${BANNER}" ${TMPFILE} >/dev/null +@@ -61,7 +61,7 @@ if test $? != 0;then + fi + + echo "Connecting to obtain cookie with wrong password... 
" +-( echo "tost" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT $ADDRESS:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >${TMPFILE} 2>&1 ) && ++( echo "tost" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT $ADDRESS:$PORT -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >${TMPFILE} 2>&1 ) && + fail $PID "Received cookie when we shouldn't" + + grep "${BANNER}" ${TMPFILE} >/dev/null +diff --git a/tests/certs/ca-key.pem b/tests/certs/ca-key.pem +index 9bd0754..ee5599c 100644 +--- a/tests/certs/ca-key.pem ++++ b/tests/certs/ca-key.pem +@@ -31,25 +31,3 @@ y1hvTfWRAoGZALNT3AbF9EDnJmZlS30MWtBggw83UhszC8XN2tY30AsvsDOS6a0F + UVhyNvBTKo6lPqXqUsVxp16TKeeQKF+DuYuuNZN3pXXsHTiHkRMDCRVEqz7UnZEc + /Bq/Kh2aOkelkX2S27QzTZGL + -----END RSA PRIVATE KEY----- +------BEGIN CERTIFICATE----- +-MIIDtDCCAmygAwIBAgIETeC0yjANBgkqhkiG9w0BAQsFADAZMRcwFQYDVQQDEw5H +-bnVUTFMgVGVzdCBDQTAeFw0xMTA1MjgwODM5MzlaFw0zODEwMTIwODM5NDBaMC8x +-LTArBgNVBAMTJEdudVRMUyBUZXN0IFNlcnZlciAoUlNBIGNlcnRpZmljYXRlKTCC +-AVIwDQYJKoZIhvcNAQEBBQADggE/ADCCAToCggExALRrJ5glr8H/HsqwfvTYvO1D +-hmdUXdq0HsKQX4M8AhH8E3KFsoikZUELdl8jvoqf/nlLczsux0s8vxbJl1U1F/Oh +-ckswwuAnlBLzVgDmzoJLEV2kHpv6+rkbKk0Ytbql5gzHqKihbaqIhNyWDrJsHDWq +-58eUPfnVx8KiDUuzbnr3CF/FCc0Vkxr3mN8qTGaJJO0f0BZjgWWlWDuhzSVim5mB +-VAgXGOx8LwiiOyhXMp0XRwqG+2KxQZnm+96o6iB+8xvuuuqaIWQpkvKtc+UZBZ03 +-U+IRnxhfIrriiw0AjJ4vp4c9QL5KoqWSCAwuYcBYfJqZ4dasgzklzz4b7eujbZ3L +-xTjewcdumzQUvjA+gpAeuUqaduTvMwxGojFy9sNhC/iqZ4n0peV2N6Epn4B5qnUC +-AwEAAaOBjTCBijAMBgNVHRMBAf8EAjAAMBQGA1UdEQQNMAuCCWxvY2FsaG9zdDAT +-BgNVHSUEDDAKBggrBgEFBQcDATAPBgNVHQ8BAf8EBQMDB6AAMB0GA1UdDgQWBBR2 +-B1hM6rUp9S2ABoyDSoINCeyT3jAfBgNVHSMEGDAWgBRNVrdqAFjxZ5L0pnVVG45T +-AQPvzzANBgkqhkiG9w0BAQsFAAOCATEAdNWmTsh5uIfngyhOWwm7pK2+vgUMY8nH +-gMoMFHt0yuxuImcUMXu3LRS1dZSoCJACBpTFGi/Dg2U0qvOHQcEmc3OwNqHB90R3 +-LG5jUSCtq/bYW7h/6Gd9KeWCgZczaHbQ9IPTjLH1dLswVPt+fXKB6Eh0ggSrGATE +-/wRZT/XgDCW8t4C+2+TmJ8ZEzvU87KAPQ9rUBS1+p3EUAR/FfMApApsEig1IZ+ZD 
+-5joaGBW7zh1H0B9mEKidRvD7yuRJyzAcvD25nT15NLW0QR3dEeXosLc720xxJl1h +-h8NJ7YOvn323mOjR9er4i4D6iJlXmJ8tvN9vakCankWvBzb7plFn2sfMQqICFpRc +-w075D8hdQxfpGffL2tEeKSgjyNHXS7x3dFhUpN3IQjUi2x4f2e/ZXg== +------END CERTIFICATE----- +diff --git a/tests/certs/ca.pem b/tests/certs/ca.pem +index c4058ee..02f0b76 100644 +--- a/tests/certs/ca.pem ++++ b/tests/certs/ca.pem +@@ -1,20 +1,20 @@ + -----BEGIN CERTIFICATE----- +-MIIDPzCCAfegAwIBAgIEUdguzDANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDEwJD +-QTAiGA8yMDEzMDcwNjE0NTA1MloYDzIwMjMwNTE1MTQ1MDUyWjANMQswCQYDVQQD +-EwJDQTCCAVIwDQYJKoZIhvcNAQEBBQADggE/ADCCAToCggExALRrJ5glr8H/Hsqw +-fvTYvO1DhmdUXdq0HsKQX4M8AhH8E3KFsoikZUELdl8jvoqf/nlLczsux0s8vxbJ +-l1U1F/OhckswwuAnlBLzVgDmzoJLEV2kHpv6+rkbKk0Ytbql5gzHqKihbaqIhNyW +-DrJsHDWq58eUPfnVx8KiDUuzbnr3CF/FCc0Vkxr3mN8qTGaJJO0f0BZjgWWlWDuh +-zSVim5mBVAgXGOx8LwiiOyhXMp0XRwqG+2KxQZnm+96o6iB+8xvuuuqaIWQpkvKt +-c+UZBZ03U+IRnxhfIrriiw0AjJ4vp4c9QL5KoqWSCAwuYcBYfJqZ4dasgzklzz4b +-7eujbZ3LxTjewcdumzQUvjA+gpAeuUqaduTvMwxGojFy9sNhC/iqZ4n0peV2N6Ep +-n4B5qnUCAwEAAaNDMEEwDwYDVR0TAQH/BAUwAwEB/zAPBgNVHQ8BAf8EBQMDBwQA +-MB0GA1UdDgQWBBRIIzRTCokxOEpa6sq20qbezh0rGDANBgkqhkiG9w0BAQsFAAOC +-ATEAa1kdd8E1PkM06Isw0S/thEll0rAYsNHwSX17IDUWocTTQlmVXBXcvLqM04QT +-z7WNG4eushLhRpSn8LJQkf4RgvAxOMIjHM9troDbPVoec6k8fZrJ8jfXurOgoOVP +-g+hScT3VDvxgiOVwgXSe2XBryGDaviRuSOHlfy5GPVirLJLZwpcX6RpsHMX9rrZX +-ghvf8dwm4To9H5wT0Le2FnZRoLOTMmpr49bfKJqy/U7AUHaf4saSdkdEIaGOxkPk +-x+SFlr9TjavnJvL0TApkvfNZ1aOVHRHINgaFYHQJ4U0jQ/g7lPmD+UtZWnvSMNXH +-yct5cKOyP4j7Kla1sKPs+oamOQ7pR1Z/GwBxe48FvO7VDi7EkugLwlzoXC2G+4Jg +-fJbi9Ui2FmXEeKkX34f1ONNj9Q== ++MIIDPDCCAfSgAwIBAgIEUdguzDANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDEwJD ++QTAgFw0xMzAyMTMxNTMyMTJaGA85OTk5MTIzMTIzNTk1OVowDTELMAkGA1UEAxMC ++Q0EwggFSMA0GCSqGSIb3DQEBAQUAA4IBPwAwggE6AoIBMQC0ayeYJa/B/x7KsH70 ++2LztQ4ZnVF3atB7CkF+DPAIR/BNyhbKIpGVBC3ZfI76Kn/55S3M7LsdLPL8WyZdV ++NRfzoXJLMMLgJ5QS81YA5s6CSxFdpB6b+vq5GypNGLW6peYMx6iooW2qiITclg6y ++bBw1qufHlD351cfCog1Ls2569whfxQnNFZMa95jfKkxmiSTtH9AWY4FlpVg7oc0l 
++YpuZgVQIFxjsfC8IojsoVzKdF0cKhvtisUGZ5vveqOogfvMb7rrqmiFkKZLyrXPl
++GQWdN1PiEZ8YXyK64osNAIyeL6eHPUC+SqKlkggMLmHAWHyameHWrIM5Jc8+G+3r
++o22dy8U43sHHbps0FL4wPoKQHrlKmnbk7zMMRqIxcvbDYQv4qmeJ9KXldjehKZ+A
++eap1AgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0G
++A1UdDgQWBBRIIzRTCokxOEpa6sq20qbezh0rGDANBgkqhkiG9w0BAQsFAAOCATEA
++foqPGdiyJYHih4J5YHwFPQxmkOzPHSa13K/q8sDvobE+HFTzrlTbAFC8bS38Bv2f
++9ZrPME4JvnsGdRGYwxS3LUmNdHHWR8LkvGXBE3u/TZsJfPtOR8JwdulQXpRw7hhL
++ew/mR5IEHZrUZgnnI4dg1kJhE1JPTvmtgqcE1CsikVQ14NvG/ehJbJyPgKTq/Zxm
++Ru4B5N+Jef/LaOqZvK4xK8x2ZaZ/L/ANou+7EY4DoWAkOEEoCU8DQHLAFgf6B7La
++oemLQGNHcBpba81jlS5EXXGJccOvfbw0MJTP3ZvyVIlEYu/X4roC7EJP/UkCZUJG
++f79Nc28q2/2D8tuFOqG7UbP7r2cWSa8OO3cI/V1W1k3iWZ63WltqDwFC0c8iqYFL
++9xKfQ96Q7wrYOCjmuaCLbw==
+ -----END CERTIFICATE-----
+diff --git a/tests/certs/ca.tmpl b/tests/certs/ca.tmpl
+new file mode 100644
+index 0000000..da5cc3f
+--- /dev/null
++++ b/tests/certs/ca.tmpl
+@@ -0,0 +1,6 @@
++cn = CA
++ca
++cert_signing_key
++expiration_days = -1
++activation_date = "2013-02-13 16:32:12"
++serial = 0x51d82ecc
+diff --git a/tests/certs/server-cert-ca.pem b/tests/certs/server-cert-ca.pem
+index 818101a..8ffaad3 100644
+--- a/tests/certs/server-cert-ca.pem
++++ b/tests/certs/server-cert-ca.pem
+@@ -1,42 +1,42 @@
+ -----BEGIN CERTIFICATE-----
+-MIIDkTCCAkmgAwIBAgIEUdgu8DANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDEwJD
+-QTAiGA8yMDEzMDcwNjE0NTEyOVoYDzIwMjMwNTE1MTQ1MTI5WjAUMRIwEAYDVQQD
+-Ewlsb2NhbGhvc3QwggFSMA0GCSqGSIb3DQEBAQUAA4IBPwAwggE6AoIBMQCnOivs
+-PxSwLBn28W6QHb+OqfbpcIQJh/NQ81/DlFD6LGTWV4BY4Zb87tC9BBV+X3+lM/j8
+-u5HvN3nDWtv4Ge0DryLW6Tcs6FPCt4srEfCkh5l54LrMmWbhFgkVlN5fTqoY0lnd
+-YJx2X8WWldRjeL+8E7nFUcFStWrgi9AzgMFrjsL4pql97YAZRXcMoQXVjbRmzVLZ
+-IVumQy7c+tl7Eqz8lx/xS/5Fx9tIRunqNS5jEUs8Nn5E6FvraAcy+eI0gXTGk759
+-KNPYisSqAuFAmmt/XDTTvvOo6dpAseXqtR2/LjZJWOlXdiZ/yjHg5+RKQ5dt3dk5
+-7lAIWER9egIOo/+GAkyek0ZJ5GWU6VxTsFcIl6oy3S7EtB0NCIM7hvhy32QrJ5ZU
+-yNncTSf6qMVoedgdAgMBAAGjgY0wgYowDAYDVR0TAQH/BAIwADAUBgNVHREEDTAL 
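Review bot: `expiration_days = -1` in tests/certs/ca.tmpl (and in server-cert.tmpl and user-cert.tmpl further down) regenerates the fixtures with no expiry — the new ca.pem above encodes a notAfter of 99991231235959Z where the old one had 20230515145052Z — but nothing in the template says this is deliberate, and none of the templates records how it is applied (which key file it is paired with, or the certtool invocation). A header comment in each template would make the next regeneration reproducible, for this file e.g. `# certtool template for tests/certs/ca.pem, signed with tests/certs/ca-key.pem` followed by `# expiration_days = -1 is intentional: the fixture must not expire again`. The commit also regenerates user-cert-invalid.pem, which is signed under a different authority key identifier than the new ca.pem, without adding a matching template — unless one lives outside this chunk — so that file is now the only fixture that cannot be rebuilt from a recorded input.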
+-gglsb2NhbGhvc3QwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYDVR0PAQH/BAUDAweg +-ADAdBgNVHQ4EFgQUqCVH9o9E1jUb72ys0de5boT536MwHwYDVR0jBBgwFoAUSCM0 +-UwqJMThKWurKttKm3s4dKxgwDQYJKoZIhvcNAQELBQADggExAK7dBCSwM/OJw+6s +-9MJAb7Ygi9xhHSq30Hg3M7DaPC7J9rZB6+IAVb3poOZAtDDtyTqvXH7qY5UMjJC9 +-GsFmHPI/OSk2xuJJpG+ZJaP54b7kzTtUD6UCHETsgBk2aNuqNhjXR2fYnR9QME0C +-zZWIDV+5DFEBI97ln30N6PcXvIxp7Rsac3qwzvwt3zL+23kTwgM+DoRPoPO0PHr/ +-eQ9hvRU5wA2Vc47zhUXIFy1Jmx7Sf//pw0/wq46VUAjDZ5B09EoCpzBNvOD7P+cF +-FQQ7SId8h8OQ2uOWxT2baeJX0pVbVv+qwOOB1F0q3sjx0dZa/2rxOUZ3wnHG9j8j +-LZSUkZxGpPQffCSpSPma5RhYff8/BncdA8soT0dyEfXIX5V91IXnrlI8XZrADvJM +-zzJKdNg= ++MIIDjjCCAkagAwIBAgIEUdgu8DANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDEwJD ++QTAgFw0xMzA2MDYxMjUxMjlaGA85OTk5MTIzMTIzNTk1OVowFDESMBAGA1UEAxMJ ++bG9jYWxob3N0MIIBUjANBgkqhkiG9w0BAQEFAAOCAT8AMIIBOgKCATEApzor7D8U ++sCwZ9vFukB2/jqn26XCECYfzUPNfw5RQ+ixk1leAWOGW/O7QvQQVfl9/pTP4/LuR ++7zd5w1rb+BntA68i1uk3LOhTwreLKxHwpIeZeeC6zJlm4RYJFZTeX06qGNJZ3WCc ++dl/FlpXUY3i/vBO5xVHBUrVq4IvQM4DBa47C+Kapfe2AGUV3DKEF1Y20Zs1S2SFb ++pkMu3PrZexKs/Jcf8Uv+RcfbSEbp6jUuYxFLPDZ+ROhb62gHMvniNIF0xpO+fSjT ++2IrEqgLhQJprf1w0077zqOnaQLHl6rUdvy42SVjpV3Ymf8ox4OfkSkOXbd3ZOe5Q ++CFhEfXoCDqP/hgJMnpNGSeRllOlcU7BXCJeqMt0uxLQdDQiDO4b4ct9kKyeWVMjZ ++3E0n+qjFaHnYHQIDAQABo4GMMIGJMAwGA1UdEwEB/wQCMAAwFAYDVR0RBA0wC4IJ ++bG9jYWxob3N0MBMGA1UdJQQMMAoGCCsGAQUFBwMBMA4GA1UdDwEB/wQEAwIFoDAd ++BgNVHQ4EFgQUqCVH9o9E1jUb72ys0de5boT536MwHwYDVR0jBBgwFoAUSCM0UwqJ ++MThKWurKttKm3s4dKxgwDQYJKoZIhvcNAQELBQADggExAGQoUMiZVg6+Ibj8kyfq ++l/vfu4QxlUlqAbm/b9PVdOLrhz+T986HMFhL0b2HUGg5Mb0NZcgHjH4VLkei4AIb ++g/1nGdJ2I6EcLiQOvO4h2F3CoU6HkEGVEUXFaBd19tSDm7aM+2h7oPb3Vs3YT9QE ++x7ejmVeA+Qr9+H9xHyModpA1PkKRW31TOYtjUXHdHObT1uar++C1JLHn49ooKDZM ++5p9a4ExQVYd6WMRXKC83py1V4Ne5kBxC/l+3QkVZnMwByChySP7SEMa9yGv4KFM9 ++FT7XvxQsrkqPi5bCllUyGDrVeyTpyPDrb4BKgAu/Cy4tyDxLzBTZ5TXDH7E1IBps ++g1k5llFIyGdO5vQrX8vF61tqK5DBhgVvwu0k/m2lP9esLfaF7I5oGAbUKGhRr8mE ++xs8= + -----END CERTIFICATE----- + -----BEGIN CERTIFICATE----- 
+-MIIDPzCCAfegAwIBAgIEUdguzDANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDEwJD +-QTAiGA8yMDEzMDcwNjE0NTA1MloYDzIwMjMwNTE1MTQ1MDUyWjANMQswCQYDVQQD +-EwJDQTCCAVIwDQYJKoZIhvcNAQEBBQADggE/ADCCAToCggExALRrJ5glr8H/Hsqw +-fvTYvO1DhmdUXdq0HsKQX4M8AhH8E3KFsoikZUELdl8jvoqf/nlLczsux0s8vxbJ +-l1U1F/OhckswwuAnlBLzVgDmzoJLEV2kHpv6+rkbKk0Ytbql5gzHqKihbaqIhNyW +-DrJsHDWq58eUPfnVx8KiDUuzbnr3CF/FCc0Vkxr3mN8qTGaJJO0f0BZjgWWlWDuh +-zSVim5mBVAgXGOx8LwiiOyhXMp0XRwqG+2KxQZnm+96o6iB+8xvuuuqaIWQpkvKt +-c+UZBZ03U+IRnxhfIrriiw0AjJ4vp4c9QL5KoqWSCAwuYcBYfJqZ4dasgzklzz4b +-7eujbZ3LxTjewcdumzQUvjA+gpAeuUqaduTvMwxGojFy9sNhC/iqZ4n0peV2N6Ep +-n4B5qnUCAwEAAaNDMEEwDwYDVR0TAQH/BAUwAwEB/zAPBgNVHQ8BAf8EBQMDBwQA +-MB0GA1UdDgQWBBRIIzRTCokxOEpa6sq20qbezh0rGDANBgkqhkiG9w0BAQsFAAOC +-ATEAa1kdd8E1PkM06Isw0S/thEll0rAYsNHwSX17IDUWocTTQlmVXBXcvLqM04QT +-z7WNG4eushLhRpSn8LJQkf4RgvAxOMIjHM9troDbPVoec6k8fZrJ8jfXurOgoOVP +-g+hScT3VDvxgiOVwgXSe2XBryGDaviRuSOHlfy5GPVirLJLZwpcX6RpsHMX9rrZX +-ghvf8dwm4To9H5wT0Le2FnZRoLOTMmpr49bfKJqy/U7AUHaf4saSdkdEIaGOxkPk +-x+SFlr9TjavnJvL0TApkvfNZ1aOVHRHINgaFYHQJ4U0jQ/g7lPmD+UtZWnvSMNXH +-yct5cKOyP4j7Kla1sKPs+oamOQ7pR1Z/GwBxe48FvO7VDi7EkugLwlzoXC2G+4Jg +-fJbi9Ui2FmXEeKkX34f1ONNj9Q== ++MIIDPDCCAfSgAwIBAgIEUdguzDANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDEwJD ++QTAgFw0xMzAyMTMxNTMyMTJaGA85OTk5MTIzMTIzNTk1OVowDTELMAkGA1UEAxMC ++Q0EwggFSMA0GCSqGSIb3DQEBAQUAA4IBPwAwggE6AoIBMQC0ayeYJa/B/x7KsH70 ++2LztQ4ZnVF3atB7CkF+DPAIR/BNyhbKIpGVBC3ZfI76Kn/55S3M7LsdLPL8WyZdV ++NRfzoXJLMMLgJ5QS81YA5s6CSxFdpB6b+vq5GypNGLW6peYMx6iooW2qiITclg6y ++bBw1qufHlD351cfCog1Ls2569whfxQnNFZMa95jfKkxmiSTtH9AWY4FlpVg7oc0l ++YpuZgVQIFxjsfC8IojsoVzKdF0cKhvtisUGZ5vveqOogfvMb7rrqmiFkKZLyrXPl ++GQWdN1PiEZ8YXyK64osNAIyeL6eHPUC+SqKlkggMLmHAWHyameHWrIM5Jc8+G+3r ++o22dy8U43sHHbps0FL4wPoKQHrlKmnbk7zMMRqIxcvbDYQv4qmeJ9KXldjehKZ+A ++eap1AgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0G ++A1UdDgQWBBRIIzRTCokxOEpa6sq20qbezh0rGDANBgkqhkiG9w0BAQsFAAOCATEA ++foqPGdiyJYHih4J5YHwFPQxmkOzPHSa13K/q8sDvobE+HFTzrlTbAFC8bS38Bv2f 
++9ZrPME4JvnsGdRGYwxS3LUmNdHHWR8LkvGXBE3u/TZsJfPtOR8JwdulQXpRw7hhL ++ew/mR5IEHZrUZgnnI4dg1kJhE1JPTvmtgqcE1CsikVQ14NvG/ehJbJyPgKTq/Zxm ++Ru4B5N+Jef/LaOqZvK4xK8x2ZaZ/L/ANou+7EY4DoWAkOEEoCU8DQHLAFgf6B7La ++oemLQGNHcBpba81jlS5EXXGJccOvfbw0MJTP3ZvyVIlEYu/X4roC7EJP/UkCZUJG ++f79Nc28q2/2D8tuFOqG7UbP7r2cWSa8OO3cI/V1W1k3iWZ63WltqDwFC0c8iqYFL ++9xKfQ96Q7wrYOCjmuaCLbw== + -----END CERTIFICATE----- +diff --git a/tests/certs/server-cert.pem b/tests/certs/server-cert.pem +index 4acde02..b304b47 100644 +--- a/tests/certs/server-cert.pem ++++ b/tests/certs/server-cert.pem +@@ -1,22 +1,22 @@ + -----BEGIN CERTIFICATE----- +-MIIDkTCCAkmgAwIBAgIEUdgu8DANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDEwJD +-QTAiGA8yMDEzMDcwNjE0NTEyOVoYDzIwMjMwNTE1MTQ1MTI5WjAUMRIwEAYDVQQD +-Ewlsb2NhbGhvc3QwggFSMA0GCSqGSIb3DQEBAQUAA4IBPwAwggE6AoIBMQCnOivs +-PxSwLBn28W6QHb+OqfbpcIQJh/NQ81/DlFD6LGTWV4BY4Zb87tC9BBV+X3+lM/j8 +-u5HvN3nDWtv4Ge0DryLW6Tcs6FPCt4srEfCkh5l54LrMmWbhFgkVlN5fTqoY0lnd +-YJx2X8WWldRjeL+8E7nFUcFStWrgi9AzgMFrjsL4pql97YAZRXcMoQXVjbRmzVLZ +-IVumQy7c+tl7Eqz8lx/xS/5Fx9tIRunqNS5jEUs8Nn5E6FvraAcy+eI0gXTGk759 +-KNPYisSqAuFAmmt/XDTTvvOo6dpAseXqtR2/LjZJWOlXdiZ/yjHg5+RKQ5dt3dk5 +-7lAIWER9egIOo/+GAkyek0ZJ5GWU6VxTsFcIl6oy3S7EtB0NCIM7hvhy32QrJ5ZU +-yNncTSf6qMVoedgdAgMBAAGjgY0wgYowDAYDVR0TAQH/BAIwADAUBgNVHREEDTAL +-gglsb2NhbGhvc3QwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYDVR0PAQH/BAUDAweg +-ADAdBgNVHQ4EFgQUqCVH9o9E1jUb72ys0de5boT536MwHwYDVR0jBBgwFoAUSCM0 +-UwqJMThKWurKttKm3s4dKxgwDQYJKoZIhvcNAQELBQADggExAK7dBCSwM/OJw+6s +-9MJAb7Ygi9xhHSq30Hg3M7DaPC7J9rZB6+IAVb3poOZAtDDtyTqvXH7qY5UMjJC9 +-GsFmHPI/OSk2xuJJpG+ZJaP54b7kzTtUD6UCHETsgBk2aNuqNhjXR2fYnR9QME0C +-zZWIDV+5DFEBI97ln30N6PcXvIxp7Rsac3qwzvwt3zL+23kTwgM+DoRPoPO0PHr/ +-eQ9hvRU5wA2Vc47zhUXIFy1Jmx7Sf//pw0/wq46VUAjDZ5B09EoCpzBNvOD7P+cF +-FQQ7SId8h8OQ2uOWxT2baeJX0pVbVv+qwOOB1F0q3sjx0dZa/2rxOUZ3wnHG9j8j +-LZSUkZxGpPQffCSpSPma5RhYff8/BncdA8soT0dyEfXIX5V91IXnrlI8XZrADvJM +-zzJKdNg= ++MIIDjjCCAkagAwIBAgIEUdgu8DANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDEwJD 
++QTAgFw0xMzA2MDYxMjUxMjlaGA85OTk5MTIzMTIzNTk1OVowFDESMBAGA1UEAxMJ
++bG9jYWxob3N0MIIBUjANBgkqhkiG9w0BAQEFAAOCAT8AMIIBOgKCATEApzor7D8U
++sCwZ9vFukB2/jqn26XCECYfzUPNfw5RQ+ixk1leAWOGW/O7QvQQVfl9/pTP4/LuR
++7zd5w1rb+BntA68i1uk3LOhTwreLKxHwpIeZeeC6zJlm4RYJFZTeX06qGNJZ3WCc
++dl/FlpXUY3i/vBO5xVHBUrVq4IvQM4DBa47C+Kapfe2AGUV3DKEF1Y20Zs1S2SFb
++pkMu3PrZexKs/Jcf8Uv+RcfbSEbp6jUuYxFLPDZ+ROhb62gHMvniNIF0xpO+fSjT
++2IrEqgLhQJprf1w0077zqOnaQLHl6rUdvy42SVjpV3Ymf8ox4OfkSkOXbd3ZOe5Q
++CFhEfXoCDqP/hgJMnpNGSeRllOlcU7BXCJeqMt0uxLQdDQiDO4b4ct9kKyeWVMjZ
++3E0n+qjFaHnYHQIDAQABo4GMMIGJMAwGA1UdEwEB/wQCMAAwFAYDVR0RBA0wC4IJ
++bG9jYWxob3N0MBMGA1UdJQQMMAoGCCsGAQUFBwMBMA4GA1UdDwEB/wQEAwIFoDAd
++BgNVHQ4EFgQUqCVH9o9E1jUb72ys0de5boT536MwHwYDVR0jBBgwFoAUSCM0UwqJ
++MThKWurKttKm3s4dKxgwDQYJKoZIhvcNAQELBQADggExAGQoUMiZVg6+Ibj8kyfq
++l/vfu4QxlUlqAbm/b9PVdOLrhz+T986HMFhL0b2HUGg5Mb0NZcgHjH4VLkei4AIb
++g/1nGdJ2I6EcLiQOvO4h2F3CoU6HkEGVEUXFaBd19tSDm7aM+2h7oPb3Vs3YT9QE
++x7ejmVeA+Qr9+H9xHyModpA1PkKRW31TOYtjUXHdHObT1uar++C1JLHn49ooKDZM
++5p9a4ExQVYd6WMRXKC83py1V4Ne5kBxC/l+3QkVZnMwByChySP7SEMa9yGv4KFM9
++FT7XvxQsrkqPi5bCllUyGDrVeyTpyPDrb4BKgAu/Cy4tyDxLzBTZ5TXDH7E1IBps
++g1k5llFIyGdO5vQrX8vF61tqK5DBhgVvwu0k/m2lP9esLfaF7I5oGAbUKGhRr8mE
++xs8=
+ -----END CERTIFICATE-----
+diff --git a/tests/certs/server-cert.tmpl b/tests/certs/server-cert.tmpl
+new file mode 100644
+index 0000000..82e34ca
+--- /dev/null
++++ b/tests/certs/server-cert.tmpl
+@@ -0,0 +1,8 @@
++cn = localhost
++dns_name = localhost
++tls_www_server
++signing_key
++encryption_key
++expiration_days = -1
++activation_date = "2013-06-06 14:51:29"
++serial = 0x51d82ef0
+diff --git a/tests/certs/user-cert-invalid.pem b/tests/certs/user-cert-invalid.pem
+index 0175bdf..4f5dd96 100644
+--- a/tests/certs/user-cert-invalid.pem
++++ b/tests/certs/user-cert-invalid.pem
+@@ -1,107 +1,23 @@
+-X.509 Certificate Information:
+- Version: 3
+- Serial Number (hex): 51d82f14
+- Issuer: CN=CA
+- Validity:
+- Not Before: Sat Jul 06 14:52:05 UTC 2013
+- Not After: Mon May 15 
14:52:05 UTC 2023 +- Subject: CN=A user,UID=test +- Subject Public Key Algorithm: RSA +- Algorithm Security Level: Medium (2432 bits) +- Modulus (bits 2432): +- 00:ab:54:98:fc:a9:c6:15:95:9d:a6:c1:94:84:94:91 +- 79:1e:78:db:2d:48:51:99:65:01:02:c0:40:52:49:5d +- eb:70:bc:26:ef:68:39:1e:04:91:e2:db:cb:6f:93:40 +- 45:1e:22:8e:71:5a:58:89:28:79:5e:1a:32:25:3e:8b +- 9d:3b:34:7f:19:f8:d0:2f:37:b7:62:32:b7:53:a5:43 +- 2c:c5:5d:ec:ac:f9:35:fa:14:2b:34:66:f1:d6:a7:a1 +- d0:83:9a:56:f4:19:83:bc:bf:11:74:30:2d:a8:28:5b +- a2:ab:7a:c6:cd:9c:5c:f8:51:e9:a9:0c:48:db:71:bb +- b1:34:77:f7:ee:de:5d:78:c0:48:0a:37:0d:65:1e:3b +- 2b:14:03:89:72:f2:52:ed:5f:00:c5:06:60:ea:80:20 +- d0:43:ec:66:bc:d2:26:db:f0:29:3e:6a:f9:62:20:be +- 58:26:44:ba:d7:8c:6f:76:a6:05:20:e4:98:b7:c4:72 +- 7a:5d:df:4f:0d:23:ec:2e:9c:71:ec:30:f9:14:5f:c8 +- 75:0b:ab:67:f6:7d:fb:4d:76:64:4a:a5:d5:fa:b4:08 +- 50:9d:13:c7:8f:c2:79:b0:b4:3e:2f:89:d3:33:27:4d +- 9f:8b:d3:60:24:07:ab:b2:72:3d:29:a5:c4:4a:ec:3c +- 04:d2:49:3e:26:1b:ec:7a:10:3d:ca:45:5a:80:8b:4d +- 2a:96:63:4f:2d:63:28:0f:3b:47:47:ca:7c:2c:15:41 +- 32:d5:e0:c9:be:a5:55:2c:b3:6b:46:2a:56:b1:1b:ed +- 29 +- Exponent (bits 24): +- 01:00:01 +- Extensions: +- Basic Constraints (critical): +- Certificate Authority (CA): FALSE +- Key Purpose (not critical): +- TLS WWW Client. +- Key Usage (critical): +- Digital signature. +- Key encipherment. 
+- Subject Key Identifier (not critical): +- 8b01094b3b91ece321b91dec8d6b4c5d9e40805e +- Authority Key Identifier (not critical): +- 482334530a8931384a5aeacab6d2a6dece1d2b18 +- Signature Algorithm: RSA-SHA256 +- Signature: +- 6b:bd:e2:90:d7:11:cf:6c:0d:e3:bd:f4:61:cd:57:83 +- 41:be:2a:92:46:dd:fa:44:6c:60:1c:ef:3e:1e:2f:e1 +- e2:5b:45:88:6a:1e:50:2d:8d:96:c4:c7:80:75:59:7b +- 54:6b:fb:86:b0:f1:6d:45:09:db:48:de:20:0a:87:60 +- 30:5e:35:f0:52:c4:55:44:c1:ff:e1:7c:3d:d6:6d:58 +- ca:1c:fd:bf:04:9a:9b:10:35:05:fc:d1:01:3c:af:bb +- 64:31:5e:59:8f:ef:6f:0d:35:e5:c0:07:77:0e:31:20 +- 8e:e3:2e:f1:a6:4d:f1:be:85:5b:df:04:48:9d:8c:c9 +- c9:c1:b8:e3:e2:d2:4b:55:83:e9:d8:7b:71:2f:8e:89 +- fc:4d:a7:f1:b0:bf:47:9b:97:c4:85:dd:c3:3d:38:15 +- 36:08:73:10:87:08:f6:e6:1c:4e:29:a8:a5:f5:24:b8 +- 0d:e9:d9:b8:19:27:1d:73:35:fe:7b:81:1f:4a:81:6a +- 93:cd:a2:71:d7:60:0e:08:ee:ea:c8:2b:44:1b:e4:45 +- 6c:fe:44:68:d6:86:ad:89:4f:7e:9f:f9:1a:2a:97:0f +- 6b:eb:5d:6e:38:b3:5b:13:b9:e3:4a:10:32:5b:dc:a9 +- b4:a1:4e:b3:f9:4f:91:de:bc:cc:36:91:44:ba:e0:34 +- 74:f7:68:b4:7b:0e:db:4e:ec:28:03:01:cf:0a:63:c4 +- 23:75:0b:4b:41:9d:e0:68:b3:cb:bf:b5:5c:3d:52:93 +- 20:ba:ea:b8:f0:8c:f7:a6:ec:cd:a3:aa:4f:2a:ff:20 +-Other Information: +- SHA1 fingerprint: +- 5509a76b8738216938cdb3ec25048812737170de +- SHA256 fingerprint: +- c93e38ef35f1a9c485a27b161e708f2d45bf8768eb53a23fec841a8f35d6e478 +- Public Key ID: +- 8b01094b3b91ece321b91dec8d6b4c5d9e40805e +- Public key's random art: +- +--[ RSA 2432]----+ +- | o=o | +- |..oE.. | +- |.+=.o | +- |o.*.... | +- | * B +..S | +- |. * o oo . | +- | o . . . | +- | + | +- | . 
| +- +-----------------+ +- + -----BEGIN CERTIFICATE----- +-MIIDjDCCAkSgAwIBAgIEUdgvFDANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDEwJD +-QTAiGA8yMDEzMDcwNjE0NTIwNVoYDzIwMjMwNTE1MTQ1MjA1WjAnMQ8wDQYDVQQD +-EwZBIHVzZXIxFDASBgoJkiaJk/IsZAEBEwR0ZXN0MIIBUjANBgkqhkiG9w0BAQEF +-AAOCAT8AMIIBOgKCATEAq1SY/KnGFZWdpsGUhJSReR542y1IUZllAQLAQFJJXetw +-vCbvaDkeBJHi28tvk0BFHiKOcVpYiSh5XhoyJT6LnTs0fxn40C83t2Iyt1OlQyzF +-Xeys+TX6FCs0ZvHWp6HQg5pW9BmDvL8RdDAtqChboqt6xs2cXPhR6akMSNtxu7E0 +-d/fu3l14wEgKNw1lHjsrFAOJcvJS7V8AxQZg6oAg0EPsZrzSJtvwKT5q+WIgvlgm +-RLrXjG92pgUg5Ji3xHJ6Xd9PDSPsLpxx7DD5FF/IdQurZ/Z9+012ZEql1fq0CFCd +-E8ePwnmwtD4vidMzJ02fi9NgJAersnI9KaXESuw8BNJJPiYb7HoQPcpFWoCLTSqW +-Y08tYygPO0dHynwsFUEy1eDJvqVVLLNrRipWsRvtKQIDAQABo3YwdDAMBgNVHRMB +-Af8EAjAAMBMGA1UdJQQMMAoGCCsGAQUFBwMCMA8GA1UdDwEB/wQFAwMHoAAwHQYD +-VR0OBBYEFIsBCUs7kezjIbkd7I1rTF2eQIBeMB8GA1UdIwQYMBaAFEgjNFMKiTE4 +-SlrqyrbSpt7OHSsYMA0GCSqGSIb3DQEBCwUAA4IBMQBrveKQ1xHPbA3jvfRhzVeD +-Qb4qkkbd+kRsYBzvPh4v4eJbRYhqHlAtjZbEx4B1WXtUa/uGsPFtRQnbSN4gCodg +-MF418FLEVUTB/+F8PdZtWMoc/b8EmpsQNQX80QE8r7tkMV5Zj+9vDTXlwAd3DjEg +-juMu8aZN8b6FW98ESJ2MycnBuOPi0ktVg+nYe3Evjon8TafxsL9Hm5fEhd3DPTgV +-NghzEIcI9uYcTimopfUkuA3p2bgZJx1zNf57gR9KgWqTzaJx12AOCO7qyCtEG+RF +-bP5EaNaGrYlPfp/5GiqXD2vrXW44s1sTueNKEDJb3Km0oU6z+U+R3rzMNpFEuuA0 +-dPdotHsO207sKAMBzwpjxCN1C0tBneBos8u/tVw9UpMguuq48Iz3puzNo6pPKv8g ++MIID2TCCAkGgAwIBAgIEUdgvFDANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDEwJD ++QTAgFw0xMzA2MDYxMjUxMjlaGA85OTk5MTIzMTIzNTk1OVowJzEPMA0GA1UEAxMG ++QSB1c2VyMRQwEgYKCZImiZPyLGQBARMEdGVzdDCCAVIwDQYJKoZIhvcNAQEBBQAD ++ggE/ADCCAToCggExAKtUmPypxhWVnabBlISUkXkeeNstSFGZZQECwEBSSV3rcLwm ++72g5HgSR4tvLb5NARR4ijnFaWIkoeV4aMiU+i507NH8Z+NAvN7diMrdTpUMsxV3s ++rPk1+hQrNGbx1qeh0IOaVvQZg7y/EXQwLagoW6KresbNnFz4UempDEjbcbuxNHf3 ++7t5deMBICjcNZR47KxQDiXLyUu1fAMUGYOqAINBD7Ga80ibb8Ck+avliIL5YJkS6 ++14xvdqYFIOSYt8Ryel3fTw0j7C6cceww+RRfyHULq2f2fftNdmRKpdX6tAhQnRPH ++j8J5sLQ+L4nTMydNn4vTYCQHq7JyPSmlxErsPATSST4mG+x6ED3KRVqAi00qlmNP 
++LWMoDztHR8p8LBVBMtXgyb6lVSyza0YqVrEb7SkCAwEAAaN1MHMwDAYDVR0TAQH/ ++BAIwADATBgNVHSUEDDAKBggrBgEFBQcDAjAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0O ++BBYEFIsBCUs7kezjIbkd7I1rTF2eQIBeMB8GA1UdIwQYMBaAFAV+KcZC+G2nf/6V ++sElx119oZKWUMA0GCSqGSIb3DQEBCwUAA4IBgQCTOjwtK5sDPFdbWWlScDX9xfNf ++tnqRL22Id6VIRcAiuu6KVAYRNs3Pdv65H9orSaohrBRfWKEqAi51bhvDQvzhbw7u ++881txF+6s0fauArxAUai3e11eCil3gt0JOQVephmPKw6pVq9mMieho5I2SQ8CXoQ ++pSrselGaOTp8CK1r90pn8RGiJrZ3xJu5Yezb3AWCs3IOHhRT1Rc5mFnvs9VVR64h ++Pvlr9yBOf/pBEuylQr00plhsZdLra/nIspsGnOIiuM4eIliP6bQwE06u1LxlCbgB ++CAGTQ86vbO2xT1i8dZeq8TJ72OatmRboUBncaZNIT3rUTZxZYkYhkNtVTKnv/8qq ++LZI23qtcWLEAsc1O0Xva22wjkg5QE06AiWdcwK3f/Qpvj5yO9+PL7X4lP47n5D6m ++t1S6xisKgjo/IP9Wk3mPNaNDN3hZCaFRYEHn4CYrlXHqjg1w7quCKApYzrh5/L1Y ++b9U/qzwF7SatFovndYtf02bjcrHC/TA53IdiQPA= + -----END CERTIFICATE----- +diff --git a/tests/certs/user-cert.pem b/tests/certs/user-cert.pem +index ef5114c..32ab235 100644 +--- a/tests/certs/user-cert.pem ++++ b/tests/certs/user-cert.pem +@@ -1,21 +1,21 @@ + -----BEGIN CERTIFICATE----- +-MIIDjDCCAkSgAwIBAgIEUdgvFDANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDEwJD +-QTAiGA8yMDEzMDcwNjE0NTIwNVoYDzIwMjMwNTE1MTQ1MjA1WjAnMQ8wDQYDVQQD +-EwZBIHVzZXIxFDASBgoJkiaJk/IsZAEBEwR0ZXN0MIIBUjANBgkqhkiG9w0BAQEF +-AAOCAT8AMIIBOgKCATEAq1SY/KnGFZWdpsGUhJSReR542y1IUZllAQLAQFJJXetw +-vCbvaDkeBJHi28tvk0BFHiKOcVpYiSh5XhoyJT6LnTs0fxn40C83t2Iyt1OlQyzF +-Xeys+TX6FCs0ZvHWp6HQg5pW9BmDvL8RdDAtqChboqt6xs2cXPhR6akMSNtxu7E0 +-d/fu3l14wEgKNw1lHjsrFAOJcvJS7V8AxQZg6oAg0EPsZrzSJtvwKT5q+WIgvlgm +-RLrXjG92pgUg5Ji3xHJ6Xd9PDSPsLpxx7DD5FF/IdQurZ/Z9+012ZEql1fq0CFCd +-E8ePwnmwtD4vidMzJ02fi9NgJAersnI9KaXESuw8BNJJPiYb7HoQPcpFWoCLTSqW +-Y08tYygPO0dHynwsFUEy1eDJvqVVLLNrRipWsRvtKQIDAQABo3YwdDAMBgNVHRMB +-Af8EAjAAMBMGA1UdJQQMMAoGCCsGAQUFBwMCMA8GA1UdDwEB/wQFAwMHoAAwHQYD +-VR0OBBYEFIsBCUs7kezjIbkd7I1rTF2eQIBeMB8GA1UdIwQYMBaAFEgjNFMKiTE4 +-SlrqyrbSpt7OHSsYMA0GCSqGSIb3DQEBCwUAA4IBMQBrveOQ1xHPbA3jvfRhzVeD +-Qb4qkkbd+kRsYBzvPh4v4eJbRYhqHlAtjZbEx4B1WXtUa/uGsPFtRQnbSN4gCodg 
+-MF418FLEVUTB/+F8PdZtWMoc/b8EmpsQNQX80QE8r7tkMV5Zj+9vDTXlwAd3DjEg
+-juMu8aZN8b6FW98ESJ2MycnBuOPi0ktVg+nYe3Evjon8TafxsL9Hm5fEhd3DPTgV
+-NghzEIcI9uYcTimopfUkuA3p2bgZJx1zNf57gR9KgWqTzaJx12AOCO7qyCtEG+RF
+-bP5EaNaGrYlPfp/5GiqXD2vrXW44s1sTueNKEDJb3Km0oU6z+U+R3rzMNpFEuuA0
+-dPdotHsO207sKAMBzwpjxCN1C0tBneBos8u/tVw9UpMguuq48Iz3puzNo6pPKv8g
++MIIDiTCCAkGgAwIBAgIEUdgvFDANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDEwJD
++QTAgFw0xMzA2MDYxMjUxMjlaGA85OTk5MTIzMTIzNTk1OVowJzEPMA0GA1UEAxMG
++QSB1c2VyMRQwEgYKCZImiZPyLGQBARMEdGVzdDCCAVIwDQYJKoZIhvcNAQEBBQAD
++ggE/ADCCAToCggExAKtUmPypxhWVnabBlISUkXkeeNstSFGZZQECwEBSSV3rcLwm
++72g5HgSR4tvLb5NARR4ijnFaWIkoeV4aMiU+i507NH8Z+NAvN7diMrdTpUMsxV3s
++rPk1+hQrNGbx1qeh0IOaVvQZg7y/EXQwLagoW6KresbNnFz4UempDEjbcbuxNHf3
++7t5deMBICjcNZR47KxQDiXLyUu1fAMUGYOqAINBD7Ga80ibb8Ck+avliIL5YJkS6
++14xvdqYFIOSYt8Ryel3fTw0j7C6cceww+RRfyHULq2f2fftNdmRKpdX6tAhQnRPH
++j8J5sLQ+L4nTMydNn4vTYCQHq7JyPSmlxErsPATSST4mG+x6ED3KRVqAi00qlmNP
++LWMoDztHR8p8LBVBMtXgyb6lVSyza0YqVrEb7SkCAwEAAaN1MHMwDAYDVR0TAQH/
++BAIwADATBgNVHSUEDDAKBggrBgEFBQcDAjAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0O
++BBYEFIsBCUs7kezjIbkd7I1rTF2eQIBeMB8GA1UdIwQYMBaAFEgjNFMKiTE4Slrq
++yrbSpt7OHSsYMA0GCSqGSIb3DQEBCwUAA4IBMQAp51Ks5DDWVlLB6fMM2NJV80sX
++Rx6U1g6ovA7N5BDQiF6FYzVZECMH3d9nyZssHbkzb6qyO1m58P0cNkVurEH27+Z2
++xdkNw5bbcvNDVhfVSjwa6nyTLfhf7vOTWaIxGGmffP72PIe87N6QmyCCGG0IXIkO
++kcTAE8IgX6k1mEr1Xy2ZtFVgKjPPLxsixIJ7TEktvJR1RqWQfbsOS8f13lvS1Vhh
++vc+UMbIQnz+jl4qNV/AX7GfpEYiBkbrgcjsggl/KMuwcauhEDdvfIQjcyRbQN36p
++KcVEXDpnG54sAfXAs9Z+adbvmu0ONAMCDuxKCT2eG1SGVrtiT5+7kCMso1eKz/5A
++r1XP0RgCKFExIRYb1elFpLc8wmJbN4qof2zisKG8UajFIHzIGateiu53enNn
+ -----END CERTIFICATE-----
+diff --git a/tests/certs/user-cert.tmpl b/tests/certs/user-cert.tmpl
+new file mode 100644
+index 0000000..6a60496
+--- /dev/null
++++ b/tests/certs/user-cert.tmpl
+@@ -0,0 +1,7 @@
++dn = "uid=test,cn=A user"
++tls_www_client
++signing_key
++encryption_key
++expiration_days = -1
++activation_date = "2013-06-06 14:51:29"
++serial = 0x51d82f14
+diff --git 
a/tests/cipher-common.sh b/tests/cipher-common.sh
+index fb9e2ac..07443a0 100755
+--- a/tests/cipher-common.sh
++++ b/tests/cipher-common.sh
+@@ -91,14 +91,14 @@ fi
+ 
+ # Run clients
+ echo " * Getting cookie from ${ADDRESS}:${PORT}..."
+-( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 ${CSTR} --cookieonly )
++( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= ${CSTR} --cookieonly )
+ if test $? != 0;then
+ echo "Could not get cookie from server"
+ exit 1
+ fi
+ 
+ echo " * Connecting to ${ADDRESS}:${PORT}..."
+-( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 ${CSTR} -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b )
++( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= ${CSTR} -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b )
+ if test $? != 0;then
+ echo "Could not connect to server"
+ exit 1
+diff --git a/tests/disconnect-user b/tests/disconnect-user
+index 67a016e..bf4c7ab 100755
+--- a/tests/disconnect-user
++++ b/tests/disconnect-user
+@@ -77,7 +77,7 @@ sleep 3
+ 
+ # Run clients
+ echo " * Getting cookie from ${ADDRESS}:${PORT}..."
+-( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --authenticate >${TMPFILE} )
++( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --authenticate >${TMPFILE} )
+ if test $? != 0;then
+ echo "Could not get cookie from server"
+ exit 1
+@@ -85,7 +85,7 @@ fi
+ 
+ eval $(cat ${TMPFILE})
+ echo " * Connecting to ${ADDRESS}:${PORT}..." 
+-( ${CMDNS1} ${OPENCONNECT} -q ${ADDRESS}:${PORT} -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script -C "${COOKIE}" --pid-file=${CLIPID} -b )
++( ${CMDNS1} ${OPENCONNECT} -q ${ADDRESS}:${PORT} -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script -C "${COOKIE}" --pid-file=${CLIPID} -b )
+ if test $? != 0;then
+ echo "Could not connect to server"
+ exit 1
+@@ -105,7 +105,7 @@ if test $? != 0;then
+ fi
+ 
+ echo " * Re-connecting to obtain cookie after disconnect... "
+-( ${CMDNS1} ${OPENCONNECT} -q ${ADDRESS}:${PORT} -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script -C "${COOKIE}" --pid-file=${CLIPID} -b )
++( ${CMDNS1} ${OPENCONNECT} -q ${ADDRESS}:${PORT} -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script -C "${COOKIE}" --pid-file=${CLIPID} -b )
+ if test $? = 0;then
+ echo "Succeeded using the cookie to connect"
+ exit 1
+diff --git a/tests/disconnect-user2 b/tests/disconnect-user2
+index ef8c3c1..e00cc67 100755
+--- a/tests/disconnect-user2
++++ b/tests/disconnect-user2
+@@ -75,7 +75,7 @@ sleep 3
+ 
+ # Run clients
+ echo " * Getting cookie from ${ADDRESS}:${PORT}..."
+-( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --authenticate >${TMPFILE} )
++( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --authenticate >${TMPFILE} )
+ if test $? != 0;then
+ echo "Could not get cookie from server"
+ exit 1
+@@ -83,7 +83,7 @@ fi
+ 
+ eval $(cat ${TMPFILE})
+ echo " * Connecting to ${ADDRESS}:${PORT}..." 
+-( ${CMDNS1} ${OPENCONNECT} -q ${ADDRESS}:${PORT} -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script -C "${COOKIE}" --pid-file=${CLIPID} -b )
++( ${CMDNS1} ${OPENCONNECT} -q ${ADDRESS}:${PORT} -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script -C "${COOKIE}" --pid-file=${CLIPID} -b )
+ if test $? != 0;then
+ echo "Could not connect to server"
+ exit 1
+@@ -103,7 +103,7 @@ if test $? != 0;then
+ fi
+ 
+ echo " * Re-connecting to obtain cookie after disconnect... "
+-( ${CMDNS1} ${OPENCONNECT} -q ${ADDRESS}:${PORT} -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script -C "${COOKIE}" --pid-file=${CLIPID} -b )
++( ${CMDNS1} ${OPENCONNECT} -q ${ADDRESS}:${PORT} -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script -C "${COOKIE}" --pid-file=${CLIPID} -b )
+ if test $? = 0;then
+ echo "Succeeded using the cookie to connect"
+ exit 1
+diff --git a/tests/drain-server b/tests/drain-server
+index be51cd4..808067f 100755
+--- a/tests/drain-server
++++ b/tests/drain-server
+@@ -35,7 +35,7 @@ launch_sr_server -d 1 -p ${PIDFILE} -f -c ${CONFIG} & PID=$!
+ wait_server $PID
+ 
+ echo "Connecting to obtain cookie... "
+-( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly ) ||
++( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly ) ||
+ fail $PID "Could not receive cookie from server"
+ 
+ if ! test -f ${PIDFILE};then
+@@ -48,7 +48,7 @@ kill -15 $(cat $PIDFILE)
+ sleep 1
+ 
+ echo "Connecting to obtain cookie... 
" +-( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly ) && ++( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly ) && + fail $PID "Server is still listening" + + wait +diff --git a/tests/drain-server-fail b/tests/drain-server-fail +index d61106e..a2c495d 100755 +--- a/tests/drain-server-fail ++++ b/tests/drain-server-fail +@@ -48,7 +48,7 @@ launch_simple_sr_server -d 3 -p ${PIDFILE} -f -c ${CONFIG} & PID=$! + wait_server $PID + + echo "Connecting to obtain cookie... " +-( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly ) || ++( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly ) || + fail $PID "Could not receive cookie from server" + + if ! test -f ${PIDFILE};then +diff --git a/tests/flowcontrol b/tests/flowcontrol +index fb60f67..7ef6b70 100755 +--- a/tests/flowcontrol ++++ b/tests/flowcontrol +@@ -37,39 +37,39 @@ launch_sr_server -d 1 -p ${PIDFILE} -f -c ${CONFIG} & PID=$! + wait_server $PID + + echo "Connecting to obtain cookie... " +-( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly ) || ++( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly ) || + fail $PID "Could not receive cookie from server" + + echo "Connecting to obtain cookie with wrong password... 
" +-( echo "tost" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) && ++( echo "tost" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) && + fail $PID "Received cookie when we shouldn't" + + echo "Connecting to obtain cookie with empty password... " +-( echo -e "\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) && ++( echo -e "\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) && + fail $PID "Received cookie when we shouldn't" + + echo "Connecting to obtain cookie with wrong username... " +-( echo "tost" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u tost --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) && ++( echo "tost" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u tost --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) && + fail $PID "Received cookie when we shouldn't" + + # test locked account + + echo "Connecting to obtain cookie with locked account... " +-( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u locked --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) && ++( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u locked --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) && + fail $PID "Received cookie when we shouldn't" + + #test special characters + + echo "Connecting to obtain cookie with special password... 
" +-( echo "!@#$%^&*()<>" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u "sp@c/al" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) || ++( echo "!@#$%^&*()<>" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u "sp@c/al" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) || + fail $PID "Could not receive cookie from server" + + echo "Connecting to obtain cookie with empty password... " +-( echo "" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u "empty" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) || ++( echo "" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u "empty" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) || + fail $PID "Could not receive cookie from server" + + #echo "Normal connection... " +-#( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --script=/bin/true ) || ++#( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --script=/bin/true ) || + # fail $PID "Could not connect to server" + + if ! test -f ${PIDFILE};then +diff --git a/tests/haproxy-auth b/tests/haproxy-auth +index b653714..5261860 100755 +--- a/tests/haproxy-auth ++++ b/tests/haproxy-auth +@@ -51,7 +51,7 @@ LD_PRELOAD=libsocket_wrapper.so:libuid_wrapper.so UID_WRAPPER=1 UID_WRAPPER_ROOT + wait_server ${HAPID} + + echo "Connecting to obtain cookie... 
" +-( echo "test" | LD_PRELOAD=libsocket_wrapper.so ${OPENCONNECT} -q ${ADDRESS}:${HAPORT} -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly ) ++( echo "test" | LD_PRELOAD=libsocket_wrapper.so ${OPENCONNECT} -q ${ADDRESS}:${HAPORT} -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly ) + if test $? != 0;then + kill ${HAPID} + fail ${PID} "Could not receive cookie from server" +@@ -66,7 +66,7 @@ LD_PRELOAD=libsocket_wrapper.so:libuid_wrapper.so UID_WRAPPER=1 UID_WRAPPER_ROOT + wait_server ${HAPID} + + echo "Re-connecting to obtain cookie after haproxy restart... " +-( echo "test" | LD_PRELOAD=libsocket_wrapper.so ${OPENCONNECT} -q ${ADDRESS}:${HAPORT} -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly ) ++( echo "test" | LD_PRELOAD=libsocket_wrapper.so ${OPENCONNECT} -q ${ADDRESS}:${HAPORT} -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly ) + if test $? != 0;then + kill ${HAPID} + fail ${PID} "Could not receive cookie from server" +diff --git a/tests/haproxy-connect b/tests/haproxy-connect +index c42b76c..662c08f 100755 +--- a/tests/haproxy-connect ++++ b/tests/haproxy-connect +@@ -91,14 +91,14 @@ sleep 3 + + # Run clients + echo " * Getting cookie from ${ADDRESS}:${HAPORT}..." +-( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${HAPORT} -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly ) ++( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${HAPORT} -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly ) + if test $? != 0;then + echo "Could not get cookie from server" + exit 1 + fi + + echo " * Connecting to ${ADDRESS}:${HAPORT}..." 
+-( echo "test" | ${CMDNS1} ${OPENCONNECT} -q ${ADDRESS}:${HAPORT} -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b ) ++( echo "test" | ${CMDNS1} ${OPENCONNECT} -q ${ADDRESS}:${HAPORT} -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b ) + if test $? != 0;then + echo "Could not connect to server" + exit 1 +@@ -135,7 +135,7 @@ set +e + sleep 3 + + echo " * Re-connecting to obtain cookie after haproxy restart... " +-( echo "test" | ${CMDNS1} ${OPENCONNECT} -q ${ADDRESS}:${HAPORT} -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly ) ++( echo "test" | ${CMDNS1} ${OPENCONNECT} -q ${ADDRESS}:${HAPORT} -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly ) + if test $? != 0;then + echo "Could not receive cookie from server on reconnection" + exit 1 +diff --git a/tests/haproxy-proxyproto b/tests/haproxy-proxyproto +index 70c1390..54e413c 100755 +--- a/tests/haproxy-proxyproto ++++ b/tests/haproxy-proxyproto +@@ -94,14 +94,14 @@ sleep 3 + + # Run clients + echo " * Getting cookie from ${ADDRESS}:${HAPORT}..." +-( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${HAPORT} -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly ) ++( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${HAPORT} -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly ) + if test $? != 0;then + echo "Could not get cookie from server" + exit 1 + fi + + echo " * Connecting to ${ADDRESS}:${HAPORT}..." 
+-( echo "test" | ${CMDNS1} ${OPENCONNECT} -q ${ADDRESS}:${HAPORT} -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b ) ++( echo "test" | ${CMDNS1} ${OPENCONNECT} -q ${ADDRESS}:${HAPORT} -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b ) + if test $? != 0;then + echo "Could not connect to server" + exit 1 +diff --git a/tests/haproxy-proxyproto-v1 b/tests/haproxy-proxyproto-v1 +index d274575..f767581 100755 +--- a/tests/haproxy-proxyproto-v1 ++++ b/tests/haproxy-proxyproto-v1 +@@ -94,14 +94,14 @@ sleep 3 + + # Run clients + echo " * Getting cookie from ${ADDRESS}:${HAPORT}..." +-( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${HAPORT} -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly ) ++( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${HAPORT} -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly ) + if test $? != 0;then + echo "Could not get cookie from server" + exit 1 + fi + + echo " * Connecting to ${ADDRESS}:${HAPORT}..." +-( echo "test" | ${CMDNS1} ${OPENCONNECT} -q ${ADDRESS}:${HAPORT} -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b ) ++( echo "test" | ${CMDNS1} ${OPENCONNECT} -q ${ADDRESS}:${HAPORT} -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b ) + if test $? != 0;then + echo "Could not connect to server" + exit 1 +diff --git a/tests/ipv6-iface b/tests/ipv6-iface +index d5262e5..9b78d5e 100755 +--- a/tests/ipv6-iface ++++ b/tests/ipv6-iface +@@ -70,7 +70,7 @@ ${CMDNS2} ${SERV} -p ${PIDFILE} -f -c ${CONFIG} ${DEBUG} & PID=$! + wait_server $PID + + echo -n "Connecting to setup interface... 
" +-echo "test" | ${CMDNS1} $OPENCONNECT -q $ADDRESS:$PORT -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b ++echo "test" | ${CMDNS1} $OPENCONNECT -q $ADDRESS:$PORT -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b + if test $? != 0;then + echo "Could not connect to server" + exit 1 +diff --git a/tests/ipv6-small-net b/tests/ipv6-small-net +index 4fc7260..c87b429 100755 +--- a/tests/ipv6-small-net ++++ b/tests/ipv6-small-net +@@ -70,7 +70,7 @@ ${CMDNS2} ${SERV} -p ${PIDFILE} -f -c ${CONFIG} ${DEBUG} & PID=$! + wait_server $PID + + echo -n "Connecting to setup interface... " +-echo "test" | ${CMDNS1} $OPENCONNECT -q $ADDRESS:$PORT -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b ++echo "test" | ${CMDNS1} $OPENCONNECT -q $ADDRESS:$PORT -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b + if test $? != 0;then + echo "Could not connect to server" + exit 1 +diff --git a/tests/json b/tests/json +index 72dd4bf..24c66d8 100755 +--- a/tests/json ++++ b/tests/json +@@ -78,7 +78,7 @@ ${CMDNS2} ${SERV} -p ${PIDFILE} -f -c ${CONFIG} ${DEBUG} & PID=$! + sleep 4 + + echo " * Connecting to ${ADDRESS}:${PORT}..." +-( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b ) ++( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b ) + if test $? 
!= 0;then + echo "Could not connect to server" + exit 1 +diff --git a/tests/lz4-compression b/tests/lz4-compression +index 76478cf..405b2a2 100755 +--- a/tests/lz4-compression ++++ b/tests/lz4-compression +@@ -81,14 +81,14 @@ sleep 4 + + # Run clients + echo " * Getting cookie from ${ADDRESS}:${PORT}..." +-( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly ) ++( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly ) + if test $? != 0;then + echo "Could not get cookie from server" + exit 1 + fi + + echo " * Connecting to ${ADDRESS}:${PORT}..." +-( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b ) ++( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b ) + if test $? != 0;then + echo "Could not connect to server" + exit 1 +diff --git a/tests/lzs-compression b/tests/lzs-compression +index c485df2..eef55f0 100755 +--- a/tests/lzs-compression ++++ b/tests/lzs-compression +@@ -81,14 +81,14 @@ sleep 4 + + # Run clients + echo " * Getting cookie from ${ADDRESS}:${PORT}..." +-( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly ) ++( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly ) + if test $? != 0;then + echo "Could not get cookie from server" + exit 1 + fi + + echo " * Connecting to ${ADDRESS}:${PORT}..." 
+-( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b ) ++( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b ) + if test $? != 0;then + echo "Could not connect to server" + exit 1 +diff --git a/tests/multiple-routes b/tests/multiple-routes +index b6cc0c5..63c7614 100755 +--- a/tests/multiple-routes ++++ b/tests/multiple-routes +@@ -39,13 +39,13 @@ PID=$! + wait_server $PID + + echo -n "Connecting to obtain cookie (with certificate)... " +-( $OPENCONNECT -q localhost:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert.pem --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly /dev/null ) || ++( $OPENCONNECT -q localhost:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert.pem --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly /dev/null ) || + fail $PID "Could not connect with certificate!" + + echo ok + + echo -n "Re-connecting to get routes... " +-timeout 15s $OPENCONNECT -v localhost:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert-testuser.pem --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s /bin/true ${TMPFILE1} 2>&1 ++timeout 15s $OPENCONNECT -v localhost:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert-testuser.pem --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s /bin/true ${TMPFILE1} 2>&1 + + echo ok + +diff --git a/tests/no-route-default b/tests/no-route-default +index 0c6f4f2..6cc68f0 100755 +--- a/tests/no-route-default ++++ b/tests/no-route-default +@@ -43,7 +43,7 @@ PID=$! + wait_server $PID + + echo -n "Connecting to get routes... 
" +-timeout 15s $OPENCONNECT -v localhost:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert-testuser.pem --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s /bin/true ${TMPFILE} 2>&1 ++timeout 15s $OPENCONNECT -v localhost:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert-testuser.pem --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s /bin/true ${TMPFILE} 2>&1 + + echo ok + +@@ -68,7 +68,7 @@ PID=$! + wait_server $PID + + echo -n "Connecting to get routes... " +-timeout 15s $OPENCONNECT -v localhost:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert-testuser.pem --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s /bin/true ${TMPFILE} 2>&1 ++timeout 15s $OPENCONNECT -v localhost:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert-testuser.pem --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s /bin/true ${TMPFILE} 2>&1 + + echo ok + +diff --git a/tests/no-route-group b/tests/no-route-group +index 59ec2f0..25cfaa6 100755 +--- a/tests/no-route-group ++++ b/tests/no-route-group +@@ -43,7 +43,7 @@ PID=$! + wait_server $PID + + echo -n "Connecting to get routes... " +-echo "test" | timeout 15s $OPENCONNECT -v localhost:$PORT --authgroup group1 -u test --passwd-on-stdin --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s /bin/true >${TMPFILE} 2>&1 ++echo "test" | timeout 15s $OPENCONNECT -v localhost:$PORT --authgroup group1 -u test --passwd-on-stdin --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s /bin/true >${TMPFILE} 2>&1 + + echo ok + +@@ -68,7 +68,7 @@ PID=$! + wait_server $PID + + echo -n "Connecting to get routes... 
" +-echo test | timeout 15s $OPENCONNECT -v localhost:$PORT --authgroup group1 --passwd-on-stdin -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s /bin/true >${TMPFILE} 2>&1 ++echo test | timeout 15s $OPENCONNECT -v localhost:$PORT --authgroup group1 --passwd-on-stdin -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s /bin/true >${TMPFILE} 2>&1 + + echo ok + +diff --git a/tests/ping-leases b/tests/ping-leases +index d97012e..3a43ac5 100755 +--- a/tests/ping-leases ++++ b/tests/ping-leases +@@ -52,12 +52,12 @@ fi + echo "Server started with PID $PID..." + + echo "Connecting to obtain cookie..." +-( echo "test" | $OPENCONNECT -q localhost:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly ) || ++( echo "test" | $OPENCONNECT -q localhost:$PORT -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly ) || + fail $PID "Could not receive cookie from server" + + + echo "Connecting to ping lease..." +-echo "test" | timeout 10 $OPENCONNECT localhost:$PORT -u "test" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s /bin/true ++echo "test" | timeout 10 $OPENCONNECT localhost:$PORT -u "test" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s /bin/true + + if test $? != 124;then + fail $PID "Could not connect to server" +diff --git a/tests/radius b/tests/radius +index 859671d..7bc705a 100755 +--- a/tests/radius ++++ b/tests/radius +@@ -98,21 +98,21 @@ sleep 4 + + # Run clients + echo " * Testing wrong username at ${ADDRESS}:${PORT}..." +-( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u xxx --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly ) ++( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u xxx --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly ) + if test $? 
= 0;then + echo "Connected with incorrect username" + exit 1 + fi + + echo " * Testing wrong password at ${ADDRESS}:${PORT}..." +-( echo "xxx" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly ) ++( echo "xxx" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly ) + if test $? = 0;then + echo "Connected with incorrect password" + exit 1 + fi + + echo " * Getting cookie from ${ADDRESS}:${PORT}..." +-( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly ) ++( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly ) + if test $? != 0;then + echo "Could not get cookie from server" + exit 1 +@@ -120,7 +120,7 @@ fi + + echo " * Connecting to ${ADDRESS}:${PORT} with special IP..." + USERNAME=test-arb +-( echo "${USERNAME}" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b ) ++( echo "${USERNAME}" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b ) + if test $? != 0;then + echo "Could not connect to server" + exit 1 +@@ -148,7 +148,7 @@ sleep 3 + + echo " * Connecting to ${ADDRESS}:${PORT}..." 
+ USERNAME=test +-( echo "${USERNAME}" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b ) ++( echo "${USERNAME}" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b ) + if test $? != 0;then + echo "Could not connect to server" + exit 1 +diff --git a/tests/radius-config b/tests/radius-config +index 7285091..af9d3f7 100755 +--- a/tests/radius-config ++++ b/tests/radius-config +@@ -123,7 +123,7 @@ sleep 4 + + echo " * Connecting to ${ADDRESS}:${PORT}..." + USERNAME=testtime +-( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b ) ++( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b ) + if test $? 
!= 0;then + echo "Could not connect to server" + exit 1 +diff --git a/tests/radius-group b/tests/radius-group +index 1f28cda..9b85889 100755 +--- a/tests/radius-group ++++ b/tests/radius-group +@@ -100,7 +100,7 @@ sleep 4 + + echo " * Tests the radius group functionality" + USERNAME=test-class +-( echo "${USERNAME}" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} --authgroup group2 -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b ) ++( echo "${USERNAME}" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} --authgroup group2 -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b ) + if test $? != 0;then + echo "Could not connect to server" + exit 1 +@@ -137,7 +137,7 @@ sleep 4 + + echo " * Tests the alt radius group functionality" + USERNAME=test-class +-( echo "${USERNAME}" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} --authgroup group1 -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b ) ++( echo "${USERNAME}" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} --authgroup group1 -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b ) + if test $? 
!= 0;then + echo "Could not connect to server" + exit 1 +diff --git a/tests/radius-otp b/tests/radius-otp +index 11c3907..9b4fecb 100755 +--- a/tests/radius-otp ++++ b/tests/radius-otp +@@ -111,7 +111,7 @@ for (( COUNT=1; COUNT <= 3; COUNT++ )); do + sleep 0.5 + echo "$USERNAME-stage$COUNT" + done +-} | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} -b >/dev/null 2>&1) ++} | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} -b >/dev/null 2>&1) + if test $? != 0; then + echo "Could not connect to server" + exit 1 +@@ -151,7 +151,7 @@ for (( COUNT=1; COUNT <= 3; COUNT++ )); do + sleep 0.5 + echo "$USERNAME-stage" + done +-} | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} -b --cookieonly >/dev/null 2>&1) ++} | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} -b --cookieonly >/dev/null 2>&1) + if test $? == 0; then + echo "Connected with wrong username" + exit 1 +@@ -173,7 +173,7 @@ for (( COUNT=1; COUNT <= 3; COUNT++ )); do + echo "$USERNAME-stage$COUNT" + fi + done +-} | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} -b --cookieonly >/dev/null 2>&1) ++} | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} -b --cookieonly >/dev/null 2>&1) + if test $? 
== 0; then + echo "Connected with wrong OTP" + exit 1 +@@ -197,7 +197,7 @@ for (( COUNT=1; COUNT <= 3; COUNT++ )); do + echo "$USERNAME-stage$COUNT" + fi + done +-} | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} -b --cookieonly >/dev/null 2>&1) ++} | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} -b --cookieonly >/dev/null 2>&1) + if test $? == 0; then + echo "Connected with wrong OTP" + exit 1 +@@ -218,7 +218,7 @@ for (( COUNT=1; COUNT <= 3; COUNT++ )); do + echo "$USERNAME-stage$COUNT" + fi + done +-} | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} -b --cookieonly >/dev/null 2>&1) ++} | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} -b --cookieonly >/dev/null 2>&1) + if test $? == 0; then + echo "Connected with blank OTP" + exit 1 +@@ -247,7 +247,7 @@ for (( COUNT=1; COUNT <= 3; COUNT++ )); do + echo "$USERNAME-stage$COUNT" + fi + done +-} | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} -b --cookieonly >/dev/null 2>&1) ++} | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} -b --cookieonly >/dev/null 2>&1) + if test $? == 0; then + echo "Successful connection with the number of OTP retries greater than allowed by the ban system (default 30)." 
+ ${OCCTL} -s ${OCCTL_SOCKET} show ip ban points +@@ -265,7 +265,7 @@ for (( COUNT=1; COUNT <= 17; COUNT++ )); do + sleep 0.5 + echo "$USERNAME-stage$COUNT" + done +-} | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} -b --cookieonly >/dev/null 2>&1) ++} | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} -b --cookieonly >/dev/null 2>&1) + if test $? == 0; then + echo "Connected to server - MAX_CHALLENGES test failed" + exit 1 +diff --git a/tests/test-append-routes b/tests/test-append-routes +index be71d22..923d0aa 100755 +--- a/tests/test-append-routes ++++ b/tests/test-append-routes +@@ -41,7 +41,7 @@ wait_server $PID + + echo "Checking if routes are appended... " + +-timeout 15s $OPENCONNECT localhost:$PORT -v --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert-testuser.pem --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s /bin/true ${TMPFILE1} 2>&1 ++timeout 15s $OPENCONNECT localhost:$PORT -v --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert-testuser.pem --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s /bin/true ${TMPFILE1} 2>&1 + + echo "cat" + cat ${TMPFILE1} +diff --git a/tests/test-ban b/tests/test-ban +index eb6a874..be4695a 100755 +--- a/tests/test-ban ++++ b/tests/test-ban +@@ -59,15 +59,15 @@ ${CMDNS2} ${SERV} -p ${PIDFILE} -f -c ${CONFIG} ${DEBUG} & PID=$! + sleep 4 + + echo "Connecting with wrong password 5 times... 
" +-echo "notest" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 +-echo "notest" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 +-echo "notest" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 +-echo "notest" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 +-echo "notest" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 ++echo "notest" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= ++echo "notest" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= ++echo "notest" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= ++echo "notest" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= ++echo "notest" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= + + echo "" + echo "Connecting with correct password... 
" +-eval `echo "test" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3` ++eval `echo "test" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8=` + + if [ -n "$COOKIE" ];then + fail $PID "Obtained cookie although should have been banned" +@@ -90,7 +90,7 @@ sleep 25 + echo "" + + echo "Connecting with correct password after ban time... " +-eval `echo "test" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3` ++eval `echo "test" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8=` + + if [ -z "$COOKIE" ];then + fail $PID "Could not obtain cookie even though ban should be lifted" +@@ -99,16 +99,16 @@ fi + echo "" + echo "Checking ban reset time... 
" + +-echo "notest" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 +-echo "notest" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 +-echo "notest" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 +-echo "notest" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 ++echo "notest" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= ++echo "notest" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= ++echo "notest" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= ++echo "notest" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= + sleep 11 +-echo "notest" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 ++echo "notest" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= + + echo "" + echo "Connecting with correct password after ban reset time... 
" +-eval `echo "test" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3` ++eval `echo "test" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8=` + + if [ -z "$COOKIE" ];then + fail $PID "Could not obtain cookie even though ban should be lifted" +diff --git a/tests/test-ban-local b/tests/test-ban-local +index d2a4397..fbe0eb2 100755 +--- a/tests/test-ban-local ++++ b/tests/test-ban-local +@@ -60,15 +60,15 @@ ${SERV} -p ${PIDFILE} -f -c ${CONFIG} ${DEBUG} & PID=$! + sleep 4 + + echo "Connecting with wrong password 5 times... " +-echo "notest" | ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 +-echo "notest" | ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 +-echo "notest" | ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 +-echo "notest" | ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 +-echo "notest" | ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 ++echo "notest" | ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= ++echo "notest" | ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= ++echo "notest" | ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= ++echo "notest" | 
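Review bot: The `if [ -z "$COOKIE" ]` check after the `eval` in this "after ban reset time" hunk of tests/test-ban can pass on a stale value: `COOKIE` was populated by the earlier "after ban time" connection (the `@@ -90,7 +90,7 @@` hunk) and nothing visible clears it, so if this `openconnect --authenticate` run prints nothing the old cookie survives and the test reports success for a connection that never happened. Unless a line between the hunks resets it, `unset COOKIE` immediately before each `eval` would make every check reflect the run it follows; the same applies to the `-90` hunk, which relies on the preceding banned attempt having left `COOKIE` empty. More generally `eval` executes every line the client prints, and the banned/failed cases are exactly where that output is least predictable, so extracting only the `COOKIE=` assignment from captured output would be the more defensive shape, though the current form is contained by the pinned, locally started server. The script's surrounding control flow is outside the hunk.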
${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= ++echo "notest" | ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= + + echo "" + echo "Connecting with correct password... " +-eval `echo "test" | ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3` ++eval `echo "test" | ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8=` + + if [ -z "$COOKIE" ];then + fail $PID "Could not obtain cookie even though client should be exempt" +diff --git a/tests/test-cert b/tests/test-cert +index 41362aa..7967193 100755 +--- a/tests/test-cert ++++ b/tests/test-cert +@@ -49,19 +49,19 @@ PID=$! + wait_server $PID + + echo -n "Connecting to obtain cookie (without certificate)... " +-( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly /dev/null 2>&1 ) && ++( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly /dev/null 2>&1 ) && + fail $PID "Connected without certificate!" + + echo "ok (failed as expected)" + + echo -n "Connecting to obtain cookie (with invalid certificate)... 
" +-( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey "${srcdir}/certs/user-key.pem" -c "${srcdir}/certs/user-cert-invalid.pem" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly /dev/null 2>&1 ) && ++( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey "${srcdir}/certs/user-key.pem" -c "${srcdir}/certs/user-cert-invalid.pem" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly /dev/null 2>&1 ) && + fail $PID "Connected with invalid certificate!" + + echo "ok (failed as expected)" + + echo -n "Connecting to obtain cookie (with certificate)... " +-( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey "${srcdir}/certs/user-key.pem" -c "${srcdir}/certs/user-cert.pem" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly /dev/null 2>&1 ) || ++( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey "${srcdir}/certs/user-key.pem" -c "${srcdir}/certs/user-cert.pem" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly /dev/null 2>&1 ) || + fail $PID "Could not connect with certificate!" + + echo ok +@@ -80,7 +80,7 @@ kill -HUP $PID + sleep 5 + + echo -n "Connecting to obtain cookie (with DER CRL)... " +-( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey "${srcdir}/certs/user-key.pem" -c "${srcdir}/certs/user-cert.pem" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly /dev/null 2>&1 ) || ++( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey "${srcdir}/certs/user-key.pem" -c "${srcdir}/certs/user-cert.pem" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly /dev/null 2>&1 ) || + fail $PID "Could not connect with certificate!" + + echo ok +@@ -99,13 +99,13 @@ kill -HUP $PID + sleep 5 + + echo -n "Connecting to obtain cookie (with revoked certificate)... 
" +-( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey "${srcdir}/certs/user-key.pem" -c "${srcdir}/certs/user-cert.pem" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly /dev/null 2>&1 ) && ++( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey "${srcdir}/certs/user-key.pem" -c "${srcdir}/certs/user-cert.pem" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly /dev/null 2>&1 ) && + fail $PID "Connected with revoked certificate!" + + echo "ok (failed as expected)" + + #echo "Normal connection... " +-#( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --script=/bin/true ) || ++#( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --script=/bin/true ) || + # fail $PID "Could not connect to server" + + rm -f "${CRLNAME}" "${CRLTMPLNAME}" +diff --git a/tests/test-cert-opt-pass b/tests/test-cert-opt-pass +index 18893d3..0109ef2 100755 +--- a/tests/test-cert-opt-pass ++++ b/tests/test-cert-opt-pass +@@ -34,7 +34,7 @@ opts=$1 + pass=$2 + rm -f ${OUTFILE} + +-echo "$pass" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT $opts --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --authenticate >${OUTFILE} 2>&1 ++echo "$pass" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT $opts --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --authenticate >${OUTFILE} 2>&1 + if test $? != 0;then + cat ${OUTFILE} + return 1 +diff --git a/tests/test-client-bypass-protocol b/tests/test-client-bypass-protocol +index 09f3cb2..14cb5a5 100755 +--- a/tests/test-client-bypass-protocol ++++ b/tests/test-client-bypass-protocol +@@ -43,7 +43,7 @@ PID=$! + wait_server $PID + + echo -n "Connecting... 
" +-timeout 15s $OPENCONNECT -v localhost:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert-testuser.pem --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s /bin/true ${TMPFILE} 2>&1 ++timeout 15s $OPENCONNECT -v localhost:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert-testuser.pem --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s /bin/true ${TMPFILE} 2>&1 + + echo ok + +@@ -68,7 +68,7 @@ PID=$! + wait_server $PID + + echo -n "Reconnecting..." +-timeout 15s $OPENCONNECT -v localhost:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert-testuser.pem --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s /bin/true ${TMPFILE} 2>&1 ++timeout 15s $OPENCONNECT -v localhost:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert-testuser.pem --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s /bin/true ${TMPFILE} 2>&1 + + echo ok + +diff --git a/tests/test-config-per-group b/tests/test-config-per-group +index 4a8bd60..6b8929a 100755 +--- a/tests/test-config-per-group ++++ b/tests/test-config-per-group +@@ -81,7 +81,7 @@ ${CMDNS2} ${SERV} -p ${PIDFILE} -f -c ${CONFIG} ${DEBUG} & + sleep 4 + + echo " * Connecting with user NOT in group..." +-( echo "${PASSWORD}" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b ) ++( echo "${PASSWORD}" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b ) + if test $? != 0;then + echo "Could not connect to server" + exit 1 +@@ -129,7 +129,7 @@ sleep 2 + USERNAME=test + PASSWORD=test + echo " * Connecting with user in group to ${ADDRESS}:${PORT}..." 
+-( echo "${PASSWORD}" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b ) ++( echo "${PASSWORD}" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b ) + if test $? != 0;then + echo "Could not connect to server" + exit 1 +diff --git a/tests/test-cookie-invalidation b/tests/test-cookie-invalidation +index 5f77afa..a6f8cea 100755 +--- a/tests/test-cookie-invalidation ++++ b/tests/test-cookie-invalidation +@@ -35,7 +35,7 @@ launch_server -d 1 -f -c ${CONFIG} & PID=$! + wait_server $PID + + echo "Connecting to obtain cookie... " +-eval `echo "test" | $OPENCONNECT -q localhost:$PORT -u test --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3` ++eval `echo "test" | $OPENCONNECT -q localhost:$PORT -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8=` + + if [ -z "$COOKIE" ];then + fail $PID "Could not obtain cookie" +@@ -44,7 +44,7 @@ fi + #echo "Cookie: $COOKIE" + + echo "Connecting with cookie... " +-echo "test" | $OPENCONNECT -q localhost:$PORT -u test -C "$COOKIE" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --script=/bin/true --verbose --pid-file "${PIDFILE1}" --background >/dev/null 2>&1 ++echo "test" | $OPENCONNECT -q localhost:$PORT -u test -C "$COOKIE" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --script=/bin/true --verbose --pid-file "${PIDFILE1}" --background >/dev/null 2>&1 + + sleep 4 + +@@ -58,9 +58,9 @@ if test $? != 0;then + fi + + echo "Terminating and connecting again with same cookie... 
" +-#( echo "test" | $OPENCONNECT -q localhost:$PORT -u test -C "$COOKIE" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) || ++#( echo "test" | $OPENCONNECT -q localhost:$PORT -u test -C "$COOKIE" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) || + # fail $PID "Could not connect to server" +-echo "test" | $OPENCONNECT -q localhost:$PORT -b -u test -C "$COOKIE" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --script=/bin/true --verbose --pid-file "${PIDFILE2}" --background >/dev/null 2>&1 ++echo "test" | $OPENCONNECT -q localhost:$PORT -b -u test -C "$COOKIE" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --script=/bin/true --verbose --pid-file "${PIDFILE2}" --background >/dev/null 2>&1 + + sleep 4 + +@@ -82,9 +82,9 @@ rm -f "${PIDFILE2}" + sleep 18 + + echo "Proper termination and connecting again with same (invalidated) cookie... " +-#( echo "test" | $OPENCONNECT -q localhost:$PORT -u test -C "$COOKIE" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) || ++#( echo "test" | $OPENCONNECT -q localhost:$PORT -u test -C "$COOKIE" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) || + # fail $PID "Could not connect to server" +-echo "test" | $OPENCONNECT -q localhost:$PORT -b -u test -C "$COOKIE" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --script=/bin/true --verbose --pid-file "${PIDFILE2}" --background >/dev/null 2>&1 ++echo "test" | $OPENCONNECT -q localhost:$PORT -b -u test -C "$COOKIE" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --script=/bin/true --verbose --pid-file "${PIDFILE2}" --background >/dev/null 2>&1 + + sleep 4 + +diff --git a/tests/test-cookie-timeout b/tests/test-cookie-timeout +index 08081b2..b8b4dda 100755 +--- a/tests/test-cookie-timeout ++++ b/tests/test-cookie-timeout +@@ -34,7 +34,7 @@ launch_server -d 1 -f -c 
${CONFIG} & PID=$! + wait_server $PID + + echo "Connecting to obtain cookie... " +-eval `echo "test" | $OPENCONNECT -q localhost:$PORT -u test --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3` ++eval `echo "test" | $OPENCONNECT -q localhost:$PORT -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8=` + + if [ -z "$COOKIE" ];then + fail $PID "Could not obtain cookie" +@@ -44,7 +44,7 @@ fi + sleep 16 + echo "" + echo "Connecting with cookie... " +-echo "test" | $OPENCONNECT -q -b localhost:$PORT -u test -C "$COOKIE" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --script=/bin/true --verbose --pid-file "${PIDFILE}" --background ++echo "test" | $OPENCONNECT -q -b localhost:$PORT -u test -C "$COOKIE" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --script=/bin/true --verbose --pid-file "${PIDFILE}" --background + + sleep 4 + +@@ -59,7 +59,7 @@ rm -f "${PIDFILE}" + sleep 16 + echo "" + echo "Connecting again with cookie... " +-echo "test" | $OPENCONNECT -b -q localhost:$PORT -u test -C "$COOKIE" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --script=/bin/true --verbose --pid-file "${PIDFILE}" --background ++echo "test" | $OPENCONNECT -b -q localhost:$PORT -u test -C "$COOKIE" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --script=/bin/true --verbose --pid-file "${PIDFILE}" --background + + sleep 4 + +@@ -74,7 +74,7 @@ rm -f "${PIDFILE}" + sleep 16 + echo "" + echo "Connecting after forced kill with cookie... 
" +-echo "test" | $OPENCONNECT -b -q localhost:$PORT -u test -C "$COOKIE" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --script=/bin/true --verbose --pid-file "${PIDFILE}" --background ++echo "test" | $OPENCONNECT -b -q localhost:$PORT -u test -C "$COOKIE" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --script=/bin/true --verbose --pid-file "${PIDFILE}" --background + + sleep 4 + +@@ -90,7 +90,7 @@ rm -f "${PIDFILE}" + sleep 45 + echo "" + echo "Connecting with cookie after expiration... " +-echo "test" | $OPENCONNECT -q -b localhost:$PORT -u test -C "$COOKIE" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --script=/bin/true --verbose --pid-file "${PIDFILE}" --background ++echo "test" | $OPENCONNECT -q -b localhost:$PORT -u test -C "$COOKIE" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --script=/bin/true --verbose --pid-file "${PIDFILE}" --background + + sleep 4 + +@@ -104,7 +104,7 @@ fi + # test cookie verification after cookie verification failure. That is to verify whether + # the channel between main and sec-mod is in consistent state. + echo "Connecting (again) to obtain cookie... " +-echo "test" | $OPENCONNECT -q localhost:$PORT -u test --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 ++echo "test" | $OPENCONNECT -q localhost:$PORT -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= + + if test $? != 0;then + fail $PID "Could not obtain cookie" +diff --git a/tests/test-cookie-timeout-2 b/tests/test-cookie-timeout-2 +index fbeba81..4161eb6 100755 +--- a/tests/test-cookie-timeout-2 ++++ b/tests/test-cookie-timeout-2 +@@ -33,7 +33,7 @@ launch_server -d 1 -f -c ${CONFIG} & PID=$! + wait_server $PID + + echo "Connecting to obtain cookie... 
" +-eval `echo "test" | $OPENCONNECT -q localhost:$PORT -u test --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3` ++eval `echo "test" | $OPENCONNECT -q localhost:$PORT -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8=` + + if [ -z "$COOKIE" ];then + fail $PID "Could not obtain cookie" +@@ -43,7 +43,7 @@ fi + sleep 10 + echo "" + echo "Connecting with cookie... " +-echo "test" | $OPENCONNECT -q -b localhost:$PORT -u test -C "$COOKIE" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --script=/bin/true --verbose --pid-file ${srcdir}/pid.$$ --background ++echo "test" | $OPENCONNECT -q -b localhost:$PORT -u test -C "$COOKIE" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --script=/bin/true --verbose --pid-file ${srcdir}/pid.$$ --background + + sleep 4 + +@@ -58,7 +58,7 @@ rm -f "${srcdir}/pid2.$$" + sleep 30 + echo "" + echo "Connecting again with cookie (overriding first session)... " +-echo "test" | $OPENCONNECT -b -q localhost:$PORT -u test -C "$COOKIE" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --script=/bin/true --verbose --pid-file ${srcdir}/pid2.$$ --background ++echo "test" | $OPENCONNECT -b -q localhost:$PORT -u test -C "$COOKIE" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --script=/bin/true --verbose --pid-file ${srcdir}/pid2.$$ --background + + sleep 6 + +diff --git a/tests/test-enc-key b/tests/test-enc-key +index 0ca6249..5d65b62 100755 +--- a/tests/test-enc-key ++++ b/tests/test-enc-key +@@ -33,7 +33,7 @@ launch_sr_server -d 1 -f -c ${CONFIG} & PID=$! + wait_server $PID + + echo "Connecting to obtain cookie... 
" +-( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) || ++( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) || + fail $PID "Could not receive cookie from server" + + cleanup +@@ -48,7 +48,7 @@ launch_sr_server -d 1 -f -c ${CONFIG} & PID=$! + wait_server $PID + + echo "Connecting to obtain cookie... " +-( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) || ++( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) || + fail $PID "Could not receive cookie from server" + + cleanup +diff --git a/tests/test-explicit-ip b/tests/test-explicit-ip +index bfd1a9d..41d4665 100755 +--- a/tests/test-explicit-ip ++++ b/tests/test-explicit-ip +@@ -31,13 +31,13 @@ connect() + opts=$1 + pass=$2 + COOKIE='' +-eval `echo "$pass" | $OPENCONNECT -q localhost:$PORT $opts --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --authenticate` ++eval `echo "$pass" | $OPENCONNECT -q localhost:$PORT $opts --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --authenticate` + if [ -z "$COOKIE" ];then + return 1 + fi + + rm -f $TMPFILE +-echo "$pass" | $OPENCONNECT -q localhost:$PORT $opts -C "$COOKIE" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --script=/bin/true --verbose --pid-file ${srcdir}/pidx >$TMPFILE 2>&1 & ++echo "$pass" | $OPENCONNECT -q localhost:$PORT $opts -C "$COOKIE" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --script=/bin/true --verbose --pid-file ${srcdir}/pidx >$TMPFILE 2>&1 & + CPID=$! 
+ + sleep 3 +diff --git a/tests/test-group-pass b/tests/test-group-pass +index 1530f43..7a78237 100755 +--- a/tests/test-group-pass ++++ b/tests/test-group-pass +@@ -33,19 +33,19 @@ launch_sr_server -d 1 -f -c ${CONFIG} & PID=$! + wait_server $PID + + echo "Connecting to obtain cookie... " +-( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --authgroup group1 --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) || ++( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --authgroup group1 --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) || + fail $PID "Could not receive cookie from server" + + echo "Connecting to obtain cookie... " +-( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --authgroup group2 --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) || ++( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --authgroup group2 --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) || + fail $PID "Could not receive cookie from server" + + echo "Connecting to obtain cookie... " +-( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --authgroup group2 --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) || ++( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --authgroup group2 --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) || + fail $PID "Could not receive cookie from server" + + echo "Connecting to obtain cookie with wrong groupname... 
" +-( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --authgroup group4 --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) && ++( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --authgroup group4 --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) && + fail $PID "Received cookie when we shouldn't" + + cleanup +diff --git a/tests/test-gssapi-opt-cert b/tests/test-gssapi-opt-cert +index 0ef2d55..5cf1105 100755 +--- a/tests/test-gssapi-opt-cert ++++ b/tests/test-gssapi-opt-cert +@@ -29,7 +29,7 @@ opts=$1 + pass=$2 + rm -f ${OUTFILE} + +-echo "$pass" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT $opts --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --authenticate >${OUTFILE} 2>&1 ++echo "$pass" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT $opts --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --authenticate >${OUTFILE} 2>&1 + if test $? != 0;then + cat ${OUTFILE} + return 1 +diff --git a/tests/test-gssapi-opt-pass b/tests/test-gssapi-opt-pass +index 8999d30..b6ebd11 100755 +--- a/tests/test-gssapi-opt-pass ++++ b/tests/test-gssapi-opt-pass +@@ -29,7 +29,7 @@ opts=$1 + pass=$2 + rm -f ${OUTFILE} + +-echo "$pass" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT $opts --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --authenticate >${OUTFILE} 2>&1 ++echo "$pass" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT $opts --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --authenticate >${OUTFILE} 2>&1 + if test $? != 0;then + cat ${OUTFILE} + return 1 +diff --git a/tests/test-iroute b/tests/test-iroute +index d7b5f52..caf0a92 100755 +--- a/tests/test-iroute ++++ b/tests/test-iroute +@@ -34,13 +34,13 @@ launch_server -d 1 -f -c "${CONFIG}" & PID=$! 
+ wait_server $PID + + echo -n "Connecting to obtain cookie (with certificate)... " +-( $OPENCONNECT -q localhost:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert.pem --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly /dev/null 2>&1 ) || ++( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert.pem --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly /dev/null 2>&1 ) || + fail $PID "Could not connect with certificate!" + + echo ok +@@ -47,7 +47,7 @@ kill -USR2 $PID + sleep 5 + + echo -n "Connecting to obtain cookie (with certificate)... " +-( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert.pem --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly /dev/null 2>&1 ) || ++( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert.pem --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly /dev/null 2>&1 ) || + fail $PID "Could not connect with certificate!" + + echo ok +@@ -58,7 +58,7 @@ kill -USR2 $PID + sleep 5 + + echo -n "Connecting to obtain cookie (with certificate)... " +-( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert.pem --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly /dev/null 2>&1 ) || ++( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert.pem --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly /dev/null 2>&1 ) || + fail $PID "Could not connect with certificate!" 
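Review bot: The first replaced line of the tests/test-iroute hunk (`@@ -34,13 +34,13 @@`) changes more than the server-certificate pin: it also wraps the client in `LD_PRELOAD=libsocket_wrapper.so` and replaces `localhost:$PORT` with `$ADDRESS:$PORT`, while every other line in this patch only swaps the SHA-1 fingerprint for the pin-sha256 value. That brings the line in line with the later checks in the same script, which already use socket_wrapper and `$ADDRESS`, so it is presumably intentional, but it is easy to miss in a patch this uniform. A short remark in the patch header that test-iroute's first connection is also moved under socket_wrapper would help whoever rebases this later. Whether `$ADDRESS` is set early enough in test-iroute cannot be seen from this hunk.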
+ + echo ok +diff --git a/tests/test-max-same-1 b/tests/test-max-same-1 +index 5146483..ec19c0d 100755 +--- a/tests/test-max-same-1 ++++ b/tests/test-max-same-1 +@@ -47,7 +47,7 @@ launch_server -d 1 -f -c ${CONFIG} & PID=$! + wait_server $PID + + echo "Connecting to obtain cookie... " +-eval `echo "test" | $OPENCONNECT -q localhost:$PORT -u test --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3` ++eval `echo "test" | $OPENCONNECT -q localhost:$PORT -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8=` + + if [ -z "$COOKIE" ];then + echo "Could not obtain cookie" +@@ -57,12 +57,12 @@ fi + #echo "Cookie: $COOKIE" + + echo "Connecting with cookie... " +-echo "test" | $OPENCONNECT -q localhost:$PORT -u test -C "$COOKIE" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --script=/bin/true --verbose --pid-file "${PIDFILE1}" --background ++echo "test" | $OPENCONNECT -q localhost:$PORT -u test -C "$COOKIE" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --script=/bin/true --verbose --pid-file "${PIDFILE1}" --background + + sleep 4 + + echo "Connecting again with same cookie... " +-echo "test" | $OPENCONNECT -q localhost:$PORT -b -u test -C "$COOKIE" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --script=/bin/true --verbose --pid-file "${PIDFILE2}" --background ++echo "test" | $OPENCONNECT -q localhost:$PORT -b -u test -C "$COOKIE" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --script=/bin/true --verbose --pid-file "${PIDFILE2}" --background + + sleep 4 + +diff --git a/tests/test-multi-cookie b/tests/test-multi-cookie +index 83c9cb5..7581f9c 100755 +--- a/tests/test-multi-cookie ++++ b/tests/test-multi-cookie +@@ -47,7 +47,7 @@ launch_server -d 1 -f -c "${CONFIG}" & PID=$! + wait_server $PID + + echo "Connecting to obtain cookie... 
" +-eval `echo "test" | $OPENCONNECT -q localhost:$PORT -u test --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3` ++eval `echo "test" | $OPENCONNECT -q localhost:$PORT -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8=` + + if [ -z "$COOKIE" ];then + echo "Could not obtain cookie" +@@ -57,12 +57,12 @@ fi + #echo "Cookie: $COOKIE" + + echo "Connecting with cookie... " +-echo "test" | $OPENCONNECT -q localhost:$PORT -u test -C "$COOKIE" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --script=/bin/true --verbose --pid-file "${PIDFILE1}" --background ++echo "test" | $OPENCONNECT -q localhost:$PORT -u test -C "$COOKIE" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --script=/bin/true --verbose --pid-file "${PIDFILE1}" --background + + sleep 4 + + echo "Connecting again with same cookie... " +-echo "test" | $OPENCONNECT -q localhost:$PORT -b -u test -C "$COOKIE" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --script=/bin/true --verbose --pid-file "${PIDFILE2}" --background ++echo "test" | $OPENCONNECT -q localhost:$PORT -b -u test -C "$COOKIE" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --script=/bin/true --verbose --pid-file "${PIDFILE2}" --background + + sleep 4 + +diff --git a/tests/test-multiple-client-ip b/tests/test-multiple-client-ip +index 0e799e0..76099fe 100755 +--- a/tests/test-multiple-client-ip ++++ b/tests/test-multiple-client-ip +@@ -84,14 +84,14 @@ sleep 4 + + # Run client 1 + echo " * Getting cookie from ${ADDRESS}:${PORT}..." +-( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly ) ++( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly ) + if test $? 
!= 0;then + echo "Could not get cookie from server" + exit 1 + fi + + echo " * Connecting to ${ADDRESS}:${PORT}..." +-( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b ) ++( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b ) + if test $? != 0;then + echo "Could not connect to server" + exit 1 +@@ -99,14 +99,14 @@ fi + + # Run client 2 + echo " * Getting cookie from ${ADDRESS}:${PORT}..." +-( echo "test" | ${CMDNS3} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly ) ++( echo "test" | ${CMDNS3} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly ) + if test $? != 0;then + echo "Could not get cookie from server" + exit 1 + fi + + echo " * Connecting to ${ADDRESS}:${PORT}..." +-( echo "test" | ${CMDNS3} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID2} --passwd-on-stdin -b ) ++( echo "test" | ${CMDNS3} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID2} --passwd-on-stdin -b ) + if test $? != 0;then + echo "Could not connect to server" + exit 1 +diff --git a/tests/test-namespace-listen b/tests/test-namespace-listen +index 9691b28..81c3e86 100755 +--- a/tests/test-namespace-listen ++++ b/tests/test-namespace-listen +@@ -77,7 +77,7 @@ if test $? 
!= 0; then + fi + + echo " connecting to server" +-(echo "test" | ${CMDNS3} $OPENCONNECT $ADDRESS:$PORT -u "test" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --pid-file=${CLIPID} -b) || ++(echo "test" | ${CMDNS3} $OPENCONNECT $ADDRESS:$PORT -u "test" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --pid-file=${CLIPID} -b) || + fail $PID "could not connect to server" + sleep 5 + +diff --git a/tests/test-otp b/tests/test-otp +index 5209b0a..ed1fe94 100755 +--- a/tests/test-otp ++++ b/tests/test-otp +@@ -45,27 +45,27 @@ launch_sr_server -d 1 -f -c ${CONFIG} & PID=$! + wait_server $PID + + echo -n "Connecting with wrong username... " +-( echo -e "test\n328482\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u falsetest --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) && ++( echo -e "test\n328482\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u falsetest --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) && + fail $PID "Connected with wrong username!" + echo ok + + echo -n "Connecting with wrong OTP... " +-( echo -e "test\n999482\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) && ++( echo -e "test\n999482\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) && + fail $PID "Should not have connected with wrong OTP!" + echo ok + + echo -n "Connecting with correct password and OTP... 
" +-( echo -e "test\n328482\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) || ++( echo -e "test\n328482\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) || + fail $PID "Could not connect with OTP!" + echo ok + + echo -n "Connecting with empty password and wrong OTP... " +-( echo -e "999999\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u testuser --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) && ++( echo -e "999999\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u testuser --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) && + fail $PID "Should have not connected with wrong OTP!" + echo ok + + echo -n "Connecting with empty password and OTP... " +-( echo -e "328482\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u testuser --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) || ++( echo -e "328482\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u testuser --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) || + fail $PID "Could not connect with OTP-only!" + echo ok + +diff --git a/tests/test-otp-cert b/tests/test-otp-cert +index c8dc12c..61a71db 100755 +--- a/tests/test-otp-cert ++++ b/tests/test-otp-cert +@@ -45,22 +45,22 @@ launch_sr_server -d 1 -f -c ${CONFIG} & PID=$! + wait_server $PID + + echo -n "Connecting to obtain cookie (without certificate)... 
" +-( echo -e "test\n328482\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) && ++( echo -e "test\n328482\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) && + fail $PID "Connected without certificate!" + echo ok + + echo -n "Connecting to obtain cookie (with incorrect certificate)... " +-( echo -e "test\n328482\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert-wrong.pem -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) && ++( echo -e "test\n328482\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert-wrong.pem -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) && + fail $PID "Should not have connected with wrong certificate!" + echo ok + + echo -n "Connecting to obtain cookie (with certificate)... " +-( echo -e "test\n328482\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert.pem -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) || ++( echo -e "test\n328482\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert.pem -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) || + fail $PID "Could not connect with certificate!" + echo ok + + echo -n "Connecting to obtain cookie (with no pass and certificate)... 
" +-( echo -e "328482\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert-testuser.pem -u testuser --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) || ++( echo -e "328482\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert-testuser.pem -u testuser --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) || + fail $PID "Could not connect with certificate!" + echo ok + +diff --git a/tests/test-pam b/tests/test-pam +index 8ec787a..561a140 100755 +--- a/tests/test-pam ++++ b/tests/test-pam +@@ -37,22 +37,22 @@ wait_server $PID + + echo "" + echo "Connecting with wrong password... " +-( echo -e "testuser\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -v $ADDRESS:$PORT --authgroup group2 -u testuser --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) && ++( echo -e "testuser\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -v $ADDRESS:$PORT --authgroup group2 -u testuser --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) && + fail $PID "Received cookie with wrong cred" + + echo "" + echo "Connecting with empty password... " +-( echo -e "\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -v $ADDRESS:$PORT --authgroup group2 -u testuser --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) && ++( echo -e "\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -v $ADDRESS:$PORT --authgroup group2 -u testuser --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) && + fail $PID "Received cookie with wrong cred" + + echo "" + echo "Connecting with wrong username... 
" +-( echo -e "testuser123\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -v $ADDRESS:$PORT --authgroup group2 -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) && ++( echo -e "testuser123\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -v $ADDRESS:$PORT --authgroup group2 -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) && + fail $PID "Received cookie with wrong cred" + + echo "" + echo "Connecting with correct password... " +-( echo -e "testuser123\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -v $ADDRESS:$PORT --authgroup group2 -u testuser --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly ) ||#>/dev/null 2>&1 ) || ++( echo -e "testuser123\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -v $ADDRESS:$PORT --authgroup group2 -u testuser --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly ) ||#>/dev/null 2>&1 ) || + fail $PID "Could not receive cookie from server" + + cleanup +diff --git a/tests/test-pam-noauth b/tests/test-pam-noauth +index dc8dd3d..1f67371 100755 +--- a/tests/test-pam-noauth ++++ b/tests/test-pam-noauth +@@ -35,19 +35,19 @@ launch_sr_pam_server -d 1 -f -c ${CONFIG} & PID=$! + wait_server $PID + + echo "Connecting with correct password but no PAM user... " +-( echo -e "test\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u xtest --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) && ++( echo -e "test\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u xtest --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) && + fail $PID "Received cookie with non existing user" + + echo "Connecting with incorrect password (correct in PAM) and existing user... 
" +-( echo -e "testuser123\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u testuser --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) && ++( echo -e "testuser123\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u testuser --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) && + fail $PID "Received cookie with non existing user" + + echo "Connecting with empty password (correct in PAM) and existing user... " +-( echo -e "\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u testuser --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) && ++( echo -e "\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u testuser --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) && + fail $PID "Received cookie with non existing user" + + echo "Connecting with correct password and existing user... " +-( echo -e "test\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u testuser --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly ) ||#>/dev/null 2>&1 ) || ++( echo -e "test\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u testuser --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly ) ||#>/dev/null 2>&1 ) || + fail $PID "Could not receive cookie from server" + + cleanup +diff --git a/tests/test-pass b/tests/test-pass +index 9d5484a..5aaaf48 100755 +--- a/tests/test-pass ++++ b/tests/test-pass +@@ -34,39 +34,39 @@ launch_sr_server -d 1 -p ${PIDFILE} -f -c ${CONFIG} & PID=$! + wait_server $PID + + echo "Connecting to obtain cookie... 
" +-( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly ) || ++( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly ) || + fail $PID "Could not receive cookie from server" + + echo "Connecting to obtain cookie with wrong password... " +-( echo "tost" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) && ++( echo "tost" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) && + fail $PID "Received cookie when we shouldn't" + + echo "Connecting to obtain cookie with empty password... " +-( echo -e "\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) && ++( echo -e "\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) && + fail $PID "Received cookie when we shouldn't" + + echo "Connecting to obtain cookie with wrong username... " +-( echo "tost" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u tost --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) && ++( echo "tost" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u tost --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) && + fail $PID "Received cookie when we shouldn't" + + # test locked account + + echo "Connecting to obtain cookie with locked account... 
" +-( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u locked --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) && ++( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u locked --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) && + fail $PID "Received cookie when we shouldn't" + + #test special characters + + echo "Connecting to obtain cookie with special password... " +-( echo "!@#$%^&*()<>" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u "sp@c/al" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) || ++( echo "!@#$%^&*()<>" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u "sp@c/al" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) || + fail $PID "Could not receive cookie from server" + + echo "Connecting to obtain cookie with empty password... " +-( echo "" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u "empty" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) || ++( echo "" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u "empty" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) || + fail $PID "Could not receive cookie from server" + + #echo "Normal connection... " +-#( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --script=/bin/true ) || ++#( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --script=/bin/true ) || + # fail $PID "Could not connect to server" + + if ! 
test -f ${PIDFILE};then +diff --git a/tests/test-pass-cert b/tests/test-pass-cert +index 8050788..8d284b8 100755 +--- a/tests/test-pass-cert ++++ b/tests/test-pass-cert +@@ -34,26 +34,26 @@ launch_sr_server -d 1 -f -c ${CONFIG} & PID=$! + wait_server $PID + + echo -n "Connecting to obtain cookie (without certificate)... " +-( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) && ++( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) && + fail $PID "Connected without certificate!" + + echo ok + + echo -n "Connecting to obtain cookie (with certificate)... " +-( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert.pem -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) || ++( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert.pem -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) || + fail $PID "Could not connect with certificate!" + + echo ok + + echo -n "Connecting to obtain cookie (with incorrect certificate)... 
" +-( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert-wrong.pem -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) && ++( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert-wrong.pem -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) && + fail $PID "Should not have connected with wrong certificate!" + + echo ok + + + #echo "Normal connection... " +-#( echo "test" | $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --script=/bin/true ) || ++#( echo "test" | $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --script=/bin/true ) || + # fail $PID "Could not connect to server" + + cleanup +diff --git a/tests/test-pass-group-cert b/tests/test-pass-group-cert +index ff64993..e559ac6 100755 +--- a/tests/test-pass-group-cert ++++ b/tests/test-pass-group-cert +@@ -33,37 +33,37 @@ launch_sr_server -d 1 -f -c ${CONFIG} & PID=$! + wait_server $PID + + echo -n "Connecting to obtain cookie (without certificate)... " +-( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT --authgroup group1 -q $ADDRESS:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) && ++( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT --authgroup group1 -q $ADDRESS:$PORT -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) && + fail $PID "Connected without certificate!" + + echo ok + + echo -n "Connecting to obtain cookie - group1 (with certificate)... 
" +-( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT --authgroup group1 -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-group-key.pem -c ${srcdir}/certs/user-group-cert.pem -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) || ++( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT --authgroup group1 -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-group-key.pem -c ${srcdir}/certs/user-group-cert.pem -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) || + fail $PID "Could not connect with certificate!" + + echo ok + + echo -n "Connecting to obtain cookie - DEFAULT (with certificate)... " +-( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT --authgroup DEFAULT -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-group-key.pem -c ${srcdir}/certs/user-group-cert.pem -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) || ++( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT --authgroup DEFAULT -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-group-key.pem -c ${srcdir}/certs/user-group-cert.pem -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) || + fail $PID "Could not connect with certificate!" + + echo ok + + echo -n "Connecting to obtain cookie - group2 (with certificate)... 
" +-( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT --authgroup group2 -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-group-key.pem -c ${srcdir}/certs/user-group-cert.pem -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) || ++( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT --authgroup group2 -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-group-key.pem -c ${srcdir}/certs/user-group-cert.pem -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) || + fail $PID "Could not connect with certificate!" + + echo ok + + echo -n "Connecting to obtain cookie - group3 (hidden) (with certificate)... " +-( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT --authgroup group3 -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-group-key.pem -c ${srcdir}/certs/user-group-cert.pem -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) || ++( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT --authgroup group3 -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-group-key.pem -c ${srcdir}/certs/user-group-cert.pem -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) || + fail $PID "Could not connect with certificate!" + + echo ok + + echo -n "Connecting to obtain cookie - group4 (with certificate)... 
" +-( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT --authgroup group4 -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-group-key.pem -c ${srcdir}/certs/user-group-cert.pem -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) && ++( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT --authgroup group4 -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-group-key.pem -c ${srcdir}/certs/user-group-cert.pem -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) && + fail $PID "Got cookie when it shouldn't!" + + echo ok +diff --git a/tests/test-pass-group-cert-no-pass b/tests/test-pass-group-cert-no-pass +index bc39b45..401b24f 100755 +--- a/tests/test-pass-group-cert-no-pass ++++ b/tests/test-pass-group-cert-no-pass +@@ -33,25 +33,25 @@ launch_sr_server -d 1 -f -c ${CONFIG} & PID=$! + wait_server $PID + + echo -n "Connecting to obtain cookie (without certificate)... " +-LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT --authgroup group1 -q $ADDRESS:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 && ++LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT --authgroup group1 -q $ADDRESS:$PORT -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 && + fail $PID "Connected without certificate!" + + echo ok + + echo -n "Connecting to obtain cookie - group1 (with certificate)... 
" +-LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT --authgroup group1 -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-group-key.pem -c ${srcdir}/certs/user-group-cert.pem -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 || ++LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT --authgroup group1 -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-group-key.pem -c ${srcdir}/certs/user-group-cert.pem -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 || + fail $PID "Could not connect with certificate!" + + echo ok + + echo -n "Connecting to obtain cookie - group2 (with certificate)... " +-LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT --authgroup group2 -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-group-key.pem -c ${srcdir}/certs/user-group-cert.pem -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 || ++LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT --authgroup group2 -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-group-key.pem -c ${srcdir}/certs/user-group-cert.pem -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 || + fail $PID "Could not connect with certificate!" + + echo ok + + echo -n "Connecting to obtain cookie - group3 (hidden) (with certificate)... " +-LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT --authgroup group3 -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-group-key.pem -c ${srcdir}/certs/user-group-cert.pem -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 || ++LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT --authgroup group3 -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-group-key.pem -c ${srcdir}/certs/user-group-cert.pem -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 || + fail $PID "Could not connect with certificate!" 
+ 
+ echo ok
+diff --git a/tests/test-pass-opt-cert b/tests/test-pass-opt-cert
+index ac9adc1..1836538 100755
+--- a/tests/test-pass-opt-cert
++++ b/tests/test-pass-opt-cert
+@@ -38,7 +38,7 @@ connect()
+ {
+ opts=$1
+ pass=$2
+-echo ${pass} | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT $opts --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --passwd-on-stdin --authenticate >${TMPFILE}
++echo ${pass} | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT $opts --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --passwd-on-stdin --authenticate >${TMPFILE}
+ if test $? != 0;then
+ cat ${TMPFILE}
+ return 1
+diff --git a/tests/test-pass-script b/tests/test-pass-script
+index 89a4094..0f18551 100755
+--- a/tests/test-pass-script
++++ b/tests/test-pass-script
+@@ -67,7 +67,7 @@ launch_server -d 1 -f -c "${CONFIG}" & PID=$!
+ wait_server $PID
+ 
+ echo " * Connecting to obtain cookie with wrong username... "
+-( echo "tost" | $OPENCONNECT -q localhost:$PORT -u tost --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) &&
++( echo "tost" | $OPENCONNECT -q localhost:$PORT -u tost --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) &&
+ fail $PID "Received cookie when we shouldn't"
+ 
+ rm -f ${builddir}/connect.ok
+@@ -76,11 +76,11 @@ rm -f ${builddir}/host-update.ok
+ #test special characters
+ 
+ echo " * Connecting to obtain cookie... "
+-( echo "!@#$%^&*()<>" | $OPENCONNECT -q localhost:$PORT -u "sp@c/al" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) ||
++( echo "!@#$%^&*()<>" | $OPENCONNECT -q localhost:$PORT -u "sp@c/al" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) ||
+ fail $PID "Could not receive cookie from server"
+ 
+ echo " * Re-connecting to force script run... "
+-echo "!@#$%^&*()<>" | timeout 7 $OPENCONNECT -q --local-hostname='mylocalname' localhost:$PORT -u "sp@c/al" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s /bin/true
++echo "!@#$%^&*()<>" | timeout 7 $OPENCONNECT -q --local-hostname='mylocalname' localhost:$PORT -u "sp@c/al" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s /bin/true
+ 
+ TIMEOUT=5
+ while ! test -f ${builddir}/disconnect.ok; do
+@@ -112,7 +112,7 @@ rm -f ${builddir}/disconnect.ok
+ rm -f ${builddir}/host-update.ok
+ 
+ echo " * Re-connecting to get cookie... "
+-echo "test2" | $OPENCONNECT -q localhost:$PORT -u "test2" --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s /bin/true >${PARAMSFILE}
++echo "test2" | $OPENCONNECT -q localhost:$PORT -u "test2" --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s /bin/true >${PARAMSFILE}
+ if test $? != 0;then
+ echo "Could not connect"
+ cat ${PARAMSFILE}
+@@ -127,7 +127,7 @@ fi
+ 
+ echo " * Re-connecting to force session stealing... "
+ eval "$(grep COOKIE ${PARAMSFILE})"
+-echo ${COOKIE}| $OPENCONNECT --local-hostname='mylocalname' localhost:$PORT -u "test2" --reconnect-timeout 0 --cookie-on-stdin --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s /bin/true --pid-file=${OPIDFILE} -b
++echo ${COOKIE}| $OPENCONNECT --local-hostname='mylocalname' localhost:$PORT -u "test2" --reconnect-timeout 0 --cookie-on-stdin --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s /bin/true --pid-file=${OPIDFILE} -b
+ 
+ echo " - Pausing client"
+ TIMEOUT=4
+@@ -156,7 +156,7 @@ rm -f ${builddir}/connect.ok
+ rm -f ${builddir}/disconnect.ok
+ 
+ echo " * Re-connecting to steal previous IP address... "
+-echo ${COOKIE} | $OPENCONNECT -q --local-hostname='mylocalname' localhost:$PORT -u "test2" --reconnect-timeout 0 --cookie-on-stdin --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s /bin/true --pid-file=${OPIDFILE2} -b
++echo ${COOKIE} | $OPENCONNECT -q --local-hostname='mylocalname' localhost:$PORT -u "test2" --reconnect-timeout 0 --cookie-on-stdin --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s /bin/true --pid-file=${OPIDFILE2} -b
+ 
+ echo " - Resuming (disconnected) client"
+ kill -s CONT $(cat ${OPIDFILE})
+@@ -205,7 +205,7 @@ done
+ sleep 5
+ echo " - Check server status"
+ 
+-( echo "!@#$%^&*()<>" | $OPENCONNECT --local-hostname='mylocalname' -q localhost:$PORT -u "sp@c/al" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) ||
++( echo "!@#$%^&*()<>" | $OPENCONNECT --local-hostname='mylocalname' -q localhost:$PORT -u "sp@c/al" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) ||
+ fail $PID "Could not receive cookie from server"
+ 
+ echo " - Killing server"
+diff --git a/tests/test-replay b/tests/test-replay
+index b8aa848..0533893 100755
+--- a/tests/test-replay
++++ b/tests/test-replay
+@@ -60,7 +60,7 @@ launch_server -d 9999 -f -c ${CONFIG} & PID=$!
+ wait_server $PID
+ 
+ echo "Connecting to obtain cookie... "
+-eval `echo "test" | $OPENCONNECT -q localhost:$PORT -u test --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3`
++eval `echo "test" | $OPENCONNECT -q localhost:$PORT -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8=`
+ 
+ if [ -z "$COOKIE" ];then
+ echo "Could not obtain cookie"
+@@ -70,7 +70,7 @@ fi
+ #echo "Cookie: $COOKIE"
+ 
+ echo "Connecting with cookie... "
+-echo "test" | $OPENCONNECT -q localhost:$PORT -u test -C "$COOKIE" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --verbose --pid-file "${PIDFILE1}" --background
++echo "test" | $OPENCONNECT -q localhost:$PORT -u test -C "$COOKIE" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --verbose --pid-file "${PIDFILE1}" --background
+ 
+ sleep 4
+ 
+diff --git a/tests/test-san-cert b/tests/test-san-cert
+index a5040ae..a41c331 100755
+--- a/tests/test-san-cert
++++ b/tests/test-san-cert
+@@ -49,25 +49,25 @@ PID=$!
+ wait_server $PID
+ 
+ echo -n "Connecting to obtain cookie (without certificate)... "
+-( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly /dev/null 2>&1 ) &&
++( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly /dev/null 2>&1 ) &&
+ fail $PID "Connected without certificate!"
+ 
+ echo "ok (failed as expected)"
+ 
+ echo -n "Connecting to obtain cookie (with invalid certificate)... "
+-( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey "${srcdir}/certs/user-key.pem" -c "${srcdir}/certs/user-cert-invalid.pem" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly /dev/null 2>&1 ) &&
++( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey "${srcdir}/certs/user-key.pem" -c "${srcdir}/certs/user-cert-invalid.pem" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly /dev/null 2>&1 ) &&
+ fail $PID "Connected with invalid certificate!"
+ 
+ echo "ok (failed as expected)"
+ 
+ echo -n "Connecting to obtain cookie (with certificate - no SAN)... "
+-( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey "${srcdir}/certs/user-key.pem" -c "${srcdir}/certs/user-cert.pem" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly /dev/null 2>&1 ) &&
++( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey "${srcdir}/certs/user-key.pem" -c "${srcdir}/certs/user-cert.pem" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly /dev/null 2>&1 ) &&
+ fail $PID "Connected with invalid certificate!"
+ 
+ echo "ok (failed as expected)"
+ 
+ echo -n "Connecting to obtain cookie (with certificate - SAN)... "
+-( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey "${srcdir}/certs/user-key.pem" -c "${srcdir}/certs/user-san-cert.pem" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly /dev/null 2>&1 ) ||
++( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey "${srcdir}/certs/user-key.pem" -c "${srcdir}/certs/user-san-cert.pem" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly /dev/null 2>&1 ) ||
+ fail $PID "Failed to connect with certificate!"
+ 
+ echo ok
+diff --git a/tests/test-script-multi-user b/tests/test-script-multi-user
+index 6327a26..c0bfa3d 100755
+--- a/tests/test-script-multi-user
++++ b/tests/test-script-multi-user
+@@ -47,16 +47,16 @@ launch_sr_server -d 1 -f -c ${CONFIG} & PID=$!
+ wait_server $PID
+ 
+ echo "Connecting to force script block... "
+-echo "!@#$%^&*()<>" | timeout 60 $OPENCONNECT -q localhost:$PORT -u "sp@c/al" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s /bin/true &
++echo "!@#$%^&*()<>" | timeout 60 $OPENCONNECT -q localhost:$PORT -u "sp@c/al" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s /bin/true &
+ 
+ sleep 3
+ 
+ echo "Connecting to obtain cookie... "
+-( echo "${USERNAME}" | $OPENCONNECT -q localhost:$PORT -u "${USERNAME}" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) ||
++( echo "${USERNAME}" | $OPENCONNECT -q localhost:$PORT -u "${USERNAME}" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) ||
+ fail $PID "Could not receive cookie from server"
+ 
+ echo "Connecting in background... "
+-( echo "${USERNAME}" | timeout 15 $OPENCONNECT -q localhost:$PORT -u "${USERNAME}" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --background >/dev/null 2>&1 ) ||
++( echo "${USERNAME}" | timeout 15 $OPENCONNECT -q localhost:$PORT -u "${USERNAME}" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --background >/dev/null 2>&1 ) ||
+ fail $PID "Could not connect to server; probably blocked"
+ 
+ sleep 3
+diff --git a/tests/test-sighup b/tests/test-sighup
+index add538f..dd424e5 100755
+--- a/tests/test-sighup
++++ b/tests/test-sighup
+@@ -34,7 +34,7 @@ PID=$!
+ wait_server $PID
+ 
+ echo -n "Connecting to obtain cookie (with certificate)... "
+-( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert.pem --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly /dev/null 2>&1 ) ||
++( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert.pem --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly /dev/null 2>&1 ) ||
+ fail $PID "Could not connect with certificate!"
+ 
+ echo ok
+@@ -44,7 +44,7 @@ kill -HUP $PID
+ sleep 5
+ 
+ echo -n "Connecting to obtain cookie (with certificate)... "
+-( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert.pem --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly /dev/null 2>&1 ) ||
++( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert.pem --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly /dev/null 2>&1 ) ||
+ fail $PID "Could not connect with certificate!"
+ 
+ echo ok
+@@ -57,7 +57,7 @@ kill -HUP $PID
+ sleep 5
+ 
+ echo -n "Connecting to obtain cookie (with certificate)... "
+-( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert.pem --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly /dev/null 2>&1 ) &&
++( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert.pem --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly /dev/null 2>&1 ) &&
+ fail $PID "Could not connect with certificate!"
+ 
+ echo ok
+diff --git a/tests/test-stress b/tests/test-stress
+index 3816604..a2db96e 100755
+--- a/tests/test-stress
++++ b/tests/test-stress
+@@ -33,7 +33,7 @@ run_client() {
+ PASS=$1;
+ shift;
+ 
+- ( echo $PASS | $OPENCONNECT -q $HOST -u $USER --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s /bin/true >/dev/null 2>&1 ) ||
++ ( echo $PASS | $OPENCONNECT -q $HOST -u $USER --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s /bin/true >/dev/null 2>&1 ) ||
+ echo "$USER: Could not connect to server"
+ }
+ 
+diff --git a/tests/test-udp-listen-host b/tests/test-udp-listen-host
+index f3e6623..956938b 100755
+--- a/tests/test-udp-listen-host
++++ b/tests/test-udp-listen-host
+@@ -111,7 +111,7 @@ ${CMDNS2} ${HAPROXY} -f ${HACONFIG} -d & HAPID=$!
+ sleep 3
+ 
+ echo " * Connecting to haproxy and using dtls ... "
+-echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${HAPORT} --user test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --script=/bin/true --verbose --pid-file "${CLIPID}" --background
++echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${HAPORT} --user test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --script=/bin/true --verbose --pid-file "${CLIPID}" --background
+ 
+ wait_file "${CLIPID}" 11
+ 
+@@ -134,7 +134,7 @@ echo "restart ocsev with udp-listen-host set to 127.0.0.1"
+ ${CMDNS2} ${SERV} -p ${PIDFILE} -f -c ${CONFIG_UDP_LISTEN_LOCAL} ${DEBUG} & PID=$!
+ 
+ echo " * Connecting to haproxy and using dtls again ... "
+-echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${HAPORT} --user test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --script=/bin/true --verbose --pid-file "${CLIPID2}" --background
++echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${HAPORT} --user test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --script=/bin/true --verbose --pid-file "${CLIPID2}" --background
+ 
+ wait_file "${CLIPID2}" 11
+ 
+diff --git a/tests/test-user-config b/tests/test-user-config
+index 1c7f518..f8573ce 100755
+--- a/tests/test-user-config
++++ b/tests/test-user-config
+@@ -42,20 +42,20 @@ PID=$!
+ wait_server $PID
+ 
+ echo -n "Connecting to obtain cookie (with certificate)... "
+-( $OPENCONNECT -q localhost:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert.pem --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly /dev/null ) ||
++( $OPENCONNECT -q localhost:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert.pem --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly /dev/null ) ||
+ fail $PID "Could not connect with certificate!"
+ 
+ echo ok
+ 
+ echo -n "Re-connecting to force script run... "
+-$OPENCONNECT -q localhost:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert.pem --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s /bin/true /dev/null &
++$OPENCONNECT -q localhost:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert.pem --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s /bin/true /dev/null &
+ kpid1=$!
+ echo ok
+ 
+ sleep 2
+ 
+ echo -n "Re-connecting to check the iroutes... "
+-$OPENCONNECT -v localhost:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert-testuser.pem --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s /bin/true ${TMPFILE1} 2>&1 &
++$OPENCONNECT -v localhost:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert-testuser.pem --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s /bin/true ${TMPFILE1} 2>&1 &
+ kpid2=$!
+ 
+ echo ok
+@@ -63,7 +63,7 @@ sleep 3
+ 
+ echo -n "Checking if max-same-clients is considered... "
+ 
+-timeout 15s $OPENCONNECT localhost:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert-testuser.pem --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s /bin/true ${TMPFILE2} 2>&1
++timeout 15s $OPENCONNECT localhost:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert-testuser.pem --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s /bin/true ${TMPFILE2} 2>&1
+ if test $? = 124;then
+ fail $PID "Max-same-clients directive was ignored"
+ fi
+@@ -155,7 +155,7 @@ rm -f ${TMPFILE1}
+ rm -f ${TMPFILE2}
+ 
+ echo -n "Re-connecting to check the ipv4-network... "
+-$OPENCONNECT -v localhost:$PORT --sslkey "${srcdir}/certs/user-key.pem" -c "${srcdir}/certs/user-cert-testipnet.pem" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s /bin/true ${TMPFILE1} 2>&1 & kpid3=$!
++$OPENCONNECT -v localhost:$PORT --sslkey "${srcdir}/certs/user-key.pem" -c "${srcdir}/certs/user-cert-testipnet.pem" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s /bin/true ${TMPFILE1} 2>&1 & kpid3=$! + + echo ok + sleep 3 +diff --git a/tests/test-vhost b/tests/test-vhost +index 902f011..1a57e60 100755 +--- a/tests/test-vhost ++++ b/tests/test-vhost +@@ -62,7 +62,7 @@ PID=$! + wait_server $PID + + echo -n "Connecting to default host to obtain cookie (user without certificate)... " +-connect "default.example.com" "-u test" "test" "d66b507ae074d03b02eafca40d35f87dd81049d3" ++connect "default.example.com" "-u test" "test" "pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8=" + if test $? != 0;then + fail $PID "Failed to connect with user without certificate!" + fi +@@ -111,7 +111,7 @@ fi + echo ok + + echo -n "Connecting to default host to obtain cookie (with certificate)... " +-connect "default.example.com" "-u test --sslkey ./certs/user-key.pem -c ./certs/user-cert.pem" "" "d66b507ae074d03b02eafca40d35f87dd81049d3" ++connect "default.example.com" "-u test --sslkey ./certs/user-key.pem -c ./certs/user-cert.pem" "" "pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8=" + if test $? = 0;then + fail $PID "Connected to wrong host with certificate!" + fi +@@ -136,7 +136,7 @@ kill -HUP $PID + sleep 5 + + echo -n "Sanity check to default host..." +-connect "default.example.com" "-u test" "test" "d66b507ae074d03b02eafca40d35f87dd81049d3" ++connect "default.example.com" "-u test" "test" "pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8=" + if test $? != 0;then + fail $PID "Failed to connect with user without certificate!" + fi +diff --git a/tests/traffic b/tests/traffic +index 3ea962f..1f0fcaf 100755 +--- a/tests/traffic ++++ b/tests/traffic +@@ -79,14 +79,14 @@ sleep 4 + + # Run clients + echo " * Getting cookie from ${ADDRESS}:${PORT}..." 
+-( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly )
++( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly )
+ if test $? != 0;then
+ echo "Could not get cookie from server"
+ exit 1
+ fi
+ 
+ echo " * Connecting to ${ADDRESS}:${PORT}..."
+-( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b )
++( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b )
+ if test $? != 0;then
+ echo "Could not connect to server"
+ exit 1
diff --git a/ocserv.spec b/ocserv.spec
index be817d6..eb5dcf6 100644
--- a/ocserv.spec
+++ b/ocserv.spec
@@ -1,5 +1,5 @@
 Version: 1.1.7
-Release: 1%{?dist}
+Release: 2%{?dist}
 %global _hardened_build 1
 %if 0%{?fedora} || 0%{?rhel} >= 7
@@ -38,6 +38,8 @@ Source8: ocserv-genkey
 Source9: ocserv-script
 Source10: gpgkey-56EE7FA9E8173B19FE86268D763712747F343FA7.gpg
 Source11: ocserv.init
+# When removed remove the autoreconf step
+Patch0: expired-certs.patch
 # Taken from upstream:
 # http://git.infradead.org/ocserv.git/commitdiff/7d70006a2dbddf783213f1856374bacc74217e09
@@ -139,6 +141,8 @@ gpgv2 --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0} || gpgv2 --keyring %{SOURCE10}
 %endif
 %autosetup -p1
+# temporarily needed to apply patches
+autoreconf -fvi
 rm -f src/http-parser/http_parser.c src/http-parser/http_parser.h
 %if (0%{?use_local_protobuf} == 0)
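Review bot: The `autoreconf -fvi` added in %prep at `@@ -139,6 +141,8 @@` only succeeds in a clean mock chroot if autoconf, automake and libtool (and any m4 macros upstream's configure.ac pulls in) are listed in BuildRequires, and nothing in these hunks shows them being added, so please confirm they are already present. Regenerating configure at build time also means the build no longer runs the configure script that the gpgv2 signature check named in this hunk header verified, but one produced from the local autotools plus the patched tests/Makefile.am; that is a modest widening of the trusted inputs and is worth stating next to the step, e.g. `# regenerates configure from the patched tests/Makefile.am; remove together with Patch0`. Since the Patch0 comment already says the reverse, the two comments would then reference each other and neither can be dropped alone.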
@@ -272,6 +276,9 @@ install -D -m 0755 %{SOURCE11} %{buildroot}/%{_initrddir}/%{name} %endif %changelog +* Thu Jun 22 2023 Nikos Mavrogiannopoulos - 1.1.7-2 +- Backported fixes for expired certificates + * Sun May 07 2023 Nikos Mavrogiannopoulos - 1.1.7-1 - Updated to 1.1.7 From 025342a309b68f3e3b1512dd92c49e58d0ce45f8 Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Tue, 11 Jul 2023 17:12:11 +0200 Subject: [PATCH 167/177] use %autorelease and %autochangelog --- ocserv.spec | 355 +--------------------------------------------------- 1 file changed, 2 insertions(+), 353 deletions(-) diff --git a/ocserv.spec b/ocserv.spec index eb5dcf6..8f2b22b 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -1,5 +1,5 @@ Version: 1.1.7 -Release: 2%{?dist} +Release: %autorelease %global _hardened_build 1 %if 0%{?fedora} || 0%{?rhel} >= 7 
@@ -276,355 +276,4 @@ install -D -m 0755 %{SOURCE11} %{buildroot}/%{_initrddir}/%{name} %endif %changelog -* Thu Jun 22 2023 Nikos Mavrogiannopoulos - 1.1.7-2 -- Backported fixes for expired certificates - -* Sun May 07 2023 Nikos Mavrogiannopoulos - 1.1.7-1 -- Updated to 1.1.7 - -* Thu Feb 17 2022 Nikos Mavrogiannopoulos - 1.1.6-1 -- Updated to 1.1.6 - -* Thu Feb 10 2022 Nikos Mavrogiannopoulos - 1.1.4-3 -- Update seccomp rules to allow the futex syscall -- Workaround incompatible API change in GnuTLS 3.7.3. - -* Thu Jan 20 2022 Fedora Release Engineering - 1.1.4-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild - -* Sat Nov 13 2021 Nikos Mavrogiannopoulos - 1.1.4-1 -- Update to upstream 1.1.4 release - -* Sat Nov 06 2021 Adrian Reber - 1.1.3-4 -- Rebuilt for protobuf 3.19.0 - -* Tue Oct 26 2021 Adrian Reber - 1.1.3-3 -- Rebuilt for protobuf 3.18.1 - -* Thu Jul 22 2021 Fedora Release Engineering - 1.1.3-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild - -* Wed Jun 2 2021 Nikos Mavrogiannopoulos - 1.1.3-1 -- Updated to latest release - -* Tue Jan 26 2021 Fedora Release Engineering - 1.1.2-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild - -* Thu Jan 14 08:31:24 CET 2021 Adrian Reber - 1.1.2-2 -- Rebuilt for protobuf 3.14 - -* Sun Dec 6 2020 Nikos Mavrogiannopoulos - 1.1.2-1 -- Update to upstream 1.1.2 release - -* Mon Nov 23 2020 Nikos Mavrogiannopoulos - 1.1.1-5 -- Rebuilt for ronn successor - -* Wed Nov 11 2020 Nikos Mavrogiannopoulos - 1.1.1-4 -- Rebuilt for radcli 1.3.0 - -* Thu Oct 29 2020 Nikos Mavrogiannopoulos - 1.1.1-3 -- Rebuild without pcllib dependency -- Enhanced seccomp filters for tests to run in all architectures - -* Thu Sep 24 2020 Adrian Reber - 1.1.1-2 -- Rebuilt for protobuf 3.13 - -* Mon Sep 21 2020 Nikos Mavrogiannopoulos - 1.1.1-1 -- Update to upstream 1.1.1 release -- Set default priorities to NORMAL as using @SYSTEM is no longer necessary - to follow crypto policies. 
- -* Tue Jul 28 2020 Fedora Release Engineering - 1.1.0-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild - -* Sun Jun 21 2020 Adrian Reber - 1.1.0-2 -- Rebuilt for protobuf 3.12 - -* Tue Jun 16 2020 Nikos Mavrogiannopoulos - 1.1.0-1 -- Update to upstream 1.1.0 release (introduces ocserv-worker) - -* Wed Apr 15 2020 Igor Raits - 1.0.1-2 -- Rebuild for http-parser 2.9.4 - -* Thu Apr 09 2020 Nikos Mavrogiannopoulos - 1.0.1-1 -- Update to upstream 1.0.1 release - -* Fri Mar 20 2020 Nikos Mavrogiannopoulos - 1.0.0-1 -- Update to upstream 1.0.0 release - -* Wed Jan 29 2020 Fedora Release Engineering - 0.12.6-4 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild - -* Sat Dec 28 2019 Nikos Mavrogiannopoulos - 0.12.6-1 -- Update to upstream 0.12.6 release - -* Wed Oct 16 2019 Nikos Mavrogiannopoulos - 0.12.5-1 -- Update to upstream 0.12.5 release - -* Thu Jul 25 2019 Fedora Release Engineering - 0.12.4-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild - -* Wed Jul 03 2019 Nikos Mavrogiannopoulos - 0.12.4-1 -- Update to upstream 0.12.4 release - -* Tue Mar 12 2019 Nikos Mavrogiannopoulos - 0.12.3-1 -- Update to upstream 0.12.3 release - -* Sun Feb 17 2019 Igor Gnatenko - 0.12.2-4 -- Rebuild for readline 8.0 - -* Fri Feb 01 2019 Fedora Release Engineering - 0.12.2-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild - -* Mon Jan 14 2019 Björn Esser - 0.12.2-2 -- Rebuilt for libcrypt.so.2 (#1666033) - -* Thu Jan 10 2019 Nikos Mavrogiannopoulos - 0.12.2-1 -- Update to upstream 0.12.2 release - -* Tue Jul 24 2018 Nikos Mavrogiannopoulos - 0.12.1-3 -- Added gcc as build-dependency - -* Fri Jul 13 2018 Fedora Release Engineering - 0.12.1-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild - -* Sat May 12 2018 Nikos Mavrogiannopoulos - 0.12.1-1 -- Update to upstream 0.12.1 release - -* Mon Apr 23 2018 Nikos Mavrogiannopoulos - 0.12.0-1 -- Update to upstream 0.12.0 release - -* Thu Apr 
12 2018 Nikos Mavrogiannopoulos - 0.11.11-2 -- Update to upstream 0.11.11 release -- include crypt.h to use crypt() - -* Mon Mar 05 2018 Nikos Mavrogiannopoulos - 0.11.11-1 -- Update to upstream 0.11.11 release - -* Thu Feb 08 2018 Fedora Release Engineering - 0.11.10-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild - -* Sat Jan 20 2018 Björn Esser - 0.11.10-2 -- Rebuilt for switch to libxcrypt - -* Mon Jan 08 2018 Nikos Mavrogiannopoulos - 0.11.10-1 -- Update to upstream 0.11.10 release - -* Tue Nov 21 2017 Nikos Mavrogiannopoulos - 0.11.9-3 -- Update to upstream 0.11.9 release - -* Thu Nov 16 2017 Nikos Mavrogiannopoulos - 0.11.9-2 -- Do not enable libwrap - -* Tue Oct 10 2017 Nikos Mavrogiannopoulos - 0.11.9-1 -- Update to upstream 0.11.9 release - -* Thu Aug 03 2017 Fedora Release Engineering - 0.11.8-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild - -* Thu Jul 27 2017 Fedora Release Engineering - 0.11.8-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild - -* Wed May 03 2017 Nikos Mavrogiannopoulos - 0.11.8-1 -- Update to upstream 0.11.8 release - -* Mon Feb 13 2017 Nikos Mavrogiannopoulos - 0.11.7-1 -- Update to upstream 0.11.7 release - -* Sat Feb 11 2017 Fedora Release Engineering - 0.11.6-4 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild - -* Thu Jan 12 2017 Igor Gnatenko - 0.11.6-3 -- Rebuild for readline 7.x - -* Tue Nov 15 2016 Nikos Mavrogiannopoulos - 0.11.6-2 -- Removed gpgkeys from sources - -* Tue Nov 15 2016 Nikos Mavrogiannopoulos - 0.11.6-1 -- New upstream release - -* Wed Sep 14 2016 Nikos Mavrogiannopoulos - 0.11.4-3 -- Added getrandom to the list of allowed syscalls (#1375851) - -* Thu Sep 8 2016 Nikos Mavrogiannopoulos - 0.11.4-2 -- Rebuild to address http-parser breakage (#1374081) - -* Fri Aug 5 2016 Nikos Mavrogiannopoulos - 0.11.4-1 -- New upstream release - -* Thu Jun 16 2016 Nikos Mavrogiannopoulos - 0.11.3-1 -- New upstream release - -* Tue 
Apr 26 2016 Nikos Mavrogiannopoulos - 0.11.2-1 -- New upstream release -- Added automatic verification of signature during build - -* Mon Mar 21 2016 Nikos Mavrogiannopoulos - 0.11.1-1 -- new upstream release - -* Fri Feb 19 2016 Nikos Mavrogiannopoulos - 0.11.0-1 -- new upstream release - -* Thu Feb 04 2016 Fedora Release Engineering - 0.10.11-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild - -* Mon Jan 11 2016 Nikos Mavrogiannopoulos - 0.10.11-1 -- new upstream release - -* Mon Nov 30 2015 Nikos Mavrogiannopoulos - 0.10.10-1 -- new upstream release - -* Thu Oct 8 2015 Nikos Mavrogiannopoulos - 0.10.9-1 -- new upstream release (#1269479) - -* Thu Sep 17 2015 Nikos Mavrogiannopoulos - 0.10.8-2 -- compile ocserv using radcli - -* Mon Sep 7 2015 Nikos Mavrogiannopoulos - 0.10.8-1 -- new upstream release (#1260327) - -* Fri Aug 7 2015 Nikos Mavrogiannopoulos - 0.10.7-1 -- new upstream release (#1251305) - -* Thu Jul 9 2015 Nikos Mavrogiannopoulos - 0.10.6-2 -- corrected JSON output - -* Thu Jul 2 2015 Nikos Mavrogiannopoulos - 0.10.6-1 -- new upstream release (#1238499) - -* Wed Jun 17 2015 Fedora Release Engineering - 0.10.5-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild - -* Mon May 25 2015 Nikos Mavrogiannopoulos - 0.10.5-1 -- new upstream release (#1215326) - -* Mon Apr 27 2015 Nikos Mavrogiannopoulos - 0.10.4-1 -- new upstream release - -* Mon Mar 30 2015 Nikos Mavrogiannopoulos - 0.10.2-1 -- new upstream release - -* Mon Mar 16 2015 Nikos Mavrogiannopoulos - 0.10.1-1 -- new upstream release - -* Wed Mar 11 2015 Nikos Mavrogiannopoulos - 0.10.0-1 -- new upstream release - -* Wed Feb 18 2015 Nikos Mavrogiannopoulos - 0.9.2-1 -- new upstream release -- enabled lz4 compression - -* Mon Feb 16 2015 Peter Robinson 0.9.1-2 -- aarch64 (and ARMv7) now has seccomp support - -* Mon Feb 16 2015 Nikos Mavrogiannopoulos - 0.9.1-1 -- new upstream release - -* Thu Jan 29 2015 Nikos Mavrogiannopoulos - 0.9.0-2 -- only enable seccomp 
in x86-64. It seems to be broken in x86: - http://sourceforge.net/p/libseccomp/mailman/message/33275762/ - -* Thu Jan 22 2015 Nikos Mavrogiannopoulos - 0.9.0-1 -- new upstream release - -* Fri Jan 9 2015 Nikos Mavrogiannopoulos - 0.8.9-4 -- enable PIE - -* Tue Jan 6 2015 Nikos Mavrogiannopoulos - 0.8.9-3 -- Comply with system-wide crypto policies (#1179332) - -* Mon Jan 5 2015 Nikos Mavrogiannopoulos - 0.8.9-2 -- ocserv.service: depend on network-online.target (#1178760) -- enable seccomp (on platforms it is available) - -* Thu Dec 11 2014 Nikos Mavrogiannopoulos - 0.8.9-1 -- New upstream release - -* Wed Nov 26 2014 Nikos Mavrogiannopoulos - 0.8.8-1 -- New upstream release - -* Mon Oct 27 2014 Nikos Mavrogiannopoulos - 0.8.7-1 -- New upstream release - -* Tue Sep 09 2014 Nikos Mavrogiannopoulos - 0.8.4-2 -- Ship a default ocserv-script, which will put connecting clients - into the internal firewall zone. - -* Thu Aug 28 2014 Nikos Mavrogiannopoulos - 0.8.4-1 -- New upstream release - -* Sun Aug 17 2014 Fedora Release Engineering - 0.8.2-4 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild - -* Fri Aug 08 2014 Nikos Mavrogiannopoulos - 0.8.2-3 -- Rebuilt - -* Tue Aug 05 2014 Nikos Mavrogiannopoulos - 0.8.2-2 -- Rebuilt for new protobuf-c - -* Mon Jul 28 2014 Nikos Mavrogiannopoulos - 0.8.2-1 -- New upstream release - -* Mon Jun 30 2014 Nikos Mavrogiannopoulos - 0.8.1-1 -- New upstream release - -* Fri Jun 06 2014 Nikos Mavrogiannopoulos - 0.8.0-2 -- Generate certificates and private keys before the first run -- Corrected chroot path - -* Mon Jun 02 2014 Nikos Mavrogiannopoulos - 0.8.0-1 -- New upstream release - -* Mon May 26 2014 Nikos Mavrogiannopoulos - 0.8.0pre0-1 -- New upstream release - -* Fri May 09 2014 Nikos Mavrogiannopoulos - 0.3.5-1 -- New upstream release - -* Fri May 02 2014 Nikos Mavrogiannopoulos - 0.3.4-1 -- New upstream release - -* Thu Apr 10 2014 Nikos Mavrogiannopoulos - 0.3.3-1 -- New upstream release - -* Fri Mar 14 2014 
Nikos Mavrogiannopoulos - 0.3.2-1 -- New upstream release - -* Mon Feb 17 2014 Nikos Mavrogiannopoulos - 0.3.1-2 -- new upstream release - -* Wed Jan 29 2014 Nikos Mavrogiannopoulos - 0.3.0-2 -- Generated certificates no longer carry an expiration date. - -* Mon Jan 27 2014 Nikos Mavrogiannopoulos - 0.3.0-1 -- Updated to latest upstream version (0.3.0). -- Certificates and private keys are auto-generated. - -* Mon Dec 16 2013 Nikos Mavrogiannopoulos - 0.2.3-1 -- Updated to latest upstream version (0.2.3). -- Corrected the chroot directory in config file. - -* Fri Dec 6 2013 Nikos Mavrogiannopoulos - 0.2.1-6 -- Added exception for the bundling of CCAN components. - -* Wed Nov 13 2013 Nikos Mavrogiannopoulos - 0.2.1-5 -- Updated the way PACKAGE-LICENSING is handled. - -* Tue Nov 12 2013 Nikos Mavrogiannopoulos - 0.2.1-4 -- Replaced gnulib's GPLv3+ license with GPLv2+. According to - http://lists.gnu.org/archive/html/bug-gnulib/2013-11/msg00062.html - it was a gnulib bug. -- Reduced the number of applicable licenses by upgrading LGPLv2+ - components to GPLv2+. -- Added PACKAGE-LICENSING. - -* Mon Nov 11 2013 Nikos Mavrogiannopoulos - 0.2.1-3 -- Updated spec to add http-parser and pcllib as dependencies. -- Bundled library files are removed. -- Updated license information. - -* Fri Nov 8 2013 Nikos Mavrogiannopoulos - 0.2.1-2 -- Updated spec to account improvements suggested by Alec Leamas. - -* Thu Nov 7 2013 Nikos Mavrogiannopoulos - 0.2.1-1 -- Initial version of the package +%autochangelog From 6894bf2ad7180e3d27d4d1350ae855a9e30c040a Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Tue, 11 Jul 2023 17:31:45 +0200 Subject: [PATCH 168/177] Updated to 1.2.0 --- .gitignore | 2 + expired-certs.patch | 2308 ------------------------------------------- ocserv.conf | 138 ++- ocserv.spec | 14 +- sources | 4 +- 5 files changed, 115 insertions(+), 2351 deletions(-) delete mode 100644 expired-certs.patch 
diff --git a/.gitignore b/.gitignore
index 1435b3a..2113177 100644
--- a/.gitignore
+++ b/.gitignore
@@ -239,3 +239,5 @@
 /ocserv-1.1.6.tar.xz
 /ocserv-1.1.7.tar.xz
 /ocserv-1.1.7.tar.xz.sig
+/ocserv-1.2.0.tar.xz
+/ocserv-1.2.0.tar.xz.sig
diff --git a/expired-certs.patch b/expired-certs.patch
deleted file mode 100644
index 443bd7b..0000000
--- a/expired-certs.patch
+++ /dev/null
@@ -1,2308 +0,0 @@
-diff --git a/tests/Makefile.am b/tests/Makefile.am
-index d965eae..ecc417c 100644
---- a/tests/Makefile.am
-+++ b/tests/Makefile.am
-@@ -44,7 +44,8 @@ EXTRA_DIST = certs/ca-key.pem certs/ca.pem ns.sh common.sh certs/server-cert.pem
- data/disconnect-user2.config data/ping-leases.config data/haproxy-proxyproto.config \
- data/haproxy-proxyproto.cfg scripts/proxy-connectscript data/haproxy-proxyproto-v1.config \
- data/haproxy-proxyproto-v1.cfg scripts/proxy-connectscript-v1 data/test-multiple-client-ip.config \
-- data/test-client-bypass-protocol.config asan.supp
-+ data/test-client-bypass-protocol.config asan.supp certs/ca.tmpl certs/server-cert.tmpl \
-+ certs/user-cert.tmpl
- 
- xfail_scripts =
- dist_check_SCRIPTS = ocpasswd-test
-@@ -176,6 +177,25 @@ gen_oidc_test_data_CPPFLAGS = $(AM_CPPFLAGS)
- gen_oidc_test_data_SOURCES = generate_oidc_test_data.c
- gen_oidc_test_data_LDADD = $(LDADD) $(CJOSE_LIBS) $(JANSSON_LIBS)
- 
-+certs/ca.pem: certs/ca-key.pem certs/ca.tmpl
-+ certtool --generate-self-signed --template certs/ca.tmpl --load-privkey certs/ca-key.pem --outfile certs/ca.pem
-+
-+certs/server-cert-ca.pem: certs/ca.pem certs/server-cert.pem
-+ cat certs/server-cert.pem certs/ca.pem > certs/server-cert-ca.pem
-+
-+certs/server-cert.pem: certs/server-cert.tmpl certs/ca.pem certs/server-key.pem certs/ca-key.pem
-+ certtool --generate-certificate --template certs/server-cert.tmpl --load-privkey certs/server-key.pem --load-ca-certificate certs/ca.pem --load-ca-privkey certs/ca-key.pem --outfile certs/server-cert.pem
-+
-+certs/user-cert.pem: certs/user-cert.tmpl certs/ca.pem certs/user-key.pem certs/ca-key.pem
-+ certtool --generate-certificate --template certs/user-cert.tmpl --load-privkey certs/user-key.pem --load-ca-certificate certs/ca.pem --load-ca-privkey certs/ca-key.pem --outfile certs/user-cert.pem
-+
-+# make the user certificate invalid by signing it with another CA
-+certs/user-cert-invalid.pem: certs/user-cert.tmpl
-+ certtool 
--generate-privkey --outfile ca-key.tmp
-+ certtool --generate-self-signed --template certs/ca.tmpl --load-privkey ca-key.tmp --outfile ca.tmp
-+ certtool --generate-certificate --template certs/user-cert.tmpl --load-privkey certs/user-key.pem --load-ca-certificate ca.tmp --load-ca-privkey ca-key.tmp --outfile certs/user-cert-invalid.pem
-+ rm -f ca-key.tmp ca.tmp
-+
- if ENABLE_OIDC_AUTH_TESTS
- check_PROGRAMS += gen_oidc_test_data
- dist_check_SCRIPTS += test-oidc
-diff --git a/tests/apple-ios b/tests/apple-ios
-index 897d823..45b0cd3 100755
---- a/tests/apple-ios
-+++ b/tests/apple-ios
-@@ -54,11 +54,11 @@ wait_server $PID
- sleep 2
- 
- echo " * Connecting to obtain cookie... "
--( echo "!@#$%^&*()<>" | $OPENCONNECT localhost:$PORT -u "sp@c/al" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null ) ||
-+( echo "!@#$%^&*()<>" | $OPENCONNECT localhost:$PORT -u "sp@c/al" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null ) ||
- fail $PID "Could not receive cookie from server"
- 
- echo " * Re-connect to force script run with platform... "
--echo "!@#$%^&*()<>" | timeout 7 $OPENCONNECT --verbose localhost:$PORT -u "sp@c/al" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s /bin/true >${TMPFILE} 2>&1
-+echo "!@#$%^&*()<>" | timeout 7 $OPENCONNECT --verbose localhost:$PORT -u "sp@c/al" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s /bin/true >${TMPFILE} 2>&1
- 
- sleep 5
- 
-@@ -87,7 +87,7 @@ fi
- rm -f ${TMPFILE}
- 
- echo " * Re-connecting to force script run with user agent... 
" --echo "!@#$%^&*()<>" | timeout 7 $OPENCONNECT --verbose --useragent="Cisco AnyConnect VPN Agent for Apple" localhost:$PORT -u "sp@c/al" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s /bin/true >${TMPFILE} 2>&1 -+echo "!@#$%^&*()<>" | timeout 7 $OPENCONNECT --verbose --useragent="Cisco AnyConnect VPN Agent for Apple" localhost:$PORT -u "sp@c/al" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s /bin/true >${TMPFILE} 2>&1 - - sleep 5 - -@@ -114,7 +114,7 @@ fi - sleep 5 - echo " - Check server status" - --( echo "!@#$%^&*()<>" | $OPENCONNECT localhost:$PORT -u "sp@c/al" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) || -+( echo "!@#$%^&*()<>" | $OPENCONNECT localhost:$PORT -u "sp@c/al" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) || - fail $PID "Could not receive cookie from server" - - echo " - Killing server" -diff --git a/tests/banner b/tests/banner -index 44954e2..08f8f19 100755 ---- a/tests/banner -+++ b/tests/banner -@@ -50,7 +50,7 @@ wait_server $PID - sleep 3 - - echo "Connecting to obtain cookie... " --( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT $ADDRESS:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >${TMPFILE} 2>&1 ) || -+( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT $ADDRESS:$PORT -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >${TMPFILE} 2>&1 ) || - fail $PID "Could not receive cookie from server" - - grep "${BANNER}" ${TMPFILE} >/dev/null -@@ -61,7 +61,7 @@ if test $? != 0;then - fi - - echo "Connecting to obtain cookie with wrong password... 
" --( echo "tost" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT $ADDRESS:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >${TMPFILE} 2>&1 ) && -+( echo "tost" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT $ADDRESS:$PORT -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >${TMPFILE} 2>&1 ) && - fail $PID "Received cookie when we shouldn't" - - grep "${BANNER}" ${TMPFILE} >/dev/null -diff --git a/tests/certs/ca-key.pem b/tests/certs/ca-key.pem -index 9bd0754..ee5599c 100644 ---- a/tests/certs/ca-key.pem -+++ b/tests/certs/ca-key.pem -@@ -31,25 +31,3 @@ y1hvTfWRAoGZALNT3AbF9EDnJmZlS30MWtBggw83UhszC8XN2tY30AsvsDOS6a0F - UVhyNvBTKo6lPqXqUsVxp16TKeeQKF+DuYuuNZN3pXXsHTiHkRMDCRVEqz7UnZEc - /Bq/Kh2aOkelkX2S27QzTZGL - -----END RSA PRIVATE KEY----- -------BEGIN CERTIFICATE----- --MIIDtDCCAmygAwIBAgIETeC0yjANBgkqhkiG9w0BAQsFADAZMRcwFQYDVQQDEw5H --bnVUTFMgVGVzdCBDQTAeFw0xMTA1MjgwODM5MzlaFw0zODEwMTIwODM5NDBaMC8x --LTArBgNVBAMTJEdudVRMUyBUZXN0IFNlcnZlciAoUlNBIGNlcnRpZmljYXRlKTCC --AVIwDQYJKoZIhvcNAQEBBQADggE/ADCCAToCggExALRrJ5glr8H/HsqwfvTYvO1D --hmdUXdq0HsKQX4M8AhH8E3KFsoikZUELdl8jvoqf/nlLczsux0s8vxbJl1U1F/Oh --ckswwuAnlBLzVgDmzoJLEV2kHpv6+rkbKk0Ytbql5gzHqKihbaqIhNyWDrJsHDWq --58eUPfnVx8KiDUuzbnr3CF/FCc0Vkxr3mN8qTGaJJO0f0BZjgWWlWDuhzSVim5mB --VAgXGOx8LwiiOyhXMp0XRwqG+2KxQZnm+96o6iB+8xvuuuqaIWQpkvKtc+UZBZ03 --U+IRnxhfIrriiw0AjJ4vp4c9QL5KoqWSCAwuYcBYfJqZ4dasgzklzz4b7eujbZ3L --xTjewcdumzQUvjA+gpAeuUqaduTvMwxGojFy9sNhC/iqZ4n0peV2N6Epn4B5qnUC --AwEAAaOBjTCBijAMBgNVHRMBAf8EAjAAMBQGA1UdEQQNMAuCCWxvY2FsaG9zdDAT --BgNVHSUEDDAKBggrBgEFBQcDATAPBgNVHQ8BAf8EBQMDB6AAMB0GA1UdDgQWBBR2 --B1hM6rUp9S2ABoyDSoINCeyT3jAfBgNVHSMEGDAWgBRNVrdqAFjxZ5L0pnVVG45T --AQPvzzANBgkqhkiG9w0BAQsFAAOCATEAdNWmTsh5uIfngyhOWwm7pK2+vgUMY8nH --gMoMFHt0yuxuImcUMXu3LRS1dZSoCJACBpTFGi/Dg2U0qvOHQcEmc3OwNqHB90R3 --LG5jUSCtq/bYW7h/6Gd9KeWCgZczaHbQ9IPTjLH1dLswVPt+fXKB6Eh0ggSrGATE --/wRZT/XgDCW8t4C+2+TmJ8ZEzvU87KAPQ9rUBS1+p3EUAR/FfMApApsEig1IZ+ZD 
--5joaGBW7zh1H0B9mEKidRvD7yuRJyzAcvD25nT15NLW0QR3dEeXosLc720xxJl1h --h8NJ7YOvn323mOjR9er4i4D6iJlXmJ8tvN9vakCankWvBzb7plFn2sfMQqICFpRc --w075D8hdQxfpGffL2tEeKSgjyNHXS7x3dFhUpN3IQjUi2x4f2e/ZXg== -------END CERTIFICATE----- -diff --git a/tests/certs/ca.pem b/tests/certs/ca.pem -index c4058ee..02f0b76 100644 ---- a/tests/certs/ca.pem -+++ b/tests/certs/ca.pem -@@ -1,20 +1,20 @@ - -----BEGIN CERTIFICATE----- --MIIDPzCCAfegAwIBAgIEUdguzDANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDEwJD --QTAiGA8yMDEzMDcwNjE0NTA1MloYDzIwMjMwNTE1MTQ1MDUyWjANMQswCQYDVQQD --EwJDQTCCAVIwDQYJKoZIhvcNAQEBBQADggE/ADCCAToCggExALRrJ5glr8H/Hsqw --fvTYvO1DhmdUXdq0HsKQX4M8AhH8E3KFsoikZUELdl8jvoqf/nlLczsux0s8vxbJ --l1U1F/OhckswwuAnlBLzVgDmzoJLEV2kHpv6+rkbKk0Ytbql5gzHqKihbaqIhNyW --DrJsHDWq58eUPfnVx8KiDUuzbnr3CF/FCc0Vkxr3mN8qTGaJJO0f0BZjgWWlWDuh --zSVim5mBVAgXGOx8LwiiOyhXMp0XRwqG+2KxQZnm+96o6iB+8xvuuuqaIWQpkvKt --c+UZBZ03U+IRnxhfIrriiw0AjJ4vp4c9QL5KoqWSCAwuYcBYfJqZ4dasgzklzz4b --7eujbZ3LxTjewcdumzQUvjA+gpAeuUqaduTvMwxGojFy9sNhC/iqZ4n0peV2N6Ep --n4B5qnUCAwEAAaNDMEEwDwYDVR0TAQH/BAUwAwEB/zAPBgNVHQ8BAf8EBQMDBwQA --MB0GA1UdDgQWBBRIIzRTCokxOEpa6sq20qbezh0rGDANBgkqhkiG9w0BAQsFAAOC --ATEAa1kdd8E1PkM06Isw0S/thEll0rAYsNHwSX17IDUWocTTQlmVXBXcvLqM04QT --z7WNG4eushLhRpSn8LJQkf4RgvAxOMIjHM9troDbPVoec6k8fZrJ8jfXurOgoOVP --g+hScT3VDvxgiOVwgXSe2XBryGDaviRuSOHlfy5GPVirLJLZwpcX6RpsHMX9rrZX --ghvf8dwm4To9H5wT0Le2FnZRoLOTMmpr49bfKJqy/U7AUHaf4saSdkdEIaGOxkPk --x+SFlr9TjavnJvL0TApkvfNZ1aOVHRHINgaFYHQJ4U0jQ/g7lPmD+UtZWnvSMNXH --yct5cKOyP4j7Kla1sKPs+oamOQ7pR1Z/GwBxe48FvO7VDi7EkugLwlzoXC2G+4Jg --fJbi9Ui2FmXEeKkX34f1ONNj9Q== -+MIIDPDCCAfSgAwIBAgIEUdguzDANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDEwJD -+QTAgFw0xMzAyMTMxNTMyMTJaGA85OTk5MTIzMTIzNTk1OVowDTELMAkGA1UEAxMC -+Q0EwggFSMA0GCSqGSIb3DQEBAQUAA4IBPwAwggE6AoIBMQC0ayeYJa/B/x7KsH70 -+2LztQ4ZnVF3atB7CkF+DPAIR/BNyhbKIpGVBC3ZfI76Kn/55S3M7LsdLPL8WyZdV -+NRfzoXJLMMLgJ5QS81YA5s6CSxFdpB6b+vq5GypNGLW6peYMx6iooW2qiITclg6y -+bBw1qufHlD351cfCog1Ls2569whfxQnNFZMa95jfKkxmiSTtH9AWY4FlpVg7oc0l 
-+YpuZgVQIFxjsfC8IojsoVzKdF0cKhvtisUGZ5vveqOogfvMb7rrqmiFkKZLyrXPl -+GQWdN1PiEZ8YXyK64osNAIyeL6eHPUC+SqKlkggMLmHAWHyameHWrIM5Jc8+G+3r -+o22dy8U43sHHbps0FL4wPoKQHrlKmnbk7zMMRqIxcvbDYQv4qmeJ9KXldjehKZ+A -+eap1AgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0G -+A1UdDgQWBBRIIzRTCokxOEpa6sq20qbezh0rGDANBgkqhkiG9w0BAQsFAAOCATEA -+foqPGdiyJYHih4J5YHwFPQxmkOzPHSa13K/q8sDvobE+HFTzrlTbAFC8bS38Bv2f -+9ZrPME4JvnsGdRGYwxS3LUmNdHHWR8LkvGXBE3u/TZsJfPtOR8JwdulQXpRw7hhL -+ew/mR5IEHZrUZgnnI4dg1kJhE1JPTvmtgqcE1CsikVQ14NvG/ehJbJyPgKTq/Zxm -+Ru4B5N+Jef/LaOqZvK4xK8x2ZaZ/L/ANou+7EY4DoWAkOEEoCU8DQHLAFgf6B7La -+oemLQGNHcBpba81jlS5EXXGJccOvfbw0MJTP3ZvyVIlEYu/X4roC7EJP/UkCZUJG -+f79Nc28q2/2D8tuFOqG7UbP7r2cWSa8OO3cI/V1W1k3iWZ63WltqDwFC0c8iqYFL -+9xKfQ96Q7wrYOCjmuaCLbw== - -----END CERTIFICATE----- -diff --git a/tests/certs/ca.tmpl b/tests/certs/ca.tmpl -new file mode 100644 -index 0000000..da5cc3f ---- /dev/null -+++ b/tests/certs/ca.tmpl -@@ -0,0 +1,6 @@ -+cn = CA -+ca -+cert_signing_key -+expiration_days = -1 -+activation_date = "2013-02-13 16:32:12" -+serial = 0x51d82ecc -diff --git a/tests/certs/server-cert-ca.pem b/tests/certs/server-cert-ca.pem -index 818101a..8ffaad3 100644 ---- a/tests/certs/server-cert-ca.pem -+++ b/tests/certs/server-cert-ca.pem -@@ -1,42 +1,42 @@ - -----BEGIN CERTIFICATE----- --MIIDkTCCAkmgAwIBAgIEUdgu8DANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDEwJD --QTAiGA8yMDEzMDcwNjE0NTEyOVoYDzIwMjMwNTE1MTQ1MTI5WjAUMRIwEAYDVQQD --Ewlsb2NhbGhvc3QwggFSMA0GCSqGSIb3DQEBAQUAA4IBPwAwggE6AoIBMQCnOivs --PxSwLBn28W6QHb+OqfbpcIQJh/NQ81/DlFD6LGTWV4BY4Zb87tC9BBV+X3+lM/j8 --u5HvN3nDWtv4Ge0DryLW6Tcs6FPCt4srEfCkh5l54LrMmWbhFgkVlN5fTqoY0lnd --YJx2X8WWldRjeL+8E7nFUcFStWrgi9AzgMFrjsL4pql97YAZRXcMoQXVjbRmzVLZ --IVumQy7c+tl7Eqz8lx/xS/5Fx9tIRunqNS5jEUs8Nn5E6FvraAcy+eI0gXTGk759 --KNPYisSqAuFAmmt/XDTTvvOo6dpAseXqtR2/LjZJWOlXdiZ/yjHg5+RKQ5dt3dk5 --7lAIWER9egIOo/+GAkyek0ZJ5GWU6VxTsFcIl6oy3S7EtB0NCIM7hvhy32QrJ5ZU --yNncTSf6qMVoedgdAgMBAAGjgY0wgYowDAYDVR0TAQH/BAIwADAUBgNVHREEDTAL 
--gglsb2NhbGhvc3QwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYDVR0PAQH/BAUDAweg --ADAdBgNVHQ4EFgQUqCVH9o9E1jUb72ys0de5boT536MwHwYDVR0jBBgwFoAUSCM0 --UwqJMThKWurKttKm3s4dKxgwDQYJKoZIhvcNAQELBQADggExAK7dBCSwM/OJw+6s --9MJAb7Ygi9xhHSq30Hg3M7DaPC7J9rZB6+IAVb3poOZAtDDtyTqvXH7qY5UMjJC9 --GsFmHPI/OSk2xuJJpG+ZJaP54b7kzTtUD6UCHETsgBk2aNuqNhjXR2fYnR9QME0C --zZWIDV+5DFEBI97ln30N6PcXvIxp7Rsac3qwzvwt3zL+23kTwgM+DoRPoPO0PHr/ --eQ9hvRU5wA2Vc47zhUXIFy1Jmx7Sf//pw0/wq46VUAjDZ5B09EoCpzBNvOD7P+cF --FQQ7SId8h8OQ2uOWxT2baeJX0pVbVv+qwOOB1F0q3sjx0dZa/2rxOUZ3wnHG9j8j --LZSUkZxGpPQffCSpSPma5RhYff8/BncdA8soT0dyEfXIX5V91IXnrlI8XZrADvJM --zzJKdNg= -+MIIDjjCCAkagAwIBAgIEUdgu8DANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDEwJD -+QTAgFw0xMzA2MDYxMjUxMjlaGA85OTk5MTIzMTIzNTk1OVowFDESMBAGA1UEAxMJ -+bG9jYWxob3N0MIIBUjANBgkqhkiG9w0BAQEFAAOCAT8AMIIBOgKCATEApzor7D8U -+sCwZ9vFukB2/jqn26XCECYfzUPNfw5RQ+ixk1leAWOGW/O7QvQQVfl9/pTP4/LuR -+7zd5w1rb+BntA68i1uk3LOhTwreLKxHwpIeZeeC6zJlm4RYJFZTeX06qGNJZ3WCc -+dl/FlpXUY3i/vBO5xVHBUrVq4IvQM4DBa47C+Kapfe2AGUV3DKEF1Y20Zs1S2SFb -+pkMu3PrZexKs/Jcf8Uv+RcfbSEbp6jUuYxFLPDZ+ROhb62gHMvniNIF0xpO+fSjT -+2IrEqgLhQJprf1w0077zqOnaQLHl6rUdvy42SVjpV3Ymf8ox4OfkSkOXbd3ZOe5Q -+CFhEfXoCDqP/hgJMnpNGSeRllOlcU7BXCJeqMt0uxLQdDQiDO4b4ct9kKyeWVMjZ -+3E0n+qjFaHnYHQIDAQABo4GMMIGJMAwGA1UdEwEB/wQCMAAwFAYDVR0RBA0wC4IJ -+bG9jYWxob3N0MBMGA1UdJQQMMAoGCCsGAQUFBwMBMA4GA1UdDwEB/wQEAwIFoDAd -+BgNVHQ4EFgQUqCVH9o9E1jUb72ys0de5boT536MwHwYDVR0jBBgwFoAUSCM0UwqJ -+MThKWurKttKm3s4dKxgwDQYJKoZIhvcNAQELBQADggExAGQoUMiZVg6+Ibj8kyfq -+l/vfu4QxlUlqAbm/b9PVdOLrhz+T986HMFhL0b2HUGg5Mb0NZcgHjH4VLkei4AIb -+g/1nGdJ2I6EcLiQOvO4h2F3CoU6HkEGVEUXFaBd19tSDm7aM+2h7oPb3Vs3YT9QE -+x7ejmVeA+Qr9+H9xHyModpA1PkKRW31TOYtjUXHdHObT1uar++C1JLHn49ooKDZM -+5p9a4ExQVYd6WMRXKC83py1V4Ne5kBxC/l+3QkVZnMwByChySP7SEMa9yGv4KFM9 -+FT7XvxQsrkqPi5bCllUyGDrVeyTpyPDrb4BKgAu/Cy4tyDxLzBTZ5TXDH7E1IBps -+g1k5llFIyGdO5vQrX8vF61tqK5DBhgVvwu0k/m2lP9esLfaF7I5oGAbUKGhRr8mE -+xs8= - -----END CERTIFICATE----- - -----BEGIN CERTIFICATE----- 
--MIIDPzCCAfegAwIBAgIEUdguzDANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDEwJD --QTAiGA8yMDEzMDcwNjE0NTA1MloYDzIwMjMwNTE1MTQ1MDUyWjANMQswCQYDVQQD --EwJDQTCCAVIwDQYJKoZIhvcNAQEBBQADggE/ADCCAToCggExALRrJ5glr8H/Hsqw --fvTYvO1DhmdUXdq0HsKQX4M8AhH8E3KFsoikZUELdl8jvoqf/nlLczsux0s8vxbJ --l1U1F/OhckswwuAnlBLzVgDmzoJLEV2kHpv6+rkbKk0Ytbql5gzHqKihbaqIhNyW --DrJsHDWq58eUPfnVx8KiDUuzbnr3CF/FCc0Vkxr3mN8qTGaJJO0f0BZjgWWlWDuh --zSVim5mBVAgXGOx8LwiiOyhXMp0XRwqG+2KxQZnm+96o6iB+8xvuuuqaIWQpkvKt --c+UZBZ03U+IRnxhfIrriiw0AjJ4vp4c9QL5KoqWSCAwuYcBYfJqZ4dasgzklzz4b --7eujbZ3LxTjewcdumzQUvjA+gpAeuUqaduTvMwxGojFy9sNhC/iqZ4n0peV2N6Ep --n4B5qnUCAwEAAaNDMEEwDwYDVR0TAQH/BAUwAwEB/zAPBgNVHQ8BAf8EBQMDBwQA --MB0GA1UdDgQWBBRIIzRTCokxOEpa6sq20qbezh0rGDANBgkqhkiG9w0BAQsFAAOC --ATEAa1kdd8E1PkM06Isw0S/thEll0rAYsNHwSX17IDUWocTTQlmVXBXcvLqM04QT --z7WNG4eushLhRpSn8LJQkf4RgvAxOMIjHM9troDbPVoec6k8fZrJ8jfXurOgoOVP --g+hScT3VDvxgiOVwgXSe2XBryGDaviRuSOHlfy5GPVirLJLZwpcX6RpsHMX9rrZX --ghvf8dwm4To9H5wT0Le2FnZRoLOTMmpr49bfKJqy/U7AUHaf4saSdkdEIaGOxkPk --x+SFlr9TjavnJvL0TApkvfNZ1aOVHRHINgaFYHQJ4U0jQ/g7lPmD+UtZWnvSMNXH --yct5cKOyP4j7Kla1sKPs+oamOQ7pR1Z/GwBxe48FvO7VDi7EkugLwlzoXC2G+4Jg --fJbi9Ui2FmXEeKkX34f1ONNj9Q== -+MIIDPDCCAfSgAwIBAgIEUdguzDANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDEwJD -+QTAgFw0xMzAyMTMxNTMyMTJaGA85OTk5MTIzMTIzNTk1OVowDTELMAkGA1UEAxMC -+Q0EwggFSMA0GCSqGSIb3DQEBAQUAA4IBPwAwggE6AoIBMQC0ayeYJa/B/x7KsH70 -+2LztQ4ZnVF3atB7CkF+DPAIR/BNyhbKIpGVBC3ZfI76Kn/55S3M7LsdLPL8WyZdV -+NRfzoXJLMMLgJ5QS81YA5s6CSxFdpB6b+vq5GypNGLW6peYMx6iooW2qiITclg6y -+bBw1qufHlD351cfCog1Ls2569whfxQnNFZMa95jfKkxmiSTtH9AWY4FlpVg7oc0l -+YpuZgVQIFxjsfC8IojsoVzKdF0cKhvtisUGZ5vveqOogfvMb7rrqmiFkKZLyrXPl -+GQWdN1PiEZ8YXyK64osNAIyeL6eHPUC+SqKlkggMLmHAWHyameHWrIM5Jc8+G+3r -+o22dy8U43sHHbps0FL4wPoKQHrlKmnbk7zMMRqIxcvbDYQv4qmeJ9KXldjehKZ+A -+eap1AgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0G -+A1UdDgQWBBRIIzRTCokxOEpa6sq20qbezh0rGDANBgkqhkiG9w0BAQsFAAOCATEA -+foqPGdiyJYHih4J5YHwFPQxmkOzPHSa13K/q8sDvobE+HFTzrlTbAFC8bS38Bv2f 
-+9ZrPME4JvnsGdRGYwxS3LUmNdHHWR8LkvGXBE3u/TZsJfPtOR8JwdulQXpRw7hhL -+ew/mR5IEHZrUZgnnI4dg1kJhE1JPTvmtgqcE1CsikVQ14NvG/ehJbJyPgKTq/Zxm -+Ru4B5N+Jef/LaOqZvK4xK8x2ZaZ/L/ANou+7EY4DoWAkOEEoCU8DQHLAFgf6B7La -+oemLQGNHcBpba81jlS5EXXGJccOvfbw0MJTP3ZvyVIlEYu/X4roC7EJP/UkCZUJG -+f79Nc28q2/2D8tuFOqG7UbP7r2cWSa8OO3cI/V1W1k3iWZ63WltqDwFC0c8iqYFL -+9xKfQ96Q7wrYOCjmuaCLbw== - -----END CERTIFICATE----- -diff --git a/tests/certs/server-cert.pem b/tests/certs/server-cert.pem -index 4acde02..b304b47 100644 ---- a/tests/certs/server-cert.pem -+++ b/tests/certs/server-cert.pem -@@ -1,22 +1,22 @@ - -----BEGIN CERTIFICATE----- --MIIDkTCCAkmgAwIBAgIEUdgu8DANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDEwJD --QTAiGA8yMDEzMDcwNjE0NTEyOVoYDzIwMjMwNTE1MTQ1MTI5WjAUMRIwEAYDVQQD --Ewlsb2NhbGhvc3QwggFSMA0GCSqGSIb3DQEBAQUAA4IBPwAwggE6AoIBMQCnOivs --PxSwLBn28W6QHb+OqfbpcIQJh/NQ81/DlFD6LGTWV4BY4Zb87tC9BBV+X3+lM/j8 --u5HvN3nDWtv4Ge0DryLW6Tcs6FPCt4srEfCkh5l54LrMmWbhFgkVlN5fTqoY0lnd --YJx2X8WWldRjeL+8E7nFUcFStWrgi9AzgMFrjsL4pql97YAZRXcMoQXVjbRmzVLZ --IVumQy7c+tl7Eqz8lx/xS/5Fx9tIRunqNS5jEUs8Nn5E6FvraAcy+eI0gXTGk759 --KNPYisSqAuFAmmt/XDTTvvOo6dpAseXqtR2/LjZJWOlXdiZ/yjHg5+RKQ5dt3dk5 --7lAIWER9egIOo/+GAkyek0ZJ5GWU6VxTsFcIl6oy3S7EtB0NCIM7hvhy32QrJ5ZU --yNncTSf6qMVoedgdAgMBAAGjgY0wgYowDAYDVR0TAQH/BAIwADAUBgNVHREEDTAL --gglsb2NhbGhvc3QwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYDVR0PAQH/BAUDAweg --ADAdBgNVHQ4EFgQUqCVH9o9E1jUb72ys0de5boT536MwHwYDVR0jBBgwFoAUSCM0 --UwqJMThKWurKttKm3s4dKxgwDQYJKoZIhvcNAQELBQADggExAK7dBCSwM/OJw+6s --9MJAb7Ygi9xhHSq30Hg3M7DaPC7J9rZB6+IAVb3poOZAtDDtyTqvXH7qY5UMjJC9 --GsFmHPI/OSk2xuJJpG+ZJaP54b7kzTtUD6UCHETsgBk2aNuqNhjXR2fYnR9QME0C --zZWIDV+5DFEBI97ln30N6PcXvIxp7Rsac3qwzvwt3zL+23kTwgM+DoRPoPO0PHr/ --eQ9hvRU5wA2Vc47zhUXIFy1Jmx7Sf//pw0/wq46VUAjDZ5B09EoCpzBNvOD7P+cF --FQQ7SId8h8OQ2uOWxT2baeJX0pVbVv+qwOOB1F0q3sjx0dZa/2rxOUZ3wnHG9j8j --LZSUkZxGpPQffCSpSPma5RhYff8/BncdA8soT0dyEfXIX5V91IXnrlI8XZrADvJM --zzJKdNg= -+MIIDjjCCAkagAwIBAgIEUdgu8DANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDEwJD 
-+QTAgFw0xMzA2MDYxMjUxMjlaGA85OTk5MTIzMTIzNTk1OVowFDESMBAGA1UEAxMJ -+bG9jYWxob3N0MIIBUjANBgkqhkiG9w0BAQEFAAOCAT8AMIIBOgKCATEApzor7D8U -+sCwZ9vFukB2/jqn26XCECYfzUPNfw5RQ+ixk1leAWOGW/O7QvQQVfl9/pTP4/LuR -+7zd5w1rb+BntA68i1uk3LOhTwreLKxHwpIeZeeC6zJlm4RYJFZTeX06qGNJZ3WCc -+dl/FlpXUY3i/vBO5xVHBUrVq4IvQM4DBa47C+Kapfe2AGUV3DKEF1Y20Zs1S2SFb -+pkMu3PrZexKs/Jcf8Uv+RcfbSEbp6jUuYxFLPDZ+ROhb62gHMvniNIF0xpO+fSjT -+2IrEqgLhQJprf1w0077zqOnaQLHl6rUdvy42SVjpV3Ymf8ox4OfkSkOXbd3ZOe5Q -+CFhEfXoCDqP/hgJMnpNGSeRllOlcU7BXCJeqMt0uxLQdDQiDO4b4ct9kKyeWVMjZ -+3E0n+qjFaHnYHQIDAQABo4GMMIGJMAwGA1UdEwEB/wQCMAAwFAYDVR0RBA0wC4IJ -+bG9jYWxob3N0MBMGA1UdJQQMMAoGCCsGAQUFBwMBMA4GA1UdDwEB/wQEAwIFoDAd -+BgNVHQ4EFgQUqCVH9o9E1jUb72ys0de5boT536MwHwYDVR0jBBgwFoAUSCM0UwqJ -+MThKWurKttKm3s4dKxgwDQYJKoZIhvcNAQELBQADggExAGQoUMiZVg6+Ibj8kyfq -+l/vfu4QxlUlqAbm/b9PVdOLrhz+T986HMFhL0b2HUGg5Mb0NZcgHjH4VLkei4AIb -+g/1nGdJ2I6EcLiQOvO4h2F3CoU6HkEGVEUXFaBd19tSDm7aM+2h7oPb3Vs3YT9QE -+x7ejmVeA+Qr9+H9xHyModpA1PkKRW31TOYtjUXHdHObT1uar++C1JLHn49ooKDZM -+5p9a4ExQVYd6WMRXKC83py1V4Ne5kBxC/l+3QkVZnMwByChySP7SEMa9yGv4KFM9 -+FT7XvxQsrkqPi5bCllUyGDrVeyTpyPDrb4BKgAu/Cy4tyDxLzBTZ5TXDH7E1IBps -+g1k5llFIyGdO5vQrX8vF61tqK5DBhgVvwu0k/m2lP9esLfaF7I5oGAbUKGhRr8mE -+xs8= - -----END CERTIFICATE----- -diff --git a/tests/certs/server-cert.tmpl b/tests/certs/server-cert.tmpl -new file mode 100644 -index 0000000..82e34ca ---- /dev/null -+++ b/tests/certs/server-cert.tmpl -@@ -0,0 +1,8 @@ -+cn = localhost -+dns_name = localhost -+tls_www_server -+signing_key -+encryption_key -+expiration_days = -1 -+activation_date = "2013-06-06 14:51:29" -+serial = 0x51d82ef0 -diff --git a/tests/certs/user-cert-invalid.pem b/tests/certs/user-cert-invalid.pem -index 0175bdf..4f5dd96 100644 ---- a/tests/certs/user-cert-invalid.pem -+++ b/tests/certs/user-cert-invalid.pem -@@ -1,107 +1,23 @@ --X.509 Certificate Information: -- Version: 3 -- Serial Number (hex): 51d82f14 -- Issuer: CN=CA -- Validity: -- Not Before: Sat Jul 06 14:52:05 UTC 2013 -- Not After: Mon May 15 
14:52:05 UTC 2023 -- Subject: CN=A user,UID=test -- Subject Public Key Algorithm: RSA -- Algorithm Security Level: Medium (2432 bits) -- Modulus (bits 2432): -- 00:ab:54:98:fc:a9:c6:15:95:9d:a6:c1:94:84:94:91 -- 79:1e:78:db:2d:48:51:99:65:01:02:c0:40:52:49:5d -- eb:70:bc:26:ef:68:39:1e:04:91:e2:db:cb:6f:93:40 -- 45:1e:22:8e:71:5a:58:89:28:79:5e:1a:32:25:3e:8b -- 9d:3b:34:7f:19:f8:d0:2f:37:b7:62:32:b7:53:a5:43 -- 2c:c5:5d:ec:ac:f9:35:fa:14:2b:34:66:f1:d6:a7:a1 -- d0:83:9a:56:f4:19:83:bc:bf:11:74:30:2d:a8:28:5b -- a2:ab:7a:c6:cd:9c:5c:f8:51:e9:a9:0c:48:db:71:bb -- b1:34:77:f7:ee:de:5d:78:c0:48:0a:37:0d:65:1e:3b -- 2b:14:03:89:72:f2:52:ed:5f:00:c5:06:60:ea:80:20 -- d0:43:ec:66:bc:d2:26:db:f0:29:3e:6a:f9:62:20:be -- 58:26:44:ba:d7:8c:6f:76:a6:05:20:e4:98:b7:c4:72 -- 7a:5d:df:4f:0d:23:ec:2e:9c:71:ec:30:f9:14:5f:c8 -- 75:0b:ab:67:f6:7d:fb:4d:76:64:4a:a5:d5:fa:b4:08 -- 50:9d:13:c7:8f:c2:79:b0:b4:3e:2f:89:d3:33:27:4d -- 9f:8b:d3:60:24:07:ab:b2:72:3d:29:a5:c4:4a:ec:3c -- 04:d2:49:3e:26:1b:ec:7a:10:3d:ca:45:5a:80:8b:4d -- 2a:96:63:4f:2d:63:28:0f:3b:47:47:ca:7c:2c:15:41 -- 32:d5:e0:c9:be:a5:55:2c:b3:6b:46:2a:56:b1:1b:ed -- 29 -- Exponent (bits 24): -- 01:00:01 -- Extensions: -- Basic Constraints (critical): -- Certificate Authority (CA): FALSE -- Key Purpose (not critical): -- TLS WWW Client. -- Key Usage (critical): -- Digital signature. -- Key encipherment. 
-- Subject Key Identifier (not critical): -- 8b01094b3b91ece321b91dec8d6b4c5d9e40805e -- Authority Key Identifier (not critical): -- 482334530a8931384a5aeacab6d2a6dece1d2b18 -- Signature Algorithm: RSA-SHA256 -- Signature: -- 6b:bd:e2:90:d7:11:cf:6c:0d:e3:bd:f4:61:cd:57:83 -- 41:be:2a:92:46:dd:fa:44:6c:60:1c:ef:3e:1e:2f:e1 -- e2:5b:45:88:6a:1e:50:2d:8d:96:c4:c7:80:75:59:7b -- 54:6b:fb:86:b0:f1:6d:45:09:db:48:de:20:0a:87:60 -- 30:5e:35:f0:52:c4:55:44:c1:ff:e1:7c:3d:d6:6d:58 -- ca:1c:fd:bf:04:9a:9b:10:35:05:fc:d1:01:3c:af:bb -- 64:31:5e:59:8f:ef:6f:0d:35:e5:c0:07:77:0e:31:20 -- 8e:e3:2e:f1:a6:4d:f1:be:85:5b:df:04:48:9d:8c:c9 -- c9:c1:b8:e3:e2:d2:4b:55:83:e9:d8:7b:71:2f:8e:89 -- fc:4d:a7:f1:b0:bf:47:9b:97:c4:85:dd:c3:3d:38:15 -- 36:08:73:10:87:08:f6:e6:1c:4e:29:a8:a5:f5:24:b8 -- 0d:e9:d9:b8:19:27:1d:73:35:fe:7b:81:1f:4a:81:6a -- 93:cd:a2:71:d7:60:0e:08:ee:ea:c8:2b:44:1b:e4:45 -- 6c:fe:44:68:d6:86:ad:89:4f:7e:9f:f9:1a:2a:97:0f -- 6b:eb:5d:6e:38:b3:5b:13:b9:e3:4a:10:32:5b:dc:a9 -- b4:a1:4e:b3:f9:4f:91:de:bc:cc:36:91:44:ba:e0:34 -- 74:f7:68:b4:7b:0e:db:4e:ec:28:03:01:cf:0a:63:c4 -- 23:75:0b:4b:41:9d:e0:68:b3:cb:bf:b5:5c:3d:52:93 -- 20:ba:ea:b8:f0:8c:f7:a6:ec:cd:a3:aa:4f:2a:ff:20 --Other Information: -- SHA1 fingerprint: -- 5509a76b8738216938cdb3ec25048812737170de -- SHA256 fingerprint: -- c93e38ef35f1a9c485a27b161e708f2d45bf8768eb53a23fec841a8f35d6e478 -- Public Key ID: -- 8b01094b3b91ece321b91dec8d6b4c5d9e40805e -- Public key's random art: -- +--[ RSA 2432]----+ -- | o=o | -- |..oE.. | -- |.+=.o | -- |o.*.... | -- | * B +..S | -- |. * o oo . | -- | o . . . | -- | + | -- | . 
| -- +-----------------+ -- - -----BEGIN CERTIFICATE----- --MIIDjDCCAkSgAwIBAgIEUdgvFDANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDEwJD --QTAiGA8yMDEzMDcwNjE0NTIwNVoYDzIwMjMwNTE1MTQ1MjA1WjAnMQ8wDQYDVQQD --EwZBIHVzZXIxFDASBgoJkiaJk/IsZAEBEwR0ZXN0MIIBUjANBgkqhkiG9w0BAQEF --AAOCAT8AMIIBOgKCATEAq1SY/KnGFZWdpsGUhJSReR542y1IUZllAQLAQFJJXetw --vCbvaDkeBJHi28tvk0BFHiKOcVpYiSh5XhoyJT6LnTs0fxn40C83t2Iyt1OlQyzF --Xeys+TX6FCs0ZvHWp6HQg5pW9BmDvL8RdDAtqChboqt6xs2cXPhR6akMSNtxu7E0 --d/fu3l14wEgKNw1lHjsrFAOJcvJS7V8AxQZg6oAg0EPsZrzSJtvwKT5q+WIgvlgm --RLrXjG92pgUg5Ji3xHJ6Xd9PDSPsLpxx7DD5FF/IdQurZ/Z9+012ZEql1fq0CFCd --E8ePwnmwtD4vidMzJ02fi9NgJAersnI9KaXESuw8BNJJPiYb7HoQPcpFWoCLTSqW --Y08tYygPO0dHynwsFUEy1eDJvqVVLLNrRipWsRvtKQIDAQABo3YwdDAMBgNVHRMB --Af8EAjAAMBMGA1UdJQQMMAoGCCsGAQUFBwMCMA8GA1UdDwEB/wQFAwMHoAAwHQYD --VR0OBBYEFIsBCUs7kezjIbkd7I1rTF2eQIBeMB8GA1UdIwQYMBaAFEgjNFMKiTE4 --SlrqyrbSpt7OHSsYMA0GCSqGSIb3DQEBCwUAA4IBMQBrveKQ1xHPbA3jvfRhzVeD --Qb4qkkbd+kRsYBzvPh4v4eJbRYhqHlAtjZbEx4B1WXtUa/uGsPFtRQnbSN4gCodg --MF418FLEVUTB/+F8PdZtWMoc/b8EmpsQNQX80QE8r7tkMV5Zj+9vDTXlwAd3DjEg --juMu8aZN8b6FW98ESJ2MycnBuOPi0ktVg+nYe3Evjon8TafxsL9Hm5fEhd3DPTgV --NghzEIcI9uYcTimopfUkuA3p2bgZJx1zNf57gR9KgWqTzaJx12AOCO7qyCtEG+RF --bP5EaNaGrYlPfp/5GiqXD2vrXW44s1sTueNKEDJb3Km0oU6z+U+R3rzMNpFEuuA0 --dPdotHsO207sKAMBzwpjxCN1C0tBneBos8u/tVw9UpMguuq48Iz3puzNo6pPKv8g -+MIID2TCCAkGgAwIBAgIEUdgvFDANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDEwJD -+QTAgFw0xMzA2MDYxMjUxMjlaGA85OTk5MTIzMTIzNTk1OVowJzEPMA0GA1UEAxMG -+QSB1c2VyMRQwEgYKCZImiZPyLGQBARMEdGVzdDCCAVIwDQYJKoZIhvcNAQEBBQAD -+ggE/ADCCAToCggExAKtUmPypxhWVnabBlISUkXkeeNstSFGZZQECwEBSSV3rcLwm -+72g5HgSR4tvLb5NARR4ijnFaWIkoeV4aMiU+i507NH8Z+NAvN7diMrdTpUMsxV3s -+rPk1+hQrNGbx1qeh0IOaVvQZg7y/EXQwLagoW6KresbNnFz4UempDEjbcbuxNHf3 -+7t5deMBICjcNZR47KxQDiXLyUu1fAMUGYOqAINBD7Ga80ibb8Ck+avliIL5YJkS6 -+14xvdqYFIOSYt8Ryel3fTw0j7C6cceww+RRfyHULq2f2fftNdmRKpdX6tAhQnRPH -+j8J5sLQ+L4nTMydNn4vTYCQHq7JyPSmlxErsPATSST4mG+x6ED3KRVqAi00qlmNP 
-+LWMoDztHR8p8LBVBMtXgyb6lVSyza0YqVrEb7SkCAwEAAaN1MHMwDAYDVR0TAQH/ -+BAIwADATBgNVHSUEDDAKBggrBgEFBQcDAjAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0O -+BBYEFIsBCUs7kezjIbkd7I1rTF2eQIBeMB8GA1UdIwQYMBaAFAV+KcZC+G2nf/6V -+sElx119oZKWUMA0GCSqGSIb3DQEBCwUAA4IBgQCTOjwtK5sDPFdbWWlScDX9xfNf -+tnqRL22Id6VIRcAiuu6KVAYRNs3Pdv65H9orSaohrBRfWKEqAi51bhvDQvzhbw7u -+881txF+6s0fauArxAUai3e11eCil3gt0JOQVephmPKw6pVq9mMieho5I2SQ8CXoQ -+pSrselGaOTp8CK1r90pn8RGiJrZ3xJu5Yezb3AWCs3IOHhRT1Rc5mFnvs9VVR64h -+Pvlr9yBOf/pBEuylQr00plhsZdLra/nIspsGnOIiuM4eIliP6bQwE06u1LxlCbgB -+CAGTQ86vbO2xT1i8dZeq8TJ72OatmRboUBncaZNIT3rUTZxZYkYhkNtVTKnv/8qq -+LZI23qtcWLEAsc1O0Xva22wjkg5QE06AiWdcwK3f/Qpvj5yO9+PL7X4lP47n5D6m -+t1S6xisKgjo/IP9Wk3mPNaNDN3hZCaFRYEHn4CYrlXHqjg1w7quCKApYzrh5/L1Y -+b9U/qzwF7SatFovndYtf02bjcrHC/TA53IdiQPA= - -----END CERTIFICATE----- -diff --git a/tests/certs/user-cert.pem b/tests/certs/user-cert.pem -index ef5114c..32ab235 100644 ---- a/tests/certs/user-cert.pem -+++ b/tests/certs/user-cert.pem -@@ -1,21 +1,21 @@ - -----BEGIN CERTIFICATE----- --MIIDjDCCAkSgAwIBAgIEUdgvFDANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDEwJD --QTAiGA8yMDEzMDcwNjE0NTIwNVoYDzIwMjMwNTE1MTQ1MjA1WjAnMQ8wDQYDVQQD --EwZBIHVzZXIxFDASBgoJkiaJk/IsZAEBEwR0ZXN0MIIBUjANBgkqhkiG9w0BAQEF --AAOCAT8AMIIBOgKCATEAq1SY/KnGFZWdpsGUhJSReR542y1IUZllAQLAQFJJXetw --vCbvaDkeBJHi28tvk0BFHiKOcVpYiSh5XhoyJT6LnTs0fxn40C83t2Iyt1OlQyzF --Xeys+TX6FCs0ZvHWp6HQg5pW9BmDvL8RdDAtqChboqt6xs2cXPhR6akMSNtxu7E0 --d/fu3l14wEgKNw1lHjsrFAOJcvJS7V8AxQZg6oAg0EPsZrzSJtvwKT5q+WIgvlgm --RLrXjG92pgUg5Ji3xHJ6Xd9PDSPsLpxx7DD5FF/IdQurZ/Z9+012ZEql1fq0CFCd --E8ePwnmwtD4vidMzJ02fi9NgJAersnI9KaXESuw8BNJJPiYb7HoQPcpFWoCLTSqW --Y08tYygPO0dHynwsFUEy1eDJvqVVLLNrRipWsRvtKQIDAQABo3YwdDAMBgNVHRMB --Af8EAjAAMBMGA1UdJQQMMAoGCCsGAQUFBwMCMA8GA1UdDwEB/wQFAwMHoAAwHQYD --VR0OBBYEFIsBCUs7kezjIbkd7I1rTF2eQIBeMB8GA1UdIwQYMBaAFEgjNFMKiTE4 --SlrqyrbSpt7OHSsYMA0GCSqGSIb3DQEBCwUAA4IBMQBrveOQ1xHPbA3jvfRhzVeD --Qb4qkkbd+kRsYBzvPh4v4eJbRYhqHlAtjZbEx4B1WXtUa/uGsPFtRQnbSN4gCodg 
--MF418FLEVUTB/+F8PdZtWMoc/b8EmpsQNQX80QE8r7tkMV5Zj+9vDTXlwAd3DjEg --juMu8aZN8b6FW98ESJ2MycnBuOPi0ktVg+nYe3Evjon8TafxsL9Hm5fEhd3DPTgV --NghzEIcI9uYcTimopfUkuA3p2bgZJx1zNf57gR9KgWqTzaJx12AOCO7qyCtEG+RF --bP5EaNaGrYlPfp/5GiqXD2vrXW44s1sTueNKEDJb3Km0oU6z+U+R3rzMNpFEuuA0 --dPdotHsO207sKAMBzwpjxCN1C0tBneBos8u/tVw9UpMguuq48Iz3puzNo6pPKv8g -+MIIDiTCCAkGgAwIBAgIEUdgvFDANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDEwJD -+QTAgFw0xMzA2MDYxMjUxMjlaGA85OTk5MTIzMTIzNTk1OVowJzEPMA0GA1UEAxMG -+QSB1c2VyMRQwEgYKCZImiZPyLGQBARMEdGVzdDCCAVIwDQYJKoZIhvcNAQEBBQAD -+ggE/ADCCAToCggExAKtUmPypxhWVnabBlISUkXkeeNstSFGZZQECwEBSSV3rcLwm -+72g5HgSR4tvLb5NARR4ijnFaWIkoeV4aMiU+i507NH8Z+NAvN7diMrdTpUMsxV3s -+rPk1+hQrNGbx1qeh0IOaVvQZg7y/EXQwLagoW6KresbNnFz4UempDEjbcbuxNHf3 -+7t5deMBICjcNZR47KxQDiXLyUu1fAMUGYOqAINBD7Ga80ibb8Ck+avliIL5YJkS6 -+14xvdqYFIOSYt8Ryel3fTw0j7C6cceww+RRfyHULq2f2fftNdmRKpdX6tAhQnRPH -+j8J5sLQ+L4nTMydNn4vTYCQHq7JyPSmlxErsPATSST4mG+x6ED3KRVqAi00qlmNP -+LWMoDztHR8p8LBVBMtXgyb6lVSyza0YqVrEb7SkCAwEAAaN1MHMwDAYDVR0TAQH/ -+BAIwADATBgNVHSUEDDAKBggrBgEFBQcDAjAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0O -+BBYEFIsBCUs7kezjIbkd7I1rTF2eQIBeMB8GA1UdIwQYMBaAFEgjNFMKiTE4Slrq -+yrbSpt7OHSsYMA0GCSqGSIb3DQEBCwUAA4IBMQAp51Ks5DDWVlLB6fMM2NJV80sX -+Rx6U1g6ovA7N5BDQiF6FYzVZECMH3d9nyZssHbkzb6qyO1m58P0cNkVurEH27+Z2 -+xdkNw5bbcvNDVhfVSjwa6nyTLfhf7vOTWaIxGGmffP72PIe87N6QmyCCGG0IXIkO -+kcTAE8IgX6k1mEr1Xy2ZtFVgKjPPLxsixIJ7TEktvJR1RqWQfbsOS8f13lvS1Vhh -+vc+UMbIQnz+jl4qNV/AX7GfpEYiBkbrgcjsggl/KMuwcauhEDdvfIQjcyRbQN36p -+KcVEXDpnG54sAfXAs9Z+adbvmu0ONAMCDuxKCT2eG1SGVrtiT5+7kCMso1eKz/5A -+r1XP0RgCKFExIRYb1elFpLc8wmJbN4qof2zisKG8UajFIHzIGateiu53enNn - -----END CERTIFICATE----- -diff --git a/tests/certs/user-cert.tmpl b/tests/certs/user-cert.tmpl -new file mode 100644 -index 0000000..6a60496 ---- /dev/null -+++ b/tests/certs/user-cert.tmpl -@@ -0,0 +1,7 @@ -+dn = "uid=test,cn=A user" -+tls_www_client -+signing_key -+encryption_key -+expiration_days = -1 -+activation_date = "2013-06-06 14:51:29" -+serial = 0x51d82f14 -diff --git 
a/tests/cipher-common.sh b/tests/cipher-common.sh -index fb9e2ac..07443a0 100755 ---- a/tests/cipher-common.sh -+++ b/tests/cipher-common.sh -@@ -91,14 +91,14 @@ fi - - # Run clients - echo " * Getting cookie from ${ADDRESS}:${PORT}..." --( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 ${CSTR} --cookieonly ) -+( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= ${CSTR} --cookieonly ) - if test $? != 0;then - echo "Could not get cookie from server" - exit 1 - fi - - echo " * Connecting to ${ADDRESS}:${PORT}..." --( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 ${CSTR} -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b ) -+( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= ${CSTR} -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b ) - if test $? != 0;then - echo "Could not connect to server" - exit 1 -diff --git a/tests/disconnect-user b/tests/disconnect-user -index 67a016e..bf4c7ab 100755 ---- a/tests/disconnect-user -+++ b/tests/disconnect-user -@@ -77,7 +77,7 @@ sleep 3 - - # Run clients - echo " * Getting cookie from ${ADDRESS}:${PORT}..." --( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --authenticate >${TMPFILE} ) -+( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --authenticate >${TMPFILE} ) - if test $? != 0;then - echo "Could not get cookie from server" - exit 1 -@@ -85,7 +85,7 @@ fi - - eval $(cat ${TMPFILE}) - echo " * Connecting to ${ADDRESS}:${PORT}..." 
--( ${CMDNS1} ${OPENCONNECT} -q ${ADDRESS}:${PORT} -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script -C "${COOKIE}" --pid-file=${CLIPID} -b ) -+( ${CMDNS1} ${OPENCONNECT} -q ${ADDRESS}:${PORT} -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script -C "${COOKIE}" --pid-file=${CLIPID} -b ) - if test $? != 0;then - echo "Could not connect to server" - exit 1 -@@ -105,7 +105,7 @@ if test $? != 0;then - fi - - echo " * Re-connecting to obtain cookie after disconnect... " --( ${CMDNS1} ${OPENCONNECT} -q ${ADDRESS}:${PORT} -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script -C "${COOKIE}" --pid-file=${CLIPID} -b ) -+( ${CMDNS1} ${OPENCONNECT} -q ${ADDRESS}:${PORT} -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script -C "${COOKIE}" --pid-file=${CLIPID} -b ) - if test $? = 0;then - echo "Succeeded using the cookie to connect" - exit 1 -diff --git a/tests/disconnect-user2 b/tests/disconnect-user2 -index ef8c3c1..e00cc67 100755 ---- a/tests/disconnect-user2 -+++ b/tests/disconnect-user2 -@@ -75,7 +75,7 @@ sleep 3 - - # Run clients - echo " * Getting cookie from ${ADDRESS}:${PORT}..." --( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --authenticate >${TMPFILE} ) -+( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --authenticate >${TMPFILE} ) - if test $? != 0;then - echo "Could not get cookie from server" - exit 1 -@@ -83,7 +83,7 @@ fi - - eval $(cat ${TMPFILE}) - echo " * Connecting to ${ADDRESS}:${PORT}..." 
--( ${CMDNS1} ${OPENCONNECT} -q ${ADDRESS}:${PORT} -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script -C "${COOKIE}" --pid-file=${CLIPID} -b ) -+( ${CMDNS1} ${OPENCONNECT} -q ${ADDRESS}:${PORT} -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script -C "${COOKIE}" --pid-file=${CLIPID} -b ) - if test $? != 0;then - echo "Could not connect to server" - exit 1 -@@ -103,7 +103,7 @@ if test $? != 0;then - fi - - echo " * Re-connecting to obtain cookie after disconnect... " --( ${CMDNS1} ${OPENCONNECT} -q ${ADDRESS}:${PORT} -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script -C "${COOKIE}" --pid-file=${CLIPID} -b ) -+( ${CMDNS1} ${OPENCONNECT} -q ${ADDRESS}:${PORT} -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script -C "${COOKIE}" --pid-file=${CLIPID} -b ) - if test $? = 0;then - echo "Succeeded using the cookie to connect" - exit 1 -diff --git a/tests/drain-server b/tests/drain-server -index be51cd4..808067f 100755 ---- a/tests/drain-server -+++ b/tests/drain-server -@@ -35,7 +35,7 @@ launch_sr_server -d 1 -p ${PIDFILE} -f -c ${CONFIG} & PID=$! - wait_server $PID - - echo "Connecting to obtain cookie... " --( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly ) || -+( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly ) || - fail $PID "Could not receive cookie from server" - - if ! test -f ${PIDFILE};then -@@ -48,7 +48,7 @@ kill -15 $(cat $PIDFILE) - sleep 1 - - echo "Connecting to obtain cookie... 
" --( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly ) && -+( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly ) && - fail $PID "Server is still listening" - - wait -diff --git a/tests/drain-server-fail b/tests/drain-server-fail -index d61106e..a2c495d 100755 ---- a/tests/drain-server-fail -+++ b/tests/drain-server-fail -@@ -48,7 +48,7 @@ launch_simple_sr_server -d 3 -p ${PIDFILE} -f -c ${CONFIG} & PID=$! - wait_server $PID - - echo "Connecting to obtain cookie... " --( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly ) || -+( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly ) || - fail $PID "Could not receive cookie from server" - - if ! test -f ${PIDFILE};then -diff --git a/tests/flowcontrol b/tests/flowcontrol -index fb60f67..7ef6b70 100755 ---- a/tests/flowcontrol -+++ b/tests/flowcontrol -@@ -37,39 +37,39 @@ launch_sr_server -d 1 -p ${PIDFILE} -f -c ${CONFIG} & PID=$! - wait_server $PID - - echo "Connecting to obtain cookie... " --( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly ) || -+( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly ) || - fail $PID "Could not receive cookie from server" - - echo "Connecting to obtain cookie with wrong password... 
" --( echo "tost" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) && -+( echo "tost" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) && - fail $PID "Received cookie when we shouldn't" - - echo "Connecting to obtain cookie with empty password... " --( echo -e "\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) && -+( echo -e "\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) && - fail $PID "Received cookie when we shouldn't" - - echo "Connecting to obtain cookie with wrong username... " --( echo "tost" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u tost --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) && -+( echo "tost" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u tost --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) && - fail $PID "Received cookie when we shouldn't" - - # test locked account - - echo "Connecting to obtain cookie with locked account... " --( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u locked --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) && -+( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u locked --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) && - fail $PID "Received cookie when we shouldn't" - - #test special characters - - echo "Connecting to obtain cookie with special password... 
" --( echo "!@#$%^&*()<>" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u "sp@c/al" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) || -+( echo "!@#$%^&*()<>" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u "sp@c/al" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) || - fail $PID "Could not receive cookie from server" - - echo "Connecting to obtain cookie with empty password... " --( echo "" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u "empty" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) || -+( echo "" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u "empty" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) || - fail $PID "Could not receive cookie from server" - - #echo "Normal connection... " --#( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --script=/bin/true ) || -+#( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --script=/bin/true ) || - # fail $PID "Could not connect to server" - - if ! test -f ${PIDFILE};then -diff --git a/tests/haproxy-auth b/tests/haproxy-auth -index b653714..5261860 100755 ---- a/tests/haproxy-auth -+++ b/tests/haproxy-auth -@@ -51,7 +51,7 @@ LD_PRELOAD=libsocket_wrapper.so:libuid_wrapper.so UID_WRAPPER=1 UID_WRAPPER_ROOT - wait_server ${HAPID} - - echo "Connecting to obtain cookie... 
" --( echo "test" | LD_PRELOAD=libsocket_wrapper.so ${OPENCONNECT} -q ${ADDRESS}:${HAPORT} -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly ) -+( echo "test" | LD_PRELOAD=libsocket_wrapper.so ${OPENCONNECT} -q ${ADDRESS}:${HAPORT} -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly ) - if test $? != 0;then - kill ${HAPID} - fail ${PID} "Could not receive cookie from server" -@@ -66,7 +66,7 @@ LD_PRELOAD=libsocket_wrapper.so:libuid_wrapper.so UID_WRAPPER=1 UID_WRAPPER_ROOT - wait_server ${HAPID} - - echo "Re-connecting to obtain cookie after haproxy restart... " --( echo "test" | LD_PRELOAD=libsocket_wrapper.so ${OPENCONNECT} -q ${ADDRESS}:${HAPORT} -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly ) -+( echo "test" | LD_PRELOAD=libsocket_wrapper.so ${OPENCONNECT} -q ${ADDRESS}:${HAPORT} -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly ) - if test $? != 0;then - kill ${HAPID} - fail ${PID} "Could not receive cookie from server" -diff --git a/tests/haproxy-connect b/tests/haproxy-connect -index c42b76c..662c08f 100755 ---- a/tests/haproxy-connect -+++ b/tests/haproxy-connect -@@ -91,14 +91,14 @@ sleep 3 - - # Run clients - echo " * Getting cookie from ${ADDRESS}:${HAPORT}..." --( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${HAPORT} -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly ) -+( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${HAPORT} -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly ) - if test $? != 0;then - echo "Could not get cookie from server" - exit 1 - fi - - echo " * Connecting to ${ADDRESS}:${HAPORT}..." 
--( echo "test" | ${CMDNS1} ${OPENCONNECT} -q ${ADDRESS}:${HAPORT} -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b ) -+( echo "test" | ${CMDNS1} ${OPENCONNECT} -q ${ADDRESS}:${HAPORT} -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b ) - if test $? != 0;then - echo "Could not connect to server" - exit 1 -@@ -135,7 +135,7 @@ set +e - sleep 3 - - echo " * Re-connecting to obtain cookie after haproxy restart... " --( echo "test" | ${CMDNS1} ${OPENCONNECT} -q ${ADDRESS}:${HAPORT} -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly ) -+( echo "test" | ${CMDNS1} ${OPENCONNECT} -q ${ADDRESS}:${HAPORT} -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly ) - if test $? != 0;then - echo "Could not receive cookie from server on reconnection" - exit 1 -diff --git a/tests/haproxy-proxyproto b/tests/haproxy-proxyproto -index 70c1390..54e413c 100755 ---- a/tests/haproxy-proxyproto -+++ b/tests/haproxy-proxyproto -@@ -94,14 +94,14 @@ sleep 3 - - # Run clients - echo " * Getting cookie from ${ADDRESS}:${HAPORT}..." --( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${HAPORT} -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly ) -+( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${HAPORT} -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly ) - if test $? != 0;then - echo "Could not get cookie from server" - exit 1 - fi - - echo " * Connecting to ${ADDRESS}:${HAPORT}..." 
--( echo "test" | ${CMDNS1} ${OPENCONNECT} -q ${ADDRESS}:${HAPORT} -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b ) -+( echo "test" | ${CMDNS1} ${OPENCONNECT} -q ${ADDRESS}:${HAPORT} -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b ) - if test $? != 0;then - echo "Could not connect to server" - exit 1 -diff --git a/tests/haproxy-proxyproto-v1 b/tests/haproxy-proxyproto-v1 -index d274575..f767581 100755 ---- a/tests/haproxy-proxyproto-v1 -+++ b/tests/haproxy-proxyproto-v1 -@@ -94,14 +94,14 @@ sleep 3 - - # Run clients - echo " * Getting cookie from ${ADDRESS}:${HAPORT}..." --( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${HAPORT} -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly ) -+( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${HAPORT} -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly ) - if test $? != 0;then - echo "Could not get cookie from server" - exit 1 - fi - - echo " * Connecting to ${ADDRESS}:${HAPORT}..." --( echo "test" | ${CMDNS1} ${OPENCONNECT} -q ${ADDRESS}:${HAPORT} -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b ) -+( echo "test" | ${CMDNS1} ${OPENCONNECT} -q ${ADDRESS}:${HAPORT} -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b ) - if test $? != 0;then - echo "Could not connect to server" - exit 1 -diff --git a/tests/ipv6-iface b/tests/ipv6-iface -index d5262e5..9b78d5e 100755 ---- a/tests/ipv6-iface -+++ b/tests/ipv6-iface -@@ -70,7 +70,7 @@ ${CMDNS2} ${SERV} -p ${PIDFILE} -f -c ${CONFIG} ${DEBUG} & PID=$! - wait_server $PID - - echo -n "Connecting to setup interface... 
" --echo "test" | ${CMDNS1} $OPENCONNECT -q $ADDRESS:$PORT -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b -+echo "test" | ${CMDNS1} $OPENCONNECT -q $ADDRESS:$PORT -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b - if test $? != 0;then - echo "Could not connect to server" - exit 1 -diff --git a/tests/ipv6-small-net b/tests/ipv6-small-net -index 4fc7260..c87b429 100755 ---- a/tests/ipv6-small-net -+++ b/tests/ipv6-small-net -@@ -70,7 +70,7 @@ ${CMDNS2} ${SERV} -p ${PIDFILE} -f -c ${CONFIG} ${DEBUG} & PID=$! - wait_server $PID - - echo -n "Connecting to setup interface... " --echo "test" | ${CMDNS1} $OPENCONNECT -q $ADDRESS:$PORT -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b -+echo "test" | ${CMDNS1} $OPENCONNECT -q $ADDRESS:$PORT -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b - if test $? != 0;then - echo "Could not connect to server" - exit 1 -diff --git a/tests/json b/tests/json -index 72dd4bf..24c66d8 100755 ---- a/tests/json -+++ b/tests/json -@@ -78,7 +78,7 @@ ${CMDNS2} ${SERV} -p ${PIDFILE} -f -c ${CONFIG} ${DEBUG} & PID=$! - sleep 4 - - echo " * Connecting to ${ADDRESS}:${PORT}..." --( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b ) -+( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b ) - if test $? 
!= 0;then - echo "Could not connect to server" - exit 1 -diff --git a/tests/lz4-compression b/tests/lz4-compression -index 76478cf..405b2a2 100755 ---- a/tests/lz4-compression -+++ b/tests/lz4-compression -@@ -81,14 +81,14 @@ sleep 4 - - # Run clients - echo " * Getting cookie from ${ADDRESS}:${PORT}..." --( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly ) -+( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly ) - if test $? != 0;then - echo "Could not get cookie from server" - exit 1 - fi - - echo " * Connecting to ${ADDRESS}:${PORT}..." --( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b ) -+( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b ) - if test $? != 0;then - echo "Could not connect to server" - exit 1 -diff --git a/tests/lzs-compression b/tests/lzs-compression -index c485df2..eef55f0 100755 ---- a/tests/lzs-compression -+++ b/tests/lzs-compression -@@ -81,14 +81,14 @@ sleep 4 - - # Run clients - echo " * Getting cookie from ${ADDRESS}:${PORT}..." --( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly ) -+( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly ) - if test $? != 0;then - echo "Could not get cookie from server" - exit 1 - fi - - echo " * Connecting to ${ADDRESS}:${PORT}..." 
--( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b ) -+( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b ) - if test $? != 0;then - echo "Could not connect to server" - exit 1 -diff --git a/tests/multiple-routes b/tests/multiple-routes -index b6cc0c5..63c7614 100755 ---- a/tests/multiple-routes -+++ b/tests/multiple-routes -@@ -39,13 +39,13 @@ PID=$! - wait_server $PID - - echo -n "Connecting to obtain cookie (with certificate)... " --( $OPENCONNECT -q localhost:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert.pem --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly /dev/null ) || -+( $OPENCONNECT -q localhost:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert.pem --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly /dev/null ) || - fail $PID "Could not connect with certificate!" - - echo ok - - echo -n "Re-connecting to get routes... " --timeout 15s $OPENCONNECT -v localhost:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert-testuser.pem --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s /bin/true ${TMPFILE1} 2>&1 -+timeout 15s $OPENCONNECT -v localhost:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert-testuser.pem --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s /bin/true ${TMPFILE1} 2>&1 - - echo ok - -diff --git a/tests/no-route-default b/tests/no-route-default -index 0c6f4f2..6cc68f0 100755 ---- a/tests/no-route-default -+++ b/tests/no-route-default -@@ -43,7 +43,7 @@ PID=$! - wait_server $PID - - echo -n "Connecting to get routes... 
" --timeout 15s $OPENCONNECT -v localhost:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert-testuser.pem --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s /bin/true ${TMPFILE} 2>&1 -+timeout 15s $OPENCONNECT -v localhost:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert-testuser.pem --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s /bin/true ${TMPFILE} 2>&1 - - echo ok - -@@ -68,7 +68,7 @@ PID=$! - wait_server $PID - - echo -n "Connecting to get routes... " --timeout 15s $OPENCONNECT -v localhost:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert-testuser.pem --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s /bin/true ${TMPFILE} 2>&1 -+timeout 15s $OPENCONNECT -v localhost:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert-testuser.pem --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s /bin/true ${TMPFILE} 2>&1 - - echo ok - -diff --git a/tests/no-route-group b/tests/no-route-group -index 59ec2f0..25cfaa6 100755 ---- a/tests/no-route-group -+++ b/tests/no-route-group -@@ -43,7 +43,7 @@ PID=$! - wait_server $PID - - echo -n "Connecting to get routes... " --echo "test" | timeout 15s $OPENCONNECT -v localhost:$PORT --authgroup group1 -u test --passwd-on-stdin --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s /bin/true >${TMPFILE} 2>&1 -+echo "test" | timeout 15s $OPENCONNECT -v localhost:$PORT --authgroup group1 -u test --passwd-on-stdin --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s /bin/true >${TMPFILE} 2>&1 - - echo ok - -@@ -68,7 +68,7 @@ PID=$! - wait_server $PID - - echo -n "Connecting to get routes... 
" --echo test | timeout 15s $OPENCONNECT -v localhost:$PORT --authgroup group1 --passwd-on-stdin -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s /bin/true >${TMPFILE} 2>&1 -+echo test | timeout 15s $OPENCONNECT -v localhost:$PORT --authgroup group1 --passwd-on-stdin -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s /bin/true >${TMPFILE} 2>&1 - - echo ok - -diff --git a/tests/ping-leases b/tests/ping-leases -index d97012e..3a43ac5 100755 ---- a/tests/ping-leases -+++ b/tests/ping-leases -@@ -52,12 +52,12 @@ fi - echo "Server started with PID $PID..." - - echo "Connecting to obtain cookie..." --( echo "test" | $OPENCONNECT -q localhost:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly ) || -+( echo "test" | $OPENCONNECT -q localhost:$PORT -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly ) || - fail $PID "Could not receive cookie from server" - - - echo "Connecting to ping lease..." --echo "test" | timeout 10 $OPENCONNECT localhost:$PORT -u "test" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s /bin/true -+echo "test" | timeout 10 $OPENCONNECT localhost:$PORT -u "test" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s /bin/true - - if test $? != 124;then - fail $PID "Could not connect to server" -diff --git a/tests/radius b/tests/radius -index 859671d..7bc705a 100755 ---- a/tests/radius -+++ b/tests/radius -@@ -98,21 +98,21 @@ sleep 4 - - # Run clients - echo " * Testing wrong username at ${ADDRESS}:${PORT}..." --( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u xxx --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly ) -+( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u xxx --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly ) - if test $? 
= 0;then - echo "Connected with incorrect username" - exit 1 - fi - - echo " * Testing wrong password at ${ADDRESS}:${PORT}..." --( echo "xxx" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly ) -+( echo "xxx" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly ) - if test $? = 0;then - echo "Connected with incorrect password" - exit 1 - fi - - echo " * Getting cookie from ${ADDRESS}:${PORT}..." --( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly ) -+( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly ) - if test $? != 0;then - echo "Could not get cookie from server" - exit 1 -@@ -120,7 +120,7 @@ fi - - echo " * Connecting to ${ADDRESS}:${PORT} with special IP..." - USERNAME=test-arb --( echo "${USERNAME}" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b ) -+( echo "${USERNAME}" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b ) - if test $? != 0;then - echo "Could not connect to server" - exit 1 -@@ -148,7 +148,7 @@ sleep 3 - - echo " * Connecting to ${ADDRESS}:${PORT}..." 
- USERNAME=test --( echo "${USERNAME}" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b ) -+( echo "${USERNAME}" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b ) - if test $? != 0;then - echo "Could not connect to server" - exit 1 -diff --git a/tests/radius-config b/tests/radius-config -index 7285091..af9d3f7 100755 ---- a/tests/radius-config -+++ b/tests/radius-config -@@ -123,7 +123,7 @@ sleep 4 - - echo " * Connecting to ${ADDRESS}:${PORT}..." - USERNAME=testtime --( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b ) -+( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b ) - if test $? 
!= 0;then - echo "Could not connect to server" - exit 1 -diff --git a/tests/radius-group b/tests/radius-group -index 1f28cda..9b85889 100755 ---- a/tests/radius-group -+++ b/tests/radius-group -@@ -100,7 +100,7 @@ sleep 4 - - echo " * Tests the radius group functionality" - USERNAME=test-class --( echo "${USERNAME}" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} --authgroup group2 -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b ) -+( echo "${USERNAME}" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} --authgroup group2 -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b ) - if test $? != 0;then - echo "Could not connect to server" - exit 1 -@@ -137,7 +137,7 @@ sleep 4 - - echo " * Tests the alt radius group functionality" - USERNAME=test-class --( echo "${USERNAME}" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} --authgroup group1 -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b ) -+( echo "${USERNAME}" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} --authgroup group1 -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b ) - if test $? 
!= 0;then - echo "Could not connect to server" - exit 1 -diff --git a/tests/radius-otp b/tests/radius-otp -index 11c3907..9b4fecb 100755 ---- a/tests/radius-otp -+++ b/tests/radius-otp -@@ -111,7 +111,7 @@ for (( COUNT=1; COUNT <= 3; COUNT++ )); do - sleep 0.5 - echo "$USERNAME-stage$COUNT" - done --} | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} -b >/dev/null 2>&1) -+} | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} -b >/dev/null 2>&1) - if test $? != 0; then - echo "Could not connect to server" - exit 1 -@@ -151,7 +151,7 @@ for (( COUNT=1; COUNT <= 3; COUNT++ )); do - sleep 0.5 - echo "$USERNAME-stage" - done --} | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} -b --cookieonly >/dev/null 2>&1) -+} | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} -b --cookieonly >/dev/null 2>&1) - if test $? == 0; then - echo "Connected with wrong username" - exit 1 -@@ -173,7 +173,7 @@ for (( COUNT=1; COUNT <= 3; COUNT++ )); do - echo "$USERNAME-stage$COUNT" - fi - done --} | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} -b --cookieonly >/dev/null 2>&1) -+} | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} -b --cookieonly >/dev/null 2>&1) - if test $? 
== 0; then - echo "Connected with wrong OTP" - exit 1 -@@ -197,7 +197,7 @@ for (( COUNT=1; COUNT <= 3; COUNT++ )); do - echo "$USERNAME-stage$COUNT" - fi - done --} | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} -b --cookieonly >/dev/null 2>&1) -+} | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} -b --cookieonly >/dev/null 2>&1) - if test $? == 0; then - echo "Connected with wrong OTP" - exit 1 -@@ -218,7 +218,7 @@ for (( COUNT=1; COUNT <= 3; COUNT++ )); do - echo "$USERNAME-stage$COUNT" - fi - done --} | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} -b --cookieonly >/dev/null 2>&1) -+} | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} -b --cookieonly >/dev/null 2>&1) - if test $? == 0; then - echo "Connected with blank OTP" - exit 1 -@@ -247,7 +247,7 @@ for (( COUNT=1; COUNT <= 3; COUNT++ )); do - echo "$USERNAME-stage$COUNT" - fi - done --} | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} -b --cookieonly >/dev/null 2>&1) -+} | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} -b --cookieonly >/dev/null 2>&1) - if test $? == 0; then - echo "Successful connection with the number of OTP retries greater than allowed by the ban system (default 30)." 
- ${OCCTL} -s ${OCCTL_SOCKET} show ip ban points -@@ -265,7 +265,7 @@ for (( COUNT=1; COUNT <= 17; COUNT++ )); do - sleep 0.5 - echo "$USERNAME-stage$COUNT" - done --} | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} -b --cookieonly >/dev/null 2>&1) -+} | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} -b --cookieonly >/dev/null 2>&1) - if test $? == 0; then - echo "Connected to server - MAX_CHALLENGES test failed" - exit 1 -diff --git a/tests/test-append-routes b/tests/test-append-routes -index be71d22..923d0aa 100755 ---- a/tests/test-append-routes -+++ b/tests/test-append-routes -@@ -41,7 +41,7 @@ wait_server $PID - - echo "Checking if routes are appended... " - --timeout 15s $OPENCONNECT localhost:$PORT -v --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert-testuser.pem --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s /bin/true ${TMPFILE1} 2>&1 -+timeout 15s $OPENCONNECT localhost:$PORT -v --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert-testuser.pem --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s /bin/true ${TMPFILE1} 2>&1 - - echo "cat" - cat ${TMPFILE1} -diff --git a/tests/test-ban b/tests/test-ban -index eb6a874..be4695a 100755 ---- a/tests/test-ban -+++ b/tests/test-ban -@@ -59,15 +59,15 @@ ${CMDNS2} ${SERV} -p ${PIDFILE} -f -c ${CONFIG} ${DEBUG} & PID=$! - sleep 4 - - echo "Connecting with wrong password 5 times... 
" --echo "notest" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --echo "notest" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --echo "notest" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --echo "notest" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --echo "notest" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -+echo "notest" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -+echo "notest" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -+echo "notest" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -+echo "notest" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -+echo "notest" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= - - echo "" - echo "Connecting with correct password... 
" --eval `echo "test" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3` -+eval `echo "test" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8=` - - if [ -n "$COOKIE" ];then - fail $PID "Obtained cookie although should have been banned" -@@ -90,7 +90,7 @@ sleep 25 - echo "" - - echo "Connecting with correct password after ban time... " --eval `echo "test" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3` -+eval `echo "test" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8=` - - if [ -z "$COOKIE" ];then - fail $PID "Could not obtain cookie even though ban should be lifted" -@@ -99,16 +99,16 @@ fi - echo "" - echo "Checking ban reset time... 
" - --echo "notest" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --echo "notest" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --echo "notest" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --echo "notest" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -+echo "notest" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -+echo "notest" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -+echo "notest" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -+echo "notest" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= - sleep 11 --echo "notest" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -+echo "notest" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= - - echo "" - echo "Connecting with correct password after ban reset time... 
" --eval `echo "test" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3` -+eval `echo "test" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8=` - - if [ -z "$COOKIE" ];then - fail $PID "Could not obtain cookie even though ban should be lifted" -diff --git a/tests/test-ban-local b/tests/test-ban-local -index d2a4397..fbe0eb2 100755 ---- a/tests/test-ban-local -+++ b/tests/test-ban-local -@@ -60,15 +60,15 @@ ${SERV} -p ${PIDFILE} -f -c ${CONFIG} ${DEBUG} & PID=$! - sleep 4 - - echo "Connecting with wrong password 5 times... " --echo "notest" | ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --echo "notest" | ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --echo "notest" | ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --echo "notest" | ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --echo "notest" | ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -+echo "notest" | ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -+echo "notest" | ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -+echo "notest" | ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -+echo "notest" | 
${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -+echo "notest" | ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= - - echo "" - echo "Connecting with correct password... " --eval `echo "test" | ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3` -+eval `echo "test" | ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8=` - - if [ -z "$COOKIE" ];then - fail $PID "Could not obtain cookie even though client should be exempt" -diff --git a/tests/test-cert b/tests/test-cert -index 41362aa..7967193 100755 ---- a/tests/test-cert -+++ b/tests/test-cert -@@ -49,19 +49,19 @@ PID=$! - wait_server $PID - - echo -n "Connecting to obtain cookie (without certificate)... " --( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly /dev/null 2>&1 ) && -+( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly /dev/null 2>&1 ) && - fail $PID "Connected without certificate!" - - echo "ok (failed as expected)" - - echo -n "Connecting to obtain cookie (with invalid certificate)... 
" --( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey "${srcdir}/certs/user-key.pem" -c "${srcdir}/certs/user-cert-invalid.pem" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly /dev/null 2>&1 ) && -+( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey "${srcdir}/certs/user-key.pem" -c "${srcdir}/certs/user-cert-invalid.pem" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly /dev/null 2>&1 ) && - fail $PID "Connected with invalid certificate!" - - echo "ok (failed as expected)" - - echo -n "Connecting to obtain cookie (with certificate)... " --( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey "${srcdir}/certs/user-key.pem" -c "${srcdir}/certs/user-cert.pem" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly /dev/null 2>&1 ) || -+( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey "${srcdir}/certs/user-key.pem" -c "${srcdir}/certs/user-cert.pem" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly /dev/null 2>&1 ) || - fail $PID "Could not connect with certificate!" - - echo ok -@@ -80,7 +80,7 @@ kill -HUP $PID - sleep 5 - - echo -n "Connecting to obtain cookie (with DER CRL)... " --( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey "${srcdir}/certs/user-key.pem" -c "${srcdir}/certs/user-cert.pem" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly /dev/null 2>&1 ) || -+( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey "${srcdir}/certs/user-key.pem" -c "${srcdir}/certs/user-cert.pem" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly /dev/null 2>&1 ) || - fail $PID "Could not connect with certificate!" - - echo ok -@@ -99,13 +99,13 @@ kill -HUP $PID - sleep 5 - - echo -n "Connecting to obtain cookie (with revoked certificate)... 
" --( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey "${srcdir}/certs/user-key.pem" -c "${srcdir}/certs/user-cert.pem" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly /dev/null 2>&1 ) && -+( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey "${srcdir}/certs/user-key.pem" -c "${srcdir}/certs/user-cert.pem" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly /dev/null 2>&1 ) && - fail $PID "Connected with revoked certificate!" - - echo "ok (failed as expected)" - - #echo "Normal connection... " --#( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --script=/bin/true ) || -+#( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --script=/bin/true ) || - # fail $PID "Could not connect to server" - - rm -f "${CRLNAME}" "${CRLTMPLNAME}" -diff --git a/tests/test-cert-opt-pass b/tests/test-cert-opt-pass -index 18893d3..0109ef2 100755 ---- a/tests/test-cert-opt-pass -+++ b/tests/test-cert-opt-pass -@@ -34,7 +34,7 @@ opts=$1 - pass=$2 - rm -f ${OUTFILE} - --echo "$pass" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT $opts --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --authenticate >${OUTFILE} 2>&1 -+echo "$pass" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT $opts --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --authenticate >${OUTFILE} 2>&1 - if test $? != 0;then - cat ${OUTFILE} - return 1 -diff --git a/tests/test-client-bypass-protocol b/tests/test-client-bypass-protocol -index 09f3cb2..14cb5a5 100755 ---- a/tests/test-client-bypass-protocol -+++ b/tests/test-client-bypass-protocol -@@ -43,7 +43,7 @@ PID=$! - wait_server $PID - - echo -n "Connecting... 
" --timeout 15s $OPENCONNECT -v localhost:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert-testuser.pem --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s /bin/true ${TMPFILE} 2>&1 -+timeout 15s $OPENCONNECT -v localhost:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert-testuser.pem --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s /bin/true ${TMPFILE} 2>&1 - - echo ok - -@@ -68,7 +68,7 @@ PID=$! - wait_server $PID - - echo -n "Reconnecting..." --timeout 15s $OPENCONNECT -v localhost:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert-testuser.pem --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s /bin/true ${TMPFILE} 2>&1 -+timeout 15s $OPENCONNECT -v localhost:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert-testuser.pem --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s /bin/true ${TMPFILE} 2>&1 - - echo ok - -diff --git a/tests/test-config-per-group b/tests/test-config-per-group -index 4a8bd60..6b8929a 100755 ---- a/tests/test-config-per-group -+++ b/tests/test-config-per-group -@@ -81,7 +81,7 @@ ${CMDNS2} ${SERV} -p ${PIDFILE} -f -c ${CONFIG} ${DEBUG} & - sleep 4 - - echo " * Connecting with user NOT in group..." --( echo "${PASSWORD}" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b ) -+( echo "${PASSWORD}" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b ) - if test $? != 0;then - echo "Could not connect to server" - exit 1 -@@ -129,7 +129,7 @@ sleep 2 - USERNAME=test - PASSWORD=test - echo " * Connecting with user in group to ${ADDRESS}:${PORT}..." 
--( echo "${PASSWORD}" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b ) -+( echo "${PASSWORD}" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b ) - if test $? != 0;then - echo "Could not connect to server" - exit 1 -diff --git a/tests/test-cookie-invalidation b/tests/test-cookie-invalidation -index 5f77afa..a6f8cea 100755 ---- a/tests/test-cookie-invalidation -+++ b/tests/test-cookie-invalidation -@@ -35,7 +35,7 @@ launch_server -d 1 -f -c ${CONFIG} & PID=$! - wait_server $PID - - echo "Connecting to obtain cookie... " --eval `echo "test" | $OPENCONNECT -q localhost:$PORT -u test --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3` -+eval `echo "test" | $OPENCONNECT -q localhost:$PORT -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8=` - - if [ -z "$COOKIE" ];then - fail $PID "Could not obtain cookie" -@@ -44,7 +44,7 @@ fi - #echo "Cookie: $COOKIE" - - echo "Connecting with cookie... " --echo "test" | $OPENCONNECT -q localhost:$PORT -u test -C "$COOKIE" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --script=/bin/true --verbose --pid-file "${PIDFILE1}" --background >/dev/null 2>&1 -+echo "test" | $OPENCONNECT -q localhost:$PORT -u test -C "$COOKIE" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --script=/bin/true --verbose --pid-file "${PIDFILE1}" --background >/dev/null 2>&1 - - sleep 4 - -@@ -58,9 +58,9 @@ if test $? != 0;then - fi - - echo "Terminating and connecting again with same cookie... 
" --#( echo "test" | $OPENCONNECT -q localhost:$PORT -u test -C "$COOKIE" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) || -+#( echo "test" | $OPENCONNECT -q localhost:$PORT -u test -C "$COOKIE" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) || - # fail $PID "Could not connect to server" --echo "test" | $OPENCONNECT -q localhost:$PORT -b -u test -C "$COOKIE" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --script=/bin/true --verbose --pid-file "${PIDFILE2}" --background >/dev/null 2>&1 -+echo "test" | $OPENCONNECT -q localhost:$PORT -b -u test -C "$COOKIE" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --script=/bin/true --verbose --pid-file "${PIDFILE2}" --background >/dev/null 2>&1 - - sleep 4 - -@@ -82,9 +82,9 @@ rm -f "${PIDFILE2}" - sleep 18 - - echo "Proper termination and connecting again with same (invalidated) cookie... " --#( echo "test" | $OPENCONNECT -q localhost:$PORT -u test -C "$COOKIE" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) || -+#( echo "test" | $OPENCONNECT -q localhost:$PORT -u test -C "$COOKIE" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) || - # fail $PID "Could not connect to server" --echo "test" | $OPENCONNECT -q localhost:$PORT -b -u test -C "$COOKIE" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --script=/bin/true --verbose --pid-file "${PIDFILE2}" --background >/dev/null 2>&1 -+echo "test" | $OPENCONNECT -q localhost:$PORT -b -u test -C "$COOKIE" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --script=/bin/true --verbose --pid-file "${PIDFILE2}" --background >/dev/null 2>&1 - - sleep 4 - -diff --git a/tests/test-cookie-timeout b/tests/test-cookie-timeout -index 08081b2..b8b4dda 100755 ---- a/tests/test-cookie-timeout -+++ b/tests/test-cookie-timeout -@@ -34,7 +34,7 @@ launch_server -d 1 -f -c 
${CONFIG} & PID=$! - wait_server $PID - - echo "Connecting to obtain cookie... " --eval `echo "test" | $OPENCONNECT -q localhost:$PORT -u test --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3` -+eval `echo "test" | $OPENCONNECT -q localhost:$PORT -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8=` - - if [ -z "$COOKIE" ];then - fail $PID "Could not obtain cookie" -@@ -44,7 +44,7 @@ fi - sleep 16 - echo "" - echo "Connecting with cookie... " --echo "test" | $OPENCONNECT -q -b localhost:$PORT -u test -C "$COOKIE" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --script=/bin/true --verbose --pid-file "${PIDFILE}" --background -+echo "test" | $OPENCONNECT -q -b localhost:$PORT -u test -C "$COOKIE" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --script=/bin/true --verbose --pid-file "${PIDFILE}" --background - - sleep 4 - -@@ -59,7 +59,7 @@ rm -f "${PIDFILE}" - sleep 16 - echo "" - echo "Connecting again with cookie... " --echo "test" | $OPENCONNECT -b -q localhost:$PORT -u test -C "$COOKIE" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --script=/bin/true --verbose --pid-file "${PIDFILE}" --background -+echo "test" | $OPENCONNECT -b -q localhost:$PORT -u test -C "$COOKIE" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --script=/bin/true --verbose --pid-file "${PIDFILE}" --background - - sleep 4 - -@@ -74,7 +74,7 @@ rm -f "${PIDFILE}" - sleep 16 - echo "" - echo "Connecting after forced kill with cookie... 
" --echo "test" | $OPENCONNECT -b -q localhost:$PORT -u test -C "$COOKIE" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --script=/bin/true --verbose --pid-file "${PIDFILE}" --background -+echo "test" | $OPENCONNECT -b -q localhost:$PORT -u test -C "$COOKIE" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --script=/bin/true --verbose --pid-file "${PIDFILE}" --background - - sleep 4 - -@@ -90,7 +90,7 @@ rm -f "${PIDFILE}" - sleep 45 - echo "" - echo "Connecting with cookie after expiration... " --echo "test" | $OPENCONNECT -q -b localhost:$PORT -u test -C "$COOKIE" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --script=/bin/true --verbose --pid-file "${PIDFILE}" --background -+echo "test" | $OPENCONNECT -q -b localhost:$PORT -u test -C "$COOKIE" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --script=/bin/true --verbose --pid-file "${PIDFILE}" --background - - sleep 4 - -@@ -104,7 +104,7 @@ fi - # test cookie verification after cookie verification failure. That is to verify whether - # the channel between main and sec-mod is in consistent state. - echo "Connecting (again) to obtain cookie... " --echo "test" | $OPENCONNECT -q localhost:$PORT -u test --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -+echo "test" | $OPENCONNECT -q localhost:$PORT -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= - - if test $? != 0;then - fail $PID "Could not obtain cookie" -diff --git a/tests/test-cookie-timeout-2 b/tests/test-cookie-timeout-2 -index fbeba81..4161eb6 100755 ---- a/tests/test-cookie-timeout-2 -+++ b/tests/test-cookie-timeout-2 -@@ -33,7 +33,7 @@ launch_server -d 1 -f -c ${CONFIG} & PID=$! - wait_server $PID - - echo "Connecting to obtain cookie... 
" --eval `echo "test" | $OPENCONNECT -q localhost:$PORT -u test --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3` -+eval `echo "test" | $OPENCONNECT -q localhost:$PORT -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8=` - - if [ -z "$COOKIE" ];then - fail $PID "Could not obtain cookie" -@@ -43,7 +43,7 @@ fi - sleep 10 - echo "" - echo "Connecting with cookie... " --echo "test" | $OPENCONNECT -q -b localhost:$PORT -u test -C "$COOKIE" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --script=/bin/true --verbose --pid-file ${srcdir}/pid.$$ --background -+echo "test" | $OPENCONNECT -q -b localhost:$PORT -u test -C "$COOKIE" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --script=/bin/true --verbose --pid-file ${srcdir}/pid.$$ --background - - sleep 4 - -@@ -58,7 +58,7 @@ rm -f "${srcdir}/pid2.$$" - sleep 30 - echo "" - echo "Connecting again with cookie (overriding first session)... " --echo "test" | $OPENCONNECT -b -q localhost:$PORT -u test -C "$COOKIE" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --script=/bin/true --verbose --pid-file ${srcdir}/pid2.$$ --background -+echo "test" | $OPENCONNECT -b -q localhost:$PORT -u test -C "$COOKIE" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --script=/bin/true --verbose --pid-file ${srcdir}/pid2.$$ --background - - sleep 6 - -diff --git a/tests/test-enc-key b/tests/test-enc-key -index 0ca6249..5d65b62 100755 ---- a/tests/test-enc-key -+++ b/tests/test-enc-key -@@ -33,7 +33,7 @@ launch_sr_server -d 1 -f -c ${CONFIG} & PID=$! - wait_server $PID - - echo "Connecting to obtain cookie... 
" --( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) || -+( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) || - fail $PID "Could not receive cookie from server" - - cleanup -@@ -48,7 +48,7 @@ launch_sr_server -d 1 -f -c ${CONFIG} & PID=$! - wait_server $PID - - echo "Connecting to obtain cookie... " --( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) || -+( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) || - fail $PID "Could not receive cookie from server" - - cleanup -diff --git a/tests/test-explicit-ip b/tests/test-explicit-ip -index bfd1a9d..41d4665 100755 ---- a/tests/test-explicit-ip -+++ b/tests/test-explicit-ip -@@ -31,13 +31,13 @@ connect() - opts=$1 - pass=$2 - COOKIE='' --eval `echo "$pass" | $OPENCONNECT -q localhost:$PORT $opts --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --authenticate` -+eval `echo "$pass" | $OPENCONNECT -q localhost:$PORT $opts --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --authenticate` - if [ -z "$COOKIE" ];then - return 1 - fi - - rm -f $TMPFILE --echo "$pass" | $OPENCONNECT -q localhost:$PORT $opts -C "$COOKIE" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --script=/bin/true --verbose --pid-file ${srcdir}/pidx >$TMPFILE 2>&1 & -+echo "$pass" | $OPENCONNECT -q localhost:$PORT $opts -C "$COOKIE" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --script=/bin/true --verbose --pid-file ${srcdir}/pidx >$TMPFILE 2>&1 & - CPID=$! 
- - sleep 3 -diff --git a/tests/test-group-pass b/tests/test-group-pass -index 1530f43..7a78237 100755 ---- a/tests/test-group-pass -+++ b/tests/test-group-pass -@@ -33,19 +33,19 @@ launch_sr_server -d 1 -f -c ${CONFIG} & PID=$! - wait_server $PID - - echo "Connecting to obtain cookie... " --( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --authgroup group1 --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) || -+( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --authgroup group1 --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) || - fail $PID "Could not receive cookie from server" - - echo "Connecting to obtain cookie... " --( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --authgroup group2 --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) || -+( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --authgroup group2 --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) || - fail $PID "Could not receive cookie from server" - - echo "Connecting to obtain cookie... " --( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --authgroup group2 --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) || -+( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --authgroup group2 --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) || - fail $PID "Could not receive cookie from server" - - echo "Connecting to obtain cookie with wrong groupname... 
" --( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --authgroup group4 --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) && -+( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --authgroup group4 --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) && - fail $PID "Received cookie when we shouldn't" - - cleanup -diff --git a/tests/test-gssapi-opt-cert b/tests/test-gssapi-opt-cert -index 0ef2d55..5cf1105 100755 ---- a/tests/test-gssapi-opt-cert -+++ b/tests/test-gssapi-opt-cert -@@ -29,7 +29,7 @@ opts=$1 - pass=$2 - rm -f ${OUTFILE} - --echo "$pass" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT $opts --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --authenticate >${OUTFILE} 2>&1 -+echo "$pass" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT $opts --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --authenticate >${OUTFILE} 2>&1 - if test $? != 0;then - cat ${OUTFILE} - return 1 -diff --git a/tests/test-gssapi-opt-pass b/tests/test-gssapi-opt-pass -index 8999d30..b6ebd11 100755 ---- a/tests/test-gssapi-opt-pass -+++ b/tests/test-gssapi-opt-pass -@@ -29,7 +29,7 @@ opts=$1 - pass=$2 - rm -f ${OUTFILE} - --echo "$pass" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT $opts --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --authenticate >${OUTFILE} 2>&1 -+echo "$pass" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT $opts --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --authenticate >${OUTFILE} 2>&1 - if test $? != 0;then - cat ${OUTFILE} - return 1 -diff --git a/tests/test-iroute b/tests/test-iroute -index d7b5f52..caf0a92 100755 ---- a/tests/test-iroute -+++ b/tests/test-iroute -@@ -34,13 +34,13 @@ launch_server -d 1 -f -c "${CONFIG}" & PID=$! 
- wait_server $PID - - echo -n "Connecting to obtain cookie (with certificate)... " --( $OPENCONNECT -q localhost:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert.pem --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly /dev/null 2>&1 ) || -+( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert.pem --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly /dev/null 2>&1 ) || - fail $PID "Could not connect with certificate!" - - echo ok -@@ -47,7 +47,7 @@ kill -USR2 $PID - sleep 5 - - echo -n "Connecting to obtain cookie (with certificate)... " --( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert.pem --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly /dev/null 2>&1 ) || -+( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert.pem --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly /dev/null 2>&1 ) || - fail $PID "Could not connect with certificate!" - - echo ok -@@ -58,7 +58,7 @@ kill -USR2 $PID - sleep 5 - - echo -n "Connecting to obtain cookie (with certificate)... " --( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert.pem --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly /dev/null 2>&1 ) || -+( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert.pem --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly /dev/null 2>&1 ) || - fail $PID "Could not connect with certificate!" 
- - echo ok -diff --git a/tests/test-max-same-1 b/tests/test-max-same-1 -index 5146483..ec19c0d 100755 ---- a/tests/test-max-same-1 -+++ b/tests/test-max-same-1 -@@ -47,7 +47,7 @@ launch_server -d 1 -f -c ${CONFIG} & PID=$! - wait_server $PID - - echo "Connecting to obtain cookie... " --eval `echo "test" | $OPENCONNECT -q localhost:$PORT -u test --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3` -+eval `echo "test" | $OPENCONNECT -q localhost:$PORT -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8=` - - if [ -z "$COOKIE" ];then - echo "Could not obtain cookie" -@@ -57,12 +57,12 @@ fi - #echo "Cookie: $COOKIE" - - echo "Connecting with cookie... " --echo "test" | $OPENCONNECT -q localhost:$PORT -u test -C "$COOKIE" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --script=/bin/true --verbose --pid-file "${PIDFILE1}" --background -+echo "test" | $OPENCONNECT -q localhost:$PORT -u test -C "$COOKIE" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --script=/bin/true --verbose --pid-file "${PIDFILE1}" --background - - sleep 4 - - echo "Connecting again with same cookie... " --echo "test" | $OPENCONNECT -q localhost:$PORT -b -u test -C "$COOKIE" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --script=/bin/true --verbose --pid-file "${PIDFILE2}" --background -+echo "test" | $OPENCONNECT -q localhost:$PORT -b -u test -C "$COOKIE" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --script=/bin/true --verbose --pid-file "${PIDFILE2}" --background - - sleep 4 - -diff --git a/tests/test-multi-cookie b/tests/test-multi-cookie -index 83c9cb5..7581f9c 100755 ---- a/tests/test-multi-cookie -+++ b/tests/test-multi-cookie -@@ -47,7 +47,7 @@ launch_server -d 1 -f -c "${CONFIG}" & PID=$! - wait_server $PID - - echo "Connecting to obtain cookie... 
" --eval `echo "test" | $OPENCONNECT -q localhost:$PORT -u test --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3` -+eval `echo "test" | $OPENCONNECT -q localhost:$PORT -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8=` - - if [ -z "$COOKIE" ];then - echo "Could not obtain cookie" -@@ -57,12 +57,12 @@ fi - #echo "Cookie: $COOKIE" - - echo "Connecting with cookie... " --echo "test" | $OPENCONNECT -q localhost:$PORT -u test -C "$COOKIE" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --script=/bin/true --verbose --pid-file "${PIDFILE1}" --background -+echo "test" | $OPENCONNECT -q localhost:$PORT -u test -C "$COOKIE" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --script=/bin/true --verbose --pid-file "${PIDFILE1}" --background - - sleep 4 - - echo "Connecting again with same cookie... " --echo "test" | $OPENCONNECT -q localhost:$PORT -b -u test -C "$COOKIE" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --script=/bin/true --verbose --pid-file "${PIDFILE2}" --background -+echo "test" | $OPENCONNECT -q localhost:$PORT -b -u test -C "$COOKIE" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --script=/bin/true --verbose --pid-file "${PIDFILE2}" --background - - sleep 4 - -diff --git a/tests/test-multiple-client-ip b/tests/test-multiple-client-ip -index 0e799e0..76099fe 100755 ---- a/tests/test-multiple-client-ip -+++ b/tests/test-multiple-client-ip -@@ -84,14 +84,14 @@ sleep 4 - - # Run client 1 - echo " * Getting cookie from ${ADDRESS}:${PORT}..." --( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly ) -+( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly ) - if test $? 
!= 0;then - echo "Could not get cookie from server" - exit 1 - fi - - echo " * Connecting to ${ADDRESS}:${PORT}..." --( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b ) -+( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b ) - if test $? != 0;then - echo "Could not connect to server" - exit 1 -@@ -99,14 +99,14 @@ fi - - # Run client 2 - echo " * Getting cookie from ${ADDRESS}:${PORT}..." --( echo "test" | ${CMDNS3} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly ) -+( echo "test" | ${CMDNS3} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly ) - if test $? != 0;then - echo "Could not get cookie from server" - exit 1 - fi - - echo " * Connecting to ${ADDRESS}:${PORT}..." --( echo "test" | ${CMDNS3} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID2} --passwd-on-stdin -b ) -+( echo "test" | ${CMDNS3} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID2} --passwd-on-stdin -b ) - if test $? != 0;then - echo "Could not connect to server" - exit 1 -diff --git a/tests/test-namespace-listen b/tests/test-namespace-listen -index 9691b28..81c3e86 100755 ---- a/tests/test-namespace-listen -+++ b/tests/test-namespace-listen -@@ -77,7 +77,7 @@ if test $? 
!= 0; then - fi - - echo " connecting to server" --(echo "test" | ${CMDNS3} $OPENCONNECT $ADDRESS:$PORT -u "test" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --pid-file=${CLIPID} -b) || -+(echo "test" | ${CMDNS3} $OPENCONNECT $ADDRESS:$PORT -u "test" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --pid-file=${CLIPID} -b) || - fail $PID "could not connect to server" - sleep 5 - -diff --git a/tests/test-otp b/tests/test-otp -index 5209b0a..ed1fe94 100755 ---- a/tests/test-otp -+++ b/tests/test-otp -@@ -45,27 +45,27 @@ launch_sr_server -d 1 -f -c ${CONFIG} & PID=$! - wait_server $PID - - echo -n "Connecting with wrong username... " --( echo -e "test\n328482\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u falsetest --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) && -+( echo -e "test\n328482\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u falsetest --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) && - fail $PID "Connected with wrong username!" - echo ok - - echo -n "Connecting with wrong OTP... " --( echo -e "test\n999482\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) && -+( echo -e "test\n999482\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) && - fail $PID "Should not have connected with wrong OTP!" - echo ok - - echo -n "Connecting with correct password and OTP... 
" --( echo -e "test\n328482\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) || -+( echo -e "test\n328482\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) || - fail $PID "Could not connect with OTP!" - echo ok - - echo -n "Connecting with empty password and wrong OTP... " --( echo -e "999999\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u testuser --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) && -+( echo -e "999999\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u testuser --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) && - fail $PID "Should have not connected with wrong OTP!" - echo ok - - echo -n "Connecting with empty password and OTP... " --( echo -e "328482\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u testuser --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) || -+( echo -e "328482\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u testuser --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) || - fail $PID "Could not connect with OTP-only!" - echo ok - -diff --git a/tests/test-otp-cert b/tests/test-otp-cert -index c8dc12c..61a71db 100755 ---- a/tests/test-otp-cert -+++ b/tests/test-otp-cert -@@ -45,22 +45,22 @@ launch_sr_server -d 1 -f -c ${CONFIG} & PID=$! - wait_server $PID - - echo -n "Connecting to obtain cookie (without certificate)... 
" --( echo -e "test\n328482\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) && -+( echo -e "test\n328482\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) && - fail $PID "Connected without certificate!" - echo ok - - echo -n "Connecting to obtain cookie (with incorrect certificate)... " --( echo -e "test\n328482\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert-wrong.pem -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) && -+( echo -e "test\n328482\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert-wrong.pem -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) && - fail $PID "Should not have connected with wrong certificate!" - echo ok - - echo -n "Connecting to obtain cookie (with certificate)... " --( echo -e "test\n328482\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert.pem -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) || -+( echo -e "test\n328482\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert.pem -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) || - fail $PID "Could not connect with certificate!" - echo ok - - echo -n "Connecting to obtain cookie (with no pass and certificate)... 
" --( echo -e "328482\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert-testuser.pem -u testuser --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) || -+( echo -e "328482\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert-testuser.pem -u testuser --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) || - fail $PID "Could not connect with certificate!" - echo ok - -diff --git a/tests/test-pam b/tests/test-pam -index 8ec787a..561a140 100755 ---- a/tests/test-pam -+++ b/tests/test-pam -@@ -37,22 +37,22 @@ wait_server $PID - - echo "" - echo "Connecting with wrong password... " --( echo -e "testuser\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -v $ADDRESS:$PORT --authgroup group2 -u testuser --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) && -+( echo -e "testuser\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -v $ADDRESS:$PORT --authgroup group2 -u testuser --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) && - fail $PID "Received cookie with wrong cred" - - echo "" - echo "Connecting with empty password... " --( echo -e "\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -v $ADDRESS:$PORT --authgroup group2 -u testuser --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) && -+( echo -e "\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -v $ADDRESS:$PORT --authgroup group2 -u testuser --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) && - fail $PID "Received cookie with wrong cred" - - echo "" - echo "Connecting with wrong username... 
" --( echo -e "testuser123\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -v $ADDRESS:$PORT --authgroup group2 -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) && -+( echo -e "testuser123\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -v $ADDRESS:$PORT --authgroup group2 -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) && - fail $PID "Received cookie with wrong cred" - - echo "" - echo "Connecting with correct password... " --( echo -e "testuser123\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -v $ADDRESS:$PORT --authgroup group2 -u testuser --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly ) ||#>/dev/null 2>&1 ) || -+( echo -e "testuser123\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -v $ADDRESS:$PORT --authgroup group2 -u testuser --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly ) ||#>/dev/null 2>&1 ) || - fail $PID "Could not receive cookie from server" - - cleanup -diff --git a/tests/test-pam-noauth b/tests/test-pam-noauth -index dc8dd3d..1f67371 100755 ---- a/tests/test-pam-noauth -+++ b/tests/test-pam-noauth -@@ -35,19 +35,19 @@ launch_sr_pam_server -d 1 -f -c ${CONFIG} & PID=$! - wait_server $PID - - echo "Connecting with correct password but no PAM user... " --( echo -e "test\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u xtest --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) && -+( echo -e "test\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u xtest --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) && - fail $PID "Received cookie with non existing user" - - echo "Connecting with incorrect password (correct in PAM) and existing user... 
" --( echo -e "testuser123\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u testuser --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) && -+( echo -e "testuser123\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u testuser --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) && - fail $PID "Received cookie with non existing user" - - echo "Connecting with empty password (correct in PAM) and existing user... " --( echo -e "\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u testuser --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) && -+( echo -e "\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u testuser --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) && - fail $PID "Received cookie with non existing user" - - echo "Connecting with correct password and existing user... " --( echo -e "test\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u testuser --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly ) ||#>/dev/null 2>&1 ) || -+( echo -e "test\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u testuser --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly ) ||#>/dev/null 2>&1 ) || - fail $PID "Could not receive cookie from server" - - cleanup -diff --git a/tests/test-pass b/tests/test-pass -index 9d5484a..5aaaf48 100755 ---- a/tests/test-pass -+++ b/tests/test-pass -@@ -34,39 +34,39 @@ launch_sr_server -d 1 -p ${PIDFILE} -f -c ${CONFIG} & PID=$! - wait_server $PID - - echo "Connecting to obtain cookie... 
" --( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly ) || -+( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly ) || - fail $PID "Could not receive cookie from server" - - echo "Connecting to obtain cookie with wrong password... " --( echo "tost" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) && -+( echo "tost" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) && - fail $PID "Received cookie when we shouldn't" - - echo "Connecting to obtain cookie with empty password... " --( echo -e "\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) && -+( echo -e "\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) && - fail $PID "Received cookie when we shouldn't" - - echo "Connecting to obtain cookie with wrong username... " --( echo "tost" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u tost --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) && -+( echo "tost" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u tost --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) && - fail $PID "Received cookie when we shouldn't" - - # test locked account - - echo "Connecting to obtain cookie with locked account... 
" --( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u locked --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) && -+( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u locked --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) && - fail $PID "Received cookie when we shouldn't" - - #test special characters - - echo "Connecting to obtain cookie with special password... " --( echo "!@#$%^&*()<>" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u "sp@c/al" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) || -+( echo "!@#$%^&*()<>" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u "sp@c/al" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) || - fail $PID "Could not receive cookie from server" - - echo "Connecting to obtain cookie with empty password... " --( echo "" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u "empty" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) || -+( echo "" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u "empty" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) || - fail $PID "Could not receive cookie from server" - - #echo "Normal connection... " --#( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --script=/bin/true ) || -+#( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --script=/bin/true ) || - # fail $PID "Could not connect to server" - - if ! 
test -f ${PIDFILE};then -diff --git a/tests/test-pass-cert b/tests/test-pass-cert -index 8050788..8d284b8 100755 ---- a/tests/test-pass-cert -+++ b/tests/test-pass-cert -@@ -34,26 +34,26 @@ launch_sr_server -d 1 -f -c ${CONFIG} & PID=$! - wait_server $PID - - echo -n "Connecting to obtain cookie (without certificate)... " --( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) && -+( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) && - fail $PID "Connected without certificate!" - - echo ok - - echo -n "Connecting to obtain cookie (with certificate)... " --( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert.pem -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) || -+( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert.pem -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) || - fail $PID "Could not connect with certificate!" - - echo ok - - echo -n "Connecting to obtain cookie (with incorrect certificate)... 
" --( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert-wrong.pem -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) && -+( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert-wrong.pem -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) && - fail $PID "Should not have connected with wrong certificate!" - - echo ok - - - #echo "Normal connection... " --#( echo "test" | $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --script=/bin/true ) || -+#( echo "test" | $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --script=/bin/true ) || - # fail $PID "Could not connect to server" - - cleanup -diff --git a/tests/test-pass-group-cert b/tests/test-pass-group-cert -index ff64993..e559ac6 100755 ---- a/tests/test-pass-group-cert -+++ b/tests/test-pass-group-cert -@@ -33,37 +33,37 @@ launch_sr_server -d 1 -f -c ${CONFIG} & PID=$! - wait_server $PID - - echo -n "Connecting to obtain cookie (without certificate)... " --( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT --authgroup group1 -q $ADDRESS:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) && -+( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT --authgroup group1 -q $ADDRESS:$PORT -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) && - fail $PID "Connected without certificate!" - - echo ok - - echo -n "Connecting to obtain cookie - group1 (with certificate)... 
" --( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT --authgroup group1 -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-group-key.pem -c ${srcdir}/certs/user-group-cert.pem -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) || -+( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT --authgroup group1 -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-group-key.pem -c ${srcdir}/certs/user-group-cert.pem -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) || - fail $PID "Could not connect with certificate!" - - echo ok - - echo -n "Connecting to obtain cookie - DEFAULT (with certificate)... " --( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT --authgroup DEFAULT -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-group-key.pem -c ${srcdir}/certs/user-group-cert.pem -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) || -+( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT --authgroup DEFAULT -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-group-key.pem -c ${srcdir}/certs/user-group-cert.pem -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) || - fail $PID "Could not connect with certificate!" - - echo ok - - echo -n "Connecting to obtain cookie - group2 (with certificate)... 
" --( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT --authgroup group2 -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-group-key.pem -c ${srcdir}/certs/user-group-cert.pem -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) || -+( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT --authgroup group2 -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-group-key.pem -c ${srcdir}/certs/user-group-cert.pem -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) || - fail $PID "Could not connect with certificate!" - - echo ok - - echo -n "Connecting to obtain cookie - group3 (hidden) (with certificate)... " --( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT --authgroup group3 -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-group-key.pem -c ${srcdir}/certs/user-group-cert.pem -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) || -+( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT --authgroup group3 -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-group-key.pem -c ${srcdir}/certs/user-group-cert.pem -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) || - fail $PID "Could not connect with certificate!" - - echo ok - - echo -n "Connecting to obtain cookie - group4 (with certificate)... 
" --( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT --authgroup group4 -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-group-key.pem -c ${srcdir}/certs/user-group-cert.pem -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) && -+( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT --authgroup group4 -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-group-key.pem -c ${srcdir}/certs/user-group-cert.pem -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) && - fail $PID "Got cookie when it shouldn't!" - - echo ok -diff --git a/tests/test-pass-group-cert-no-pass b/tests/test-pass-group-cert-no-pass -index bc39b45..401b24f 100755 ---- a/tests/test-pass-group-cert-no-pass -+++ b/tests/test-pass-group-cert-no-pass -@@ -33,25 +33,25 @@ launch_sr_server -d 1 -f -c ${CONFIG} & PID=$! - wait_server $PID - - echo -n "Connecting to obtain cookie (without certificate)... " --LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT --authgroup group1 -q $ADDRESS:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 && -+LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT --authgroup group1 -q $ADDRESS:$PORT -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 && - fail $PID "Connected without certificate!" - - echo ok - - echo -n "Connecting to obtain cookie - group1 (with certificate)... 
" --LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT --authgroup group1 -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-group-key.pem -c ${srcdir}/certs/user-group-cert.pem -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 || -+LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT --authgroup group1 -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-group-key.pem -c ${srcdir}/certs/user-group-cert.pem -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 || - fail $PID "Could not connect with certificate!" - - echo ok - - echo -n "Connecting to obtain cookie - group2 (with certificate)... " --LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT --authgroup group2 -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-group-key.pem -c ${srcdir}/certs/user-group-cert.pem -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 || -+LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT --authgroup group2 -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-group-key.pem -c ${srcdir}/certs/user-group-cert.pem -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 || - fail $PID "Could not connect with certificate!" - - echo ok - - echo -n "Connecting to obtain cookie - group3 (hidden) (with certificate)... " --LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT --authgroup group3 -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-group-key.pem -c ${srcdir}/certs/user-group-cert.pem -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 || -+LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT --authgroup group3 -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-group-key.pem -c ${srcdir}/certs/user-group-cert.pem -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 || - fail $PID "Could not connect with certificate!" 
- - echo ok -diff --git a/tests/test-pass-opt-cert b/tests/test-pass-opt-cert -index ac9adc1..1836538 100755 ---- a/tests/test-pass-opt-cert -+++ b/tests/test-pass-opt-cert -@@ -38,7 +38,7 @@ connect() - { - opts=$1 - pass=$2 --echo ${pass} | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT $opts --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --passwd-on-stdin --authenticate >${TMPFILE} -+echo ${pass} | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT $opts --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --passwd-on-stdin --authenticate >${TMPFILE} - if test $? != 0;then - cat ${TMPFILE} - return 1 -diff --git a/tests/test-pass-script b/tests/test-pass-script -index 89a4094..0f18551 100755 ---- a/tests/test-pass-script -+++ b/tests/test-pass-script -@@ -67,7 +67,7 @@ launch_server -d 1 -f -c "${CONFIG}" & PID=$! - wait_server $PID - - echo " * Connecting to obtain cookie with wrong username... " --( echo "tost" | $OPENCONNECT -q localhost:$PORT -u tost --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) && -+( echo "tost" | $OPENCONNECT -q localhost:$PORT -u tost --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) && - fail $PID "Received cookie when we shouldn't" - - rm -f ${builddir}/connect.ok -@@ -76,11 +76,11 @@ rm -f ${builddir}/host-update.ok - #test special characters - - echo " * Connecting to obtain cookie... " --( echo "!@#$%^&*()<>" | $OPENCONNECT -q localhost:$PORT -u "sp@c/al" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) || -+( echo "!@#$%^&*()<>" | $OPENCONNECT -q localhost:$PORT -u "sp@c/al" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) || - fail $PID "Could not receive cookie from server" - - echo " * Re-connecting to force script run... 
" --echo "!@#$%^&*()<>" | timeout 7 $OPENCONNECT -q --local-hostname='mylocalname' localhost:$PORT -u "sp@c/al" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s /bin/true -+echo "!@#$%^&*()<>" | timeout 7 $OPENCONNECT -q --local-hostname='mylocalname' localhost:$PORT -u "sp@c/al" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s /bin/true - - TIMEOUT=5 - while ! test -f ${builddir}/disconnect.ok; do -@@ -112,7 +112,7 @@ rm -f ${builddir}/disconnect.ok - rm -f ${builddir}/host-update.ok - - echo " * Re-connecting to get cookie... " --echo "test2" | $OPENCONNECT -q localhost:$PORT -u "test2" --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s /bin/true >${PARAMSFILE} -+echo "test2" | $OPENCONNECT -q localhost:$PORT -u "test2" --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s /bin/true >${PARAMSFILE} - if test $? != 0;then - echo "Could not connect" - cat ${PARAMSFILE} -@@ -127,7 +127,7 @@ fi - - echo " * Re-connecting to force session stealing... " - eval "$(grep COOKIE ${PARAMSFILE})" --echo ${COOKIE}| $OPENCONNECT --local-hostname='mylocalname' localhost:$PORT -u "test2" --reconnect-timeout 0 --cookie-on-stdin --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s /bin/true --pid-file=${OPIDFILE} -b -+echo ${COOKIE}| $OPENCONNECT --local-hostname='mylocalname' localhost:$PORT -u "test2" --reconnect-timeout 0 --cookie-on-stdin --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s /bin/true --pid-file=${OPIDFILE} -b - - echo " - Pausing client" - TIMEOUT=4 -@@ -156,7 +156,7 @@ rm -f ${builddir}/connect.ok - rm -f ${builddir}/disconnect.ok - - echo " * Re-connecting to steal previous IP address... 
" --echo ${COOKIE} | $OPENCONNECT -q --local-hostname='mylocalname' localhost:$PORT -u "test2" --reconnect-timeout 0 --cookie-on-stdin --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s /bin/true --pid-file=${OPIDFILE2} -b -+echo ${COOKIE} | $OPENCONNECT -q --local-hostname='mylocalname' localhost:$PORT -u "test2" --reconnect-timeout 0 --cookie-on-stdin --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s /bin/true --pid-file=${OPIDFILE2} -b - - echo " - Resuming (disconnected) client" - kill -s CONT $(cat ${OPIDFILE}) -@@ -205,7 +205,7 @@ done - sleep 5 - echo " - Check server status" - --( echo "!@#$%^&*()<>" | $OPENCONNECT --local-hostname='mylocalname' -q localhost:$PORT -u "sp@c/al" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) || -+( echo "!@#$%^&*()<>" | $OPENCONNECT --local-hostname='mylocalname' -q localhost:$PORT -u "sp@c/al" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) || - fail $PID "Could not receive cookie from server" - - echo " - Killing server" -diff --git a/tests/test-replay b/tests/test-replay -index b8aa848..0533893 100755 ---- a/tests/test-replay -+++ b/tests/test-replay -@@ -60,7 +60,7 @@ launch_server -d 9999 -f -c ${CONFIG} & PID=$! - wait_server $PID - - echo "Connecting to obtain cookie... " --eval `echo "test" | $OPENCONNECT -q localhost:$PORT -u test --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3` -+eval `echo "test" | $OPENCONNECT -q localhost:$PORT -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8=` - - if [ -z "$COOKIE" ];then - echo "Could not obtain cookie" -@@ -70,7 +70,7 @@ fi - #echo "Cookie: $COOKIE" - - echo "Connecting with cookie... 
" --echo "test" | $OPENCONNECT -q localhost:$PORT -u test -C "$COOKIE" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --verbose --pid-file "${PIDFILE1}" --background -+echo "test" | $OPENCONNECT -q localhost:$PORT -u test -C "$COOKIE" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --verbose --pid-file "${PIDFILE1}" --background - - sleep 4 - -diff --git a/tests/test-san-cert b/tests/test-san-cert -index a5040ae..a41c331 100755 ---- a/tests/test-san-cert -+++ b/tests/test-san-cert -@@ -49,25 +49,25 @@ PID=$! - wait_server $PID - - echo -n "Connecting to obtain cookie (without certificate)... " --( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly /dev/null 2>&1 ) && -+( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly /dev/null 2>&1 ) && - fail $PID "Connected without certificate!" - - echo "ok (failed as expected)" - - echo -n "Connecting to obtain cookie (with invalid certificate)... " --( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey "${srcdir}/certs/user-key.pem" -c "${srcdir}/certs/user-cert-invalid.pem" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly /dev/null 2>&1 ) && -+( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey "${srcdir}/certs/user-key.pem" -c "${srcdir}/certs/user-cert-invalid.pem" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly /dev/null 2>&1 ) && - fail $PID "Connected with invalid certificate!" - - echo "ok (failed as expected)" - - echo -n "Connecting to obtain cookie (with certificate - no SAN)... 
" --( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey "${srcdir}/certs/user-key.pem" -c "${srcdir}/certs/user-cert.pem" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly /dev/null 2>&1 ) && -+( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey "${srcdir}/certs/user-key.pem" -c "${srcdir}/certs/user-cert.pem" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly /dev/null 2>&1 ) && - fail $PID "Connected with invalid certificate!" - - echo "ok (failed as expected)" - - echo -n "Connecting to obtain cookie (with certificate - SAN)... " --( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey "${srcdir}/certs/user-key.pem" -c "${srcdir}/certs/user-san-cert.pem" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly /dev/null 2>&1 ) || -+( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey "${srcdir}/certs/user-key.pem" -c "${srcdir}/certs/user-san-cert.pem" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly /dev/null 2>&1 ) || - fail $PID "Failed to connect with certificate!" - - echo ok -diff --git a/tests/test-script-multi-user b/tests/test-script-multi-user -index 6327a26..c0bfa3d 100755 ---- a/tests/test-script-multi-user -+++ b/tests/test-script-multi-user -@@ -47,16 +47,16 @@ launch_sr_server -d 1 -f -c ${CONFIG} & PID=$! - wait_server $PID - - echo "Connecting to force script block... " --echo "!@#$%^&*()<>" | timeout 60 $OPENCONNECT -q localhost:$PORT -u "sp@c/al" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s /bin/true & -+echo "!@#$%^&*()<>" | timeout 60 $OPENCONNECT -q localhost:$PORT -u "sp@c/al" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s /bin/true & - - sleep 3 - - echo "Connecting to obtain cookie... 
" --( echo "${USERNAME}" | $OPENCONNECT -q localhost:$PORT -u "${USERNAME}" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) || -+( echo "${USERNAME}" | $OPENCONNECT -q localhost:$PORT -u "${USERNAME}" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) || - fail $PID "Could not receive cookie from server" - - echo "Connecting in background... " --( echo "${USERNAME}" | timeout 15 $OPENCONNECT -q localhost:$PORT -u "${USERNAME}" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --background >/dev/null 2>&1 ) || -+( echo "${USERNAME}" | timeout 15 $OPENCONNECT -q localhost:$PORT -u "${USERNAME}" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --background >/dev/null 2>&1 ) || - fail $PID "Could not connect to server; probably blocked" - - sleep 3 -diff --git a/tests/test-sighup b/tests/test-sighup -index add538f..dd424e5 100755 ---- a/tests/test-sighup -+++ b/tests/test-sighup -@@ -34,7 +34,7 @@ PID=$! - wait_server $PID - - echo -n "Connecting to obtain cookie (with certificate)... " --( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert.pem --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly /dev/null 2>&1 ) || -+( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert.pem --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly /dev/null 2>&1 ) || - fail $PID "Could not connect with certificate!" - - echo ok -@@ -44,7 +44,7 @@ kill -HUP $PID - sleep 5 - - echo -n "Connecting to obtain cookie (with certificate)... 
" --( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert.pem --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly /dev/null 2>&1 ) || -+( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert.pem --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly /dev/null 2>&1 ) || - fail $PID "Could not connect with certificate!" - - echo ok -@@ -57,7 +57,7 @@ kill -HUP $PID - sleep 5 - - echo -n "Connecting to obtain cookie (with certificate)... " --( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert.pem --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly /dev/null 2>&1 ) && -+( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert.pem --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly /dev/null 2>&1 ) && - fail $PID "Could not connect with certificate!" - - echo ok -diff --git a/tests/test-stress b/tests/test-stress -index 3816604..a2db96e 100755 ---- a/tests/test-stress -+++ b/tests/test-stress -@@ -33,7 +33,7 @@ run_client() { - PASS=$1; - shift; - -- ( echo $PASS | $OPENCONNECT -q $HOST -u $USER --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s /bin/true >/dev/null 2>&1 ) || -+ ( echo $PASS | $OPENCONNECT -q $HOST -u $USER --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s /bin/true >/dev/null 2>&1 ) || - echo "$USER: Could not connect to server" - } - -diff --git a/tests/test-udp-listen-host b/tests/test-udp-listen-host -index f3e6623..956938b 100755 ---- a/tests/test-udp-listen-host -+++ b/tests/test-udp-listen-host -@@ -111,7 +111,7 @@ ${CMDNS2} ${HAPROXY} -f ${HACONFIG} -d & HAPID=$! - sleep 3 - - echo " * Connecting to haproxy and using dtls ... 
" --echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${HAPORT} --user test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --script=/bin/true --verbose --pid-file "${CLIPID}" --background -+echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${HAPORT} --user test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --script=/bin/true --verbose --pid-file "${CLIPID}" --background - - wait_file "${CLIPID}" 11 - -@@ -134,7 +134,7 @@ echo "restart ocsev with udp-listen-host set to 127.0.0.1" - ${CMDNS2} ${SERV} -p ${PIDFILE} -f -c ${CONFIG_UDP_LISTEN_LOCAL} ${DEBUG} & PID=$! - - echo " * Connecting to haproxy and using dtls again ... " --echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${HAPORT} --user test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --script=/bin/true --verbose --pid-file "${CLIPID2}" --background -+echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${HAPORT} --user test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --script=/bin/true --verbose --pid-file "${CLIPID2}" --background - - wait_file "${CLIPID2}" 11 - -diff --git a/tests/test-user-config b/tests/test-user-config -index 1c7f518..f8573ce 100755 ---- a/tests/test-user-config -+++ b/tests/test-user-config -@@ -42,20 +42,20 @@ PID=$! - wait_server $PID - - echo -n "Connecting to obtain cookie (with certificate)... " --( $OPENCONNECT -q localhost:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert.pem --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly /dev/null ) || -+( $OPENCONNECT -q localhost:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert.pem --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly /dev/null ) || - fail $PID "Could not connect with certificate!" - - echo ok - - echo -n "Re-connecting to force script run... 
" --$OPENCONNECT -q localhost:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert.pem --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s /bin/true /dev/null & -+$OPENCONNECT -q localhost:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert.pem --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s /bin/true /dev/null & - kpid1=$! - echo ok - - sleep 2 - - echo -n "Re-connecting to check the iroutes... " --$OPENCONNECT -v localhost:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert-testuser.pem --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s /bin/true ${TMPFILE1} 2>&1 & -+$OPENCONNECT -v localhost:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert-testuser.pem --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s /bin/true ${TMPFILE1} 2>&1 & - kpid2=$! - - echo ok -@@ -63,7 +63,7 @@ sleep 3 - - echo -n "Checking if max-same-clients is considered... " - --timeout 15s $OPENCONNECT localhost:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert-testuser.pem --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s /bin/true ${TMPFILE2} 2>&1 -+timeout 15s $OPENCONNECT localhost:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert-testuser.pem --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s /bin/true ${TMPFILE2} 2>&1 - if test $? = 124;then - fail $PID "Max-same-clients directive was ignored" - fi -@@ -155,7 +155,7 @@ rm -f ${TMPFILE1} - rm -f ${TMPFILE2} - - echo -n "Re-connecting to check the ipv4-network... " --$OPENCONNECT -v localhost:$PORT --sslkey "${srcdir}/certs/user-key.pem" -c "${srcdir}/certs/user-cert-testipnet.pem" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s /bin/true ${TMPFILE1} 2>&1 & kpid3=$! 
-+$OPENCONNECT -v localhost:$PORT --sslkey "${srcdir}/certs/user-key.pem" -c "${srcdir}/certs/user-cert-testipnet.pem" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s /bin/true ${TMPFILE1} 2>&1 & kpid3=$! - - echo ok - sleep 3 -diff --git a/tests/test-vhost b/tests/test-vhost -index 902f011..1a57e60 100755 ---- a/tests/test-vhost -+++ b/tests/test-vhost -@@ -62,7 +62,7 @@ PID=$! - wait_server $PID - - echo -n "Connecting to default host to obtain cookie (user without certificate)... " --connect "default.example.com" "-u test" "test" "d66b507ae074d03b02eafca40d35f87dd81049d3" -+connect "default.example.com" "-u test" "test" "pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8=" - if test $? != 0;then - fail $PID "Failed to connect with user without certificate!" - fi -@@ -111,7 +111,7 @@ fi - echo ok - - echo -n "Connecting to default host to obtain cookie (with certificate)... " --connect "default.example.com" "-u test --sslkey ./certs/user-key.pem -c ./certs/user-cert.pem" "" "d66b507ae074d03b02eafca40d35f87dd81049d3" -+connect "default.example.com" "-u test --sslkey ./certs/user-key.pem -c ./certs/user-cert.pem" "" "pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8=" - if test $? = 0;then - fail $PID "Connected to wrong host with certificate!" - fi -@@ -136,7 +136,7 @@ kill -HUP $PID - sleep 5 - - echo -n "Sanity check to default host..." --connect "default.example.com" "-u test" "test" "d66b507ae074d03b02eafca40d35f87dd81049d3" -+connect "default.example.com" "-u test" "test" "pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8=" - if test $? != 0;then - fail $PID "Failed to connect with user without certificate!" - fi -diff --git a/tests/traffic b/tests/traffic -index 3ea962f..1f0fcaf 100755 ---- a/tests/traffic -+++ b/tests/traffic -@@ -79,14 +79,14 @@ sleep 4 - - # Run clients - echo " * Getting cookie from ${ADDRESS}:${PORT}..." 
--( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly ) -+( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly ) - if test $? != 0;then - echo "Could not get cookie from server" - exit 1 - fi - - echo " * Connecting to ${ADDRESS}:${PORT}..." --( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b ) -+( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b ) - if test $? != 0;then - echo "Could not connect to server" - exit 1 diff --git a/ocserv.conf b/ocserv.conf index d5e0814..0ecd600 100644 --- a/ocserv.conf +++ b/ocserv.conf @@ -34,7 +34,7 @@ # and all configuration will be read from radius. That also includes the # Acct-Interim-Interval, and Session-Timeout values. # -# See doc/README-radius.md for the supported radius configuration atributes. +# See doc/README-radius.md for the supported radius configuration attributes. # # gssapi[keytab=/etc/key.tab,require-local-user-map=true,tgt-freshness-time=900] # The gssapi option allows one to use authentication methods supported by GSSAPI, 
@@ -72,25 +72,29 @@ auth = "pam" # Only one accounting method can be specified. #acct = "radius[config=/etc/radiusclient/radiusclient.conf]" -# Use listen-host to limit to specific IPs or to the IPs of a provided +# Use listen-host to limit to specific IPs or to the IPs of a provided # hostname. #listen-host = [IP|HOSTNAME] +# Use udp-listen-host to limit udp to specific IPs or to the IPs of a provided +# hostname. if not set, listen-host will be used +#udp-listen-host = [IP|HOSTNAME] + # When the server has a dynamic DNS address (that may change), # should set that to true to ask the client to resolve again on # reconnects. #listen-host-is-dyndns = true -# Use udp-listen-host to limit udp to specific IPs or to the IPs of a provided -# hostname. if not set, listen-host will be used -#udp-listen-host = [IP|HOSTNAME] +# move the listen socket within the specified network namespace +# listen-netns = "foo" # TCP and UDP port number tcp-port = 443 udp-port = 443 -# The user the worker processes will be run as. It should be -# unique (no other services run as this user). +# The user the worker processes will be run as. This should be a dedicated +# unprivileged user (e.g., 'ocserv') and no other services should run as this +# user. run-as-user = ocserv run-as-group = ocserv @@ -148,7 +152,10 @@ server-key = /etc/pki/ocserv/private/server.key # is set. #ca-cert = /etc/ocserv/ca.pem - +# The number of sub-processes to use for the security module (authentication) +# processes. Typically this should not be set as the number of processes +# is determined automatically by the initially set maximum number of clients. +#sec-mod-scale = 4 ### All configuration options below this line are reloaded on a SIGHUP. 
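Review bot: The new disabled example `# listen-netns = "foo"` in the first hunk is written with a space after `#`, unlike every other commented-out option in this file (`#listen-host = [IP|HOSTNAME]`, `#udp-listen-host = [IP|HOSTNAME]`, `#sec-mod-scale = 4`), so it reads as prose rather than as a setting an operator can uncomment. Use the file's form: `#listen-netns = "foo"`. The one-line description above it should also say what the setting expects; `# Move the listen sockets into the named network namespace (must exist at startup).` would match the register of the surrounding comments, with the parenthetical confirmed against the server's behaviour since the hunk does not state it.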
@@ -167,7 +174,7 @@ server-key = /etc/pki/ocserv/private/server.key # Note however, that process isolation is restricted to the specific libc versions # the isolation was tested at. If you get random failures on worker processes, try # disabling that option and report the failures you, along with system and debugging -# information at: https://gitlab.com/ocserv/ocserv/issues +# information at: https://gitlab.com/openconnect/ocserv/issues isolate-workers = true # A banner to be displayed on clients after connection @@ -176,7 +183,8 @@ isolate-workers = true # A banner to be displayed on clients before connection #pre-login-banner = "Welcome" -# Limit the number of clients. Unset or set to zero for unlimited. +# Limit the number of clients. Unset or set to zero if unknown. In +# that case the maximum value is ~8k clients. #max-clients = 1024 max-clients = 16 @@ -238,6 +246,10 @@ switch-to-tcp-timeout = 25 # MTU discovery (DPD must be enabled) try-mtu-discovery = false +# To enable load-balancer connection draining, set server-drain-ms to a value +# higher than your load-balancer health probe interval. +#server-drain-ms = 15000 + # If you have a certificate from a CA that provides an OCSP # service you may provide a fresh OCSP status response within # the TLS handshake. That will prevent the client from connecting 
@@ -294,11 +306,8 @@ cert-user-oid = 0.9.2342.19200300.100.1.1 tls-priorities = "NORMAL:%SERVER_PRECEDENCE" # That option requires the established DTLS channel to use the same -# cipher as the primary TLS channel. This cannot be combined with -# listen-clear-file since the ciphersuite information is not available -# in that configuration. Note also, that this option implies that -# dtls-legacy option is false; this option cannot be enforced -# in the legacy/compat protocol. +# cipher as the primary TLS channel.Note also, that this option implies +# that the dtls-legacy option is false; this option cannot be enforced #match-tls-dtls-ciphers = true # The time (in seconds) that a client is allowed to stay connected prior @@ -327,11 +336,9 @@ min-reauth-time = 300 # that get a score over that configured number are banned for # min-reauth-time seconds. By default a wrong password attempt is 10 points, # a KKDCP POST is 1 point, and a connection is 1 point. Note that -# due to difference processes being involved the count of points -# will not be real-time precise. -# -# Score banning cannot be reliably used when receiving proxied connections -# locally from an HTTP server (i.e., when listen-clear-file is used). +# due to different processes being involved the count of points +# will not be real-time precise. Local subnet IPs are exempt to allow +# services that check for process health. # # Set to zero to disable. max-ban-score = 80 
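Review bot: The rewritten `match-tls-dtls-ciphers` comment now ends mid-sentence: the new line `# that the dtls-legacy option is false; this option cannot be enforced` drops the trailing `in the legacy/compat protocol.` that the removed text carried, and the line before it lost the space in `channel.Note`. Suggest `# cipher as the primary TLS channel. Note also, that this option implies`, `# that the dtls-legacy option is false; this option cannot be enforced` and `# in the legacy/compat protocol.` as the three lines. The `listen-clear-file` caveat is removed both here and in the `max-ban-score` hunk below; presumably that follows the upstream 1.2.0 sample config, but it is worth confirming before the packaged file silently loses it.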
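Review bot: The new `max-ban-score` wording `Local subnet IPs are exempt to allow services that check for process health` does not say how the local subnet is determined, nor that the exemption means failed password attempts from those addresses are never rate-limited by the ban score. A short addition such as `# (failed logins from those addresses are never banned, so restrict who can reach the local subnet)` would let an administrator reading the packaged config see the trade-off.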
@@ -381,7 +388,8 @@ rekey-method = ssl # Script to call when a client connects and obtains an IP. # The following parameters are passed on the environment. # REASON, VHOST, USERNAME, GROUPNAME, DEVICE, IP_REAL (the real IP of the client), -# IP_REAL_LOCAL (the local interface IP the client connected), IP_LOCAL +# REMOTE_HOSTNAME (the remotely advertised hostname), IP_REAL_LOCAL +# (the local interface IP the client connected), IP_LOCAL # (the local IP in the P-t-P connection), IP_REMOTE (the VPN IP of the client), # IPV6_LOCAL (the IPv6 local address if there are both IPv4 and IPv6 # assigned), IPV6_REMOTE (the IPv6 remote address), IPV6_PREFIX, and @@ -400,6 +408,12 @@ rekey-method = ssl #connect-script = /usr/bin/ocserv-script #disconnect-script = /usr/bin/ocserv-script +# This script is to be called when the client's advertised hostname becomes +# available. It will contain REASON with "host-update" value and the +# variable REMOTE_HOSTNAME in addition to the connect variables. + +#host-update-script = /usr/bin/myhostnamescript + # UTMP # Register the connected clients to utmp. This will allow viewing # the connected clients using the command 'who'. @@ -412,6 +426,20 @@ use-occtl = true # PID file. It can be overridden in the command line. pid-file = /var/run/ocserv.pid +# Log Level. Ocserv sends the logging messages to standard error +# as well as the system log. The log level can be overridden in the +# command line with the -d option. All messages at the configured +# level and lower will be displayed. +# Supported levels (default 0): +# 0 default (Same as basic) +# 1 basic +# 2 info +# 3 debug +# 4 http +# 8 sensitive +# 9 TLS +log-level = 1 + # Set the protocol-defined priority (SO_PRIORITY) for packets to # be sent. That is a number from 0 to 6 with 0 being the lowest # priority. Alternatively this can be used to set the IP Type- 
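Review bot: `REMOTE_HOSTNAME` is described here only as `the remotely advertised hostname`, and neither this hunk nor the `host-update-script` hunk below states that it is a value supplied by the client; since the scripts receive it through the environment, any script that interpolates it into a shell command or a log line has to treat it as untrusted input. Suggest adding `# (REMOTE_HOSTNAME is client-supplied; scripts must quote it and must not trust it)` after the variable list and a matching sentence in the `host-update-script` description. In the `log-level` hunk the level table lists `8 sensitive` and `9 TLS`; a one-line warning that raising the level to 8 or above writes security-sensitive details to syslog would help operators who bump it for troubleshooting.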
@@ -434,7 +462,8 @@ device = vpns # same for the same user when possible. predictable-ips = true -# The default domain to be advertised +# The default domain to be advertised. Multiple domains (functional on +# openconnect clients) can be provided in a space separated list. default-domain = example.com # The pool of addresses that leases will be given from. If the leases @@ -561,10 +590,10 @@ no-route = 192.168.5.0/255.255.255.0 # per group. Each file name on these directories must match the username # or the groupname. # The options allowed in the configuration files are dns, nbns, -# ipv?-network, ipv4-netmask, rx/tx-per-sec, iroute, route, no-route, -# explicit-ipv4, explicit-ipv6, net-priority, deny-roaming, no-udp, +# ipv?-network, ipv4-netmask, rx/tx-data-per-sec, iroute, route, no-route, +# explicit-ipv4, explicit-ipv6, net-priority, deny-roaming, no-udp, # keepalive, dpd, mobile-dpd, max-same-clients, tunnel-all-dns, -# restrict-user-to-routes, user-profile, cgroup, stats-report-time, +# restrict-user-to-routes, cgroup, stats-report-time, # mtu, idle-timeout, mobile-idle-timeout, restrict-user-to-ports, # split-dns and session-timeout. # @@ -628,10 +657,13 @@ no-route = 192.168.5.0/255.255.255.0 # # # Other fields may be used by some of the CISCO clients. -# This file must be accessible from inside the worker's chroot. -# Note that enabling this option is not recommended as it will allow -# the worker processes to open arbitrary files (when isolate-workers is -# set to true). +# This file must be accessible from inside the worker's chroot. +# Note that: +# (1) enabling this option is not recommended as it will allow the +# worker processes to open arbitrary files (when isolate-workers is +# set to true). +# (2) This option cannot be set per-user or per-group; only the global +# version is being sent to client. #user-profile = profile.xml # 
@@ -657,6 +689,35 @@ cisco-client-compat = true # by the dtls-psk protocol supported by openconnect 7.08+. dtls-legacy = true +# This option will enable the settings needed for Cisco SVC IPPhone clients +# to connect. It implies dtls-legacy = true and tls-priorities is changed to +# only the ciphers the device supports. +cisco-svc-client-compat = false + +# This option will enable the X-CSTP-Client-Bypass-Protocol (disabled by default). +# If the server has not configured an IPv6 or IPv4 address pool, enabling this option +# will instruct the client to bypass the server for that IP protocol. The option is +# currently only understood by Anyconnect clients. +client-bypass-protocol = false + +# The following options are related to server camouflage (hidden service) + +# This option allows you to enable the camouflage feature of ocserv that makes it look +# like a web server to unauthorized parties. +# With "camouflage" enabled, connection to the VPN can be established only if the client provided a specific +# "secret string" in the connection URL, e.g. "https://example.com/?mysecretkey", +# otherwise the server will return HTTP error for all requests. +camouflage = false + +# The URL prefix that should be set on the client (after '?' sign) to pass through the camouflage check, +# e.g. in case of 'mysecretkey', the server URL on the client should be like "https://example.com/?mysecretkey". +camouflage_secret = "mysecretkey" + +# Defines the realm (browser prompt) for HTTP authentication. +# If no realm is set, the server will return 404 Not found error instead of 401 Unauthorized. +# Better change it from the default value to avoid fingerprinting. +camouflage_realm = "Restricted Content" + #Advanced options # Option to allow sending arbitrary custom headers to the client after 
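Review bot: `camouflage_secret = "mysecretkey"` is shipped as an active setting with the very value the comment above uses as its example, while the neighbouring `camouflage_realm` comment already tells the administrator to change the default to avoid fingerprinting. If someone later sets `camouflage = true` without touching the secret, the URL check is satisfied by a publicly documented string and the hidden-service feature gives no protection. Suggest shipping the line commented out, `#camouflage_secret = "mysecretkey"`, and adding `# Set this to a long random value before enabling camouflage; the example value is public.`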
@@ -669,8 +730,8 @@ dtls-legacy = true -## An example virtual host with different authentication methods serviced -## by this server. +# An example virtual host with different authentication methods serviced +# by this server. #[vhost:www.example.com] #auth = "certificate" @@ -687,3 +748,18 @@ dtls-legacy = true #ipv4-netmask = 255.255.255.0 #cert-user-oid = 0.9.2342.19200300.100.1.1 + +# HTTP headers +included-http-headers = Strict-Transport-Security: max-age=31536000 ; includeSubDomains +included-http-headers = X-Frame-Options: deny +included-http-headers = X-Content-Type-Options: nosniff +included-http-headers = Content-Security-Policy: default-src 'none' +included-http-headers = X-Permitted-Cross-Domain-Policies: none +included-http-headers = Referrer-Policy: no-referrer +included-http-headers = Clear-Site-Data: "cache","cookies","storage" +included-http-headers = Cross-Origin-Embedder-Policy: require-corp +included-http-headers = Cross-Origin-Opener-Policy: same-origin +included-http-headers = Cross-Origin-Resource-Policy: same-origin +included-http-headers = X-XSS-Protection: 0 +included-http-headers = Pragma: no-cache +included-http-headers = Cache-control: no-store, no-cache diff --git a/ocserv.spec b/ocserv.spec index 8f2b22b..1a72762 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -1,4 +1,4 @@ -Version: 1.1.7 +Version: 1.2.0 Release: %autorelease %global _hardened_build 1 @@ -38,8 +38,6 @@ Source8: ocserv-genkey Source9: ocserv-script Source10: gpgkey-56EE7FA9E8173B19FE86268D763712747F343FA7.gpg Source11: ocserv.init -# When removed remove the autoreconf step -Patch0: expired-certs.patch # Taken from upstream: # http://git.infradead.org/ocserv.git/commitdiff/7d70006a2dbddf783213f1856374bacc74217e09 
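Review bot: The `included-http-headers` lines are appended after the commented-out `#[vhost:www.example.com]` example; if that block is ever uncommented, options following a `[vhost:...]` header presumably belong to that virtual host, so the security headers would stop applying to the default host. Moving the block above the vhost example, or adding `# These headers apply to the default host; per-vhost headers go inside the vhost section.`, avoids that surprise. `Clear-Site-Data: "cache","cookies","storage"` is also sent on every response; the VPN client is unaffected, but any browser-based flow through this endpoint has its storage cleared on each request, so a comment stating that this is intended would help.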
@@ -141,8 +139,6 @@ gpgv2 --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0} || gpgv2 --keyring %{SOURCE10} %endif %autosetup -p1 -# temporarily needed to apply patches -autoreconf -fvi rm -f src/http-parser/http_parser.c src/http-parser/http_parser.h %if (0%{?use_local_protobuf} == 0) @@ -152,9 +148,6 @@ touch src/*.proto rm -rf src/ccan/talloc sed -i 's|/etc/ocserv.conf|/etc/ocserv/ocserv.conf|g' src/config.c sed -i 's/run-as-group = nogroup/run-as-group = nobody/g' tests/data/*.config -# GPLv3 in headers is a gnulib bug: -# http://lists.gnu.org/archive/html/bug-gnulib/2013-11/msg00062.html -sed -i 's/either version 3 of the License/either version 2 of the License/g' build-aux/snippet/* %if 0%{?rhel} && 0%{?rhel} <= 6 echo "int main() { return 77; }" > tests/valid-hostname.c @@ -199,7 +192,8 @@ mkdir -p -m 700 %{_sysconfdir}/pki/ocserv/private mkdir -p %{_sysconfdir}/pki/ocserv/cacerts %check -make check %{?_smp_mflags} VERBOSE=1 +# The 1.2.0 release has a missing file +make check %{?_smp_mflags} VERBOSE=1 XFAIL_TESTS="test-group-cert" %if %{use_systemd} %post @@ -254,7 +248,7 @@ install -D -m 0755 %{SOURCE11} %{buildroot}/%{_initrddir}/%{name} %config(noreplace) %{_sysconfdir}/pam.d/ocserv %config(noreplace) %{_localstatedir}/lib/ocserv/profile.xml -%doc AUTHORS ChangeLog NEWS COPYING COPYING README.md PACKAGE-LICENSING +%doc AUTHORS ChangeLog NEWS COPYING README.md PACKAGE-LICENSING doc/README-radius.md %doc src/ccan/licenses/CC0 src/ccan/licenses/LGPL-2.1 src/ccan/licenses/BSD-MIT %{_mandir}/man8/ocserv.8* diff --git a/sources b/sources index 30fa688..bd969b3 100644 --- a/sources +++ b/sources 
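Review bot: `XFAIL_TESTS="test-group-cert"` turns a certificate-group test into an expected failure, so a genuine regression in group-certificate authentication would no longer fail the build, and the comment `# The 1.2.0 release has a missing file` names neither the file nor an upstream report. Suggest recording both so the XFAIL can be dropped once upstream ships the file, e.g. `# The 1.2.0 tarball lacks <missing file>; see <upstream issue>` with the real values filled in.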
@@ -1,2 +1,2 @@ -SHA512 (ocserv-1.1.7.tar.xz) = 5b6182b98c0406a27dae7121ec0d8771b158e0d8ce2056bd35451c8ed087a8b7f7d40035f9db5c19aa9a9a3b2c6b07be8f0bad4b6b96569584815a5358202ba4 -SHA512 (ocserv-1.1.7.tar.xz.sig) = 96d2562fdf918f2b6ea829d747330a3be2e015ab25897e01bd0d387cb69ef3592aacabbeec9612e95eca1fbce6178a176dbf76d553b7626c09d453d216ddd63d +SHA512 (ocserv-1.2.0.tar.xz) = 23edd48313cb4988cea1e2493ab65784c7a39a062798e1ffd380b6de5629e69bd71ded863eb7a0c9fe1bac3cc2db23014cdedbd5d15801e2a66d5ef4e3f28ffb +SHA512 (ocserv-1.2.0.tar.xz.sig) = 1d8ac24c97c6495adc070f7b24553715ff27e6a9937a020522904559f4c48f3e18ca712b80762d55c285ce8f99eb4cd9a84b2875a351eb1df1ef6c705c5d3199 From 4335142cbc18b8f89bf76719a0dc15b928ad1117 Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Tue, 15 Aug 2023 19:16:12 +0200 Subject: [PATCH 169/177] use %systemd_postun_with_restart Signed-off-by: Nikos Mavrogiannopoulos --- ocserv.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ocserv.spec b/ocserv.spec index 1a72762..a44cf9c 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -203,7 +203,7 @@ make check %{?_smp_mflags} VERBOSE=1 XFAIL_TESTS="test-group-cert" %systemd_preun ocserv.service %postun -%systemd_postun ocserv.service +%systemd_postun_with_restart ocserv.service %endif %install From e054a61e967e95d9d8249d90dc8254ff0dd7439f Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Tue, 22 Aug 2023 19:31:54 +0200 Subject: [PATCH 170/177] updated URIs of source --- ocserv.spec | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ocserv.spec b/ocserv.spec index a44cf9c..f940294 100644 --- a/ocserv.spec +++ b/ocserv.spec 
@@ -27,8 +27,8 @@ Summary: OpenConnect SSL VPN server # To simplify licenses LGPLv2+ files have been promoted to GPLv2+. License: GPLv2+ and BSD and MIT and CC0 URL: http://www.infradead.org/ocserv/ -Source0: ftp://ftp.infradead.org/pub/ocserv/%{name}-%{version}.tar.xz -Source1: ftp://ftp.infradead.org/pub/ocserv/%{name}-%{version}.tar.xz.sig +Source0: https://www.infradead.org/pub/ocserv/%{name}-%{version}.tar.xz +Source1: https://www.infradead.org/pub/ocserv/%{name}-%{version}.tar.xz.sig Source2: gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg Source3: ocserv.conf Source4: ocserv.service From 1699efe2725c751015e766735854ac238932c49a Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Wed, 23 Aug 2023 09:21:15 +0200 Subject: [PATCH 171/177] corrected download link --- ocserv.spec | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ocserv.spec b/ocserv.spec index f940294..63ec528 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -27,8 +27,8 @@ Summary: OpenConnect SSL VPN server # To simplify licenses LGPLv2+ files have been promoted to GPLv2+. License: GPLv2+ and BSD and MIT and CC0 URL: http://www.infradead.org/ocserv/ -Source0: https://www.infradead.org/pub/ocserv/%{name}-%{version}.tar.xz -Source1: https://www.infradead.org/pub/ocserv/%{name}-%{version}.tar.xz.sig +Source0: https://www.infradead.org/ocserv/download/%{name}-%{version}.tar.xz +Source1: https://www.infradead.org/ocserv/download/%{name}-%{version}.tar.xz.sig Source2: gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg Source3: ocserv.conf Source4: ocserv.service From 5ceb96715ae39d42bf7eea26e517eff4d97c95cc Mon Sep 17 00:00:00 2001 
From: Packit Date: Wed, 23 Aug 2023 07:25:56 +0000 Subject: [PATCH 172/177] [packit] 1.2.1 upstream release MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Upstream tag: 1.2.1 Upstream commit: 895a23f3 If you need to do any change in this pull request, you need to locally fetch the source branch of it and push it (with a fix) to your fork (as it is not possible to push to the branch created in the Packit’s fork): ``` git fetch https://src.fedoraproject.org/forks/packit/rpms/ocserv.git refs/heads/*:refs/remotes/packit/* git checkout packit/1.2.1-epel9-update-pull_from_upstream ``` --- .gitignore | 2 ++ README.packit | 3 +++ ocserv.spec | 2 +- sources | 4 ++-- 4 files changed, 8 insertions(+), 3 deletions(-) create mode 100644 README.packit diff --git a/.gitignore b/.gitignore index 2113177..1b89049 100644 --- a/.gitignore +++ b/.gitignore @@ -241,3 +241,5 @@ /ocserv-1.1.7.tar.xz.sig /ocserv-1.2.0.tar.xz /ocserv-1.2.0.tar.xz.sig +/ocserv-1.2.1.tar.xz +/ocserv-1.2.1.tar.xz.sig diff --git a/README.packit b/README.packit new file mode 100644 index 0000000..797aefb --- /dev/null +++ b/README.packit @@ -0,0 +1,3 @@ +This repository is maintained by packit. +https://packit.dev/ +The file was generated using packit 0.79.0.post2+g93f33d9. diff --git a/ocserv.spec b/ocserv.spec index 63ec528..67ea6c7 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -1,4 +1,4 @@ -Version: 1.2.0 +Version: 1.2.1 Release: %autorelease %global _hardened_build 1 diff --git a/sources b/sources index bd969b3..b336b2f 100644 --- a/sources +++ b/sources 
@@ -1,2 +1,2 @@ -SHA512 (ocserv-1.2.0.tar.xz) = 23edd48313cb4988cea1e2493ab65784c7a39a062798e1ffd380b6de5629e69bd71ded863eb7a0c9fe1bac3cc2db23014cdedbd5d15801e2a66d5ef4e3f28ffb -SHA512 (ocserv-1.2.0.tar.xz.sig) = 1d8ac24c97c6495adc070f7b24553715ff27e6a9937a020522904559f4c48f3e18ca712b80762d55c285ce8f99eb4cd9a84b2875a351eb1df1ef6c705c5d3199 +SHA512 (ocserv-1.2.1.tar.xz) = 13cc0dc33cced3c020a754414ce6f4f6c210875b75264528b2ba7b62c07416c30db1549f2efdad6f5f01b3156a23379243c7d761b3164db9741929ec8e001c93 +SHA512 (ocserv-1.2.1.tar.xz.sig) = de1a4ec354d48834901e98f165d9f25b5a3a19f7b81194b728dac19d93198a8ddd8b692cb266fe3a707523a8d936403f171c3f33ed8293ff20a5eda9d3abc912 From 9808a6f48fd16155f4f44364f7c3c077bea520a2 Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Wed, 23 Aug 2023 09:47:54 +0200 Subject: [PATCH 173/177] make check: no longer use xfail for missing file --- ocserv.spec | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/ocserv.spec b/ocserv.spec index 67ea6c7..6ca2228 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -192,8 +192,7 @@ mkdir -p -m 700 %{_sysconfdir}/pki/ocserv/private mkdir -p %{_sysconfdir}/pki/ocserv/cacerts %check -# The 1.2.0 release has a missing file -make check %{?_smp_mflags} VERBOSE=1 XFAIL_TESTS="test-group-cert" +make check %{?_smp_mflags} VERBOSE=1 %if %{use_systemd} %post From 32b4c1e85e5a267581b14db2a7a221790f73013c Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Tue, 29 Aug 2023 11:00:27 +0200 Subject: [PATCH 174/177] config: increased log level to 3 Signed-off-by: Nikos Mavrogiannopoulos --- ocserv.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ocserv.conf b/ocserv.conf index 0ecd600..0e63981 100644 --- a/ocserv.conf +++ b/ocserv.conf @@ -438,7 +438,7 @@ pid-file = /var/run/ocserv.pid # 4 http # 8 sensitive # 9 TLS -log-level = 1 +log-level = 3 # Set the protocol-defined priority (SO_PRIORITY) for packets to # be sent. That is a number from 0 to 6 with 0 being the lowest 
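Review bot: `log-level = 3` makes `debug` the default for every installation of this package (the level table in the same file lists 3 as debug), which increases syslog volume per connection on busy servers, and the commit message gives no rationale. If this is meant for troubleshooting a specific release, a comment such as `# 3 (debug) is the packaged default for now; lower to 1 for production` would tell administrators the intent. Per the same table, 3 stays below `8 sensitive` and `9 TLS`, so those message classes remain off.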
From a6589987fd097a55717fbe45f5d71fec0e0d3020 Mon Sep 17 00:00:00 2001 From: Packit Date: Thu, 21 Sep 2023 19:44:33 +0000 Subject: [PATCH 175/177] [packit] 1.2.2 upstream release Upstream tag: 1.2.2 Upstream commit: f6164756 --- .gitignore | 2 ++ README.packit | 2 +- ocserv.spec | 2 +- sources | 4 ++-- 4 files changed, 6 insertions(+), 4 deletions(-) diff --git a/.gitignore b/.gitignore index 1b89049..4fa485b 100644 --- a/.gitignore +++ b/.gitignore @@ -243,3 +243,5 @@ /ocserv-1.2.0.tar.xz.sig /ocserv-1.2.1.tar.xz /ocserv-1.2.1.tar.xz.sig +/ocserv-1.2.2.tar.xz +/ocserv-1.2.2.tar.xz.sig diff --git a/README.packit b/README.packit index 797aefb..ce6b9b9 100644 --- a/README.packit +++ b/README.packit @@ -1,3 +1,3 @@ This repository is maintained by packit. https://packit.dev/ -The file was generated using packit 0.79.0.post2+g93f33d9. +The file was generated using packit 0.80.0.post35+g9430d702. diff --git a/ocserv.spec b/ocserv.spec index 6ca2228..ff70f88 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -1,4 +1,4 @@ -Version: 1.2.1 +Version: 1.2.2 Release: %autorelease %global _hardened_build 1 diff --git a/sources b/sources index b336b2f..58e8472 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (ocserv-1.2.1.tar.xz) = 13cc0dc33cced3c020a754414ce6f4f6c210875b75264528b2ba7b62c07416c30db1549f2efdad6f5f01b3156a23379243c7d761b3164db9741929ec8e001c93 -SHA512 (ocserv-1.2.1.tar.xz.sig) = de1a4ec354d48834901e98f165d9f25b5a3a19f7b81194b728dac19d93198a8ddd8b692cb266fe3a707523a8d936403f171c3f33ed8293ff20a5eda9d3abc912 +SHA512 (ocserv-1.2.2.tar.xz) = f1a55d2d849aadadcae6ea792845531d4fe71a3d7defad353a961828ddea74faa85a7d6b8de64a5fce115b14ea00f87755f01833cf31550532b1c52a02bd1fb0 +SHA512 (ocserv-1.2.2.tar.xz.sig) = e3a159d76b5651c99487546681657cdb008d50d86647bf2df1034dc6936720d0db9566490958a9d79ad4a68b122b1d19021e0c849d72a0ab3277d777b9e1ddb7 From a84f3ca3a7eb058dee4150b96a15ec634b4a97e1 Mon Sep 17 00:00:00 2001 
From: Nikos Mavrogiannopoulos Date: Fri, 22 Sep 2023 14:44:26 +0200 Subject: [PATCH 176/177] Added packit config --- .packit.yaml | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) create mode 100644 .packit.yaml diff --git a/.packit.yaml b/.packit.yaml new file mode 100644 index 0000000..b3ac8a0 --- /dev/null +++ b/.packit.yaml @@ -0,0 +1,26 @@ +upstream_project_url: https://gitlab.com/openconnect/ocserv +issue_repository: https://gitlab.com/openconnect/ocserv +copy_upstream_release_description: true +downstream_package_name: ocserv + +jobs: +- job: pull_from_upstream + trigger: release + dist_git_branches: + - fedora-all + - epel-8 + - epel-9 + +- job: koji_build + trigger: commit + dist_git_branches: + - fedora-all + - epel-8 + - epel-9 + +- job: bodhi_update + trigger: commit + dist_git_branches: + - fedora-branched # rawhide updates are created automatically + - epel-8 + - epel-9 From 4226be09dbbebf3031e28478180633c1e7b12c80 Mon Sep 17 00:00:00 2001 From: MSVSphere Packaging Team Date: Mon, 30 Oct 2023 17:37:07 +0300 Subject: [PATCH 177/177] Remove unnecessary files and fix spec-file --- ocserv.spec | 554 +++++++++++++++++++++++++++++++++++++++++++++++++++- sources | 2 - 2 files changed, 553 insertions(+), 3 deletions(-) delete mode 100644 sources diff --git a/ocserv.spec b/ocserv.spec index ff70f88..fcddf62 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -1,3 +1,13 @@ +## START: Set by rpmautospec +## (rpmautospec version 0.3.5) +## RPMAUTOSPEC: autorelease, autochangelog +%define autorelease(e:s:pb:n) %{?-p:0.}%{lua: + release_number = 2; + base_release_number = tonumber(rpm.expand("%{?-b*}%{!?-b:1}")); + print(release_number + base_release_number - 1); +}%{?-e:.%{-e*}}%{?-s:.%{-s*}}%{!?-n:%{?dist}} +## END: Set by rpmautospec + Version: 1.2.2 Release: %autorelease %global _hardened_build 1 
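Review bot: The inlined `%define autorelease(...)` hard-codes `release_number = 2;`, so `Release: %autorelease` no longer increments automatically; every later change to this spec needs a manual bump of that number, which is easy to forget and would rebuild under an unchanged release. A comment next to it, `## Frozen rpmautospec expansion: bump release_number on every spec change`, or a plain `Release:` value, would make that explicit. The diffstat also shows `delete mode 100644 sources` while the spec still verifies `%{SOURCE1}` against `%{SOURCE0}` with gpgv2 in an earlier hunk of this series; that deletion is outside this view, so it is worth confirming where the tarball and its signature are now fetched from.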
@@ -269,4 +279,546 @@ install -D -m 0755 %{SOURCE11} %{buildroot}/%{_initrddir}/%{name} %endif %changelog -%autochangelog +* Fri Sep 22 2023 Nikos Mavrogiannopoulos - 1.2.2-2 +- Added packit config + +* Thu Sep 21 2023 Packit - 1.2.2-1 +- [packit] 1.2.2 upstream release + +* Tue Aug 29 2023 Nikos Mavrogiannopoulos - 1.2.1-3 +- config: increased log level to 3 + +* Wed Aug 23 2023 Nikos Mavrogiannopoulos - 1.2.1-2 +- make check: no longer use xfail for missing file + +* Wed Aug 23 2023 Packit - 1.2.1-1 +- [packit] 1.2.1 upstream release + +* Wed Aug 23 2023 Nikos Mavrogiannopoulos - 1.2.0-4 +- corrected download link + +* Tue Aug 22 2023 Nikos Mavrogiannopoulos - 1.2.0-3 +- updated URIs of source + +* Tue Aug 15 2023 Nikos Mavrogiannopoulos - 1.2.0-2 +- use %%systemd_postun_with_restart + +* Tue Jul 11 2023 Nikos Mavrogiannopoulos - 1.2.0-1 +- Updated to 1.2.0 + +* Tue Jul 11 2023 Nikos Mavrogiannopoulos - 1.1.7-3 +- use %%autorelease and %%autochangelog + +* Thu Jun 22 2023 Nikos Mavrogiannopoulos - 1.1.7-2 +- Backported fixes for expired certificates + +* Sun May 07 2023 Nikos Mavrogiannopoulos - 1.1.7-1 +- updated to 1.1.7 + +* Thu Feb 17 2022 Nikos Mavrogiannopoulos - 1.1.6-1 +- Updated to 1.1.6 + +* Thu Feb 10 2022 Nikos Mavrogiannopoulos - 1.1.4-3 +- Fixes for gnutls 3.7.3 and glibc new syscalls + +* Thu Jan 20 2022 Fedora Release Engineering - 1.1.4-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild + +* Sat Nov 13 2021 Nikos Mavrogiannopoulos - 1.1.4-1 +- update to 1.1.4 + +* Sat Nov 06 2021 Adrian Reber - 1.1.3-5 +- Rebuilt for protobuf 3.19.0 + +* Tue Oct 26 2021 Adrian Reber - 1.1.3-4 +- Rebuilt for protobuf 3.18.1 + +* Thu Jul 22 2021 Fedora Release Engineering - 1.1.3-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild + +* Wed Jun 02 2021 Nikos Mavrogiannopoulos - 1.1.3-2 +- removed unused file + +* Wed Jun 02 2021 Nikos Mavrogiannopoulos - 1.1.3-1 +- updated to 1.1.3 + +* Tue Jan 26 2021 Fedora Release 
Engineering - 1.1.2-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + +* Thu Jan 14 2021 Adrian Reber - 1.1.2-5 +- Rebuilt for protobuf 3.14 + +* Sat Jan 09 2021 Tom Stellard - 1.1.2-4 +- Add BuildRequires: make + +* Wed Dec 09 2020 Nikos Mavrogiannopoulos - 1.1.2-3 +- do not special case rhel8 for http-parser + +* Sun Dec 06 2020 Nikos Mavrogiannopoulos - 1.1.2-2 +- skip patch that needs root + +* Sun Dec 06 2020 Nikos Mavrogiannopoulos - 1.1.2-1 +- Update to upstream 1.1.2 release + +* Mon Nov 23 2020 Nikos Mavrogiannopoulos - 1.1.1-15 +- Rebuilt for ronn successor + +* Thu Nov 12 2020 Nikos Mavrogiannopoulos - 1.1.1-14 +- rebuilt for new radcli + +* Fri Oct 30 2020 Nikos Mavrogiannopoulos - 1.1.1-13 +- spec: removed seccomp-trap debugging option + +* Fri Oct 30 2020 Nikos Mavrogiannopoulos - 1.1.1-12 +- Compile with new glibc + +* Thu Oct 29 2020 Nikos Mavrogiannopoulos - 1.1.1-11 +- rebuild without pcllib + +* Fri Oct 23 2020 Nikos Mavrogiannopoulos - 1.1.1-10 +- do not treat TODO as document to install + +* Thu Sep 24 2020 Adrian Reber - 1.1.1-9 +- Rebuilt for protobuf 3.13 + +* Mon Sep 21 2020 Nikos Mavrogiannopoulos - 1.1.1-8 +- corrected bogus date + +* Mon Sep 21 2020 Nikos Mavrogiannopoulos - 1.1.1-7 +- disable socket_wrapper on archs where it causes problems + +* Mon Sep 21 2020 Nikos Mavrogiannopoulos - 1.1.1-6 +- make check: be verbose + +* Mon Sep 21 2020 Nikos Mavrogiannopoulos - 1.1.1-5 +- removed xfail tests; they no longer fail + +* Mon Sep 21 2020 Nikos Mavrogiannopoulos - 1.1.1-4 +- ensure gnutls-utils are installed when building + +* Mon Sep 21 2020 Nikos Mavrogiannopoulos - 1.1.1-3 +- added resumption to XFAIL + +* Mon Sep 21 2020 Nikos Mavrogiannopoulos - 1.1.1-2 +- documented crypto policies change + +* Mon Sep 21 2020 Nikos Mavrogiannopoulos - 1.1.1-1 +- updated to 1.1.1 + +* Tue Jul 28 2020 Fedora Release Engineering - 1.1.0-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Sun Jun 21 2020 
Adrian Reber - 1.1.0-2 +- Rebuilt for protobuf 3.12 + +* Tue Jun 16 2020 Nikos Mavrogiannopoulos - 1.1.0-1 +- updated to 1.1.0 + +* Wed May 06 2020 Nikos Mavrogiannopoulos - 1.0.1-4 +- Requirements turned to recommendations + +* Fri May 01 2020 Nikos Mavrogiannopoulos - 1.0.1-3 +- sources: removed unnecessary files + +* Wed Apr 15 2020 Igor Raits - 1.0.1-2 +- Rebuild for http-parser 2.9.4 + +* Thu Apr 09 2020 Nikos Mavrogiannopoulos - 1.0.1-1 +- Update to 1.0.1-1 +- Update to upstream 1.0.1 release + +* Thu Apr 09 2020 Nikos Mavrogiannopoulos - 1.0.0-2 +- sources: removed unnecessary files + +* Fri Mar 20 2020 Nikos Mavrogiannopoulos - 1.0.0-1 +- Update to 1.0.0-1 +- Update to upstream 1.0.0 release + +* Wed Jan 29 2020 Fedora Release Engineering - 0.12.6-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Thu Jan 02 2020 Nikos Mavrogiannopoulos - 0.12.6-3 +- updated configuration to mark profile as configuration + +* Sat Dec 28 2019 Nikos Mavrogiannopoulos - 0.12.6-2 +- ocserv.conf: updated to latest upstream version + +* Sat Dec 28 2019 Nikos Mavrogiannopoulos - 0.12.6-1 +- Update to 0.12.6-1 +- Update to upstream 0.12.6 release + +* Wed Oct 16 2019 Nikos Mavrogiannopoulos - 0.12.5-1 +- Update to 0.12.5-1 +- Update to upstream 0.12.5 release + +* Wed Oct 16 2019 Nikos Mavrogiannopoulos - 0.12.4-4 +- spec: fix missing definition + +* Mon Oct 14 2019 Nikos Mavrogiannopoulos +- spec: updated for rhel8 + +* Thu Jul 25 2019 Fedora Release Engineering - 0.12.4-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Wed Jul 03 2019 Nikos Mavrogiannopoulos - 0.12.4-1 +- Update to 0.12.4-1 +- Update to upstream 0.12.4 release + +* Tue Mar 12 2019 Nikos Mavrogiannopoulos - 0.12.3-1 +- Update to 0.12.3-1 +- Update to upstream 0.12.3 release + +* Sun Feb 17 2019 Igor Gnatenko - 0.12.2-4 +- Rebuild for readline 8.0 + +* Fri Feb 01 2019 Fedora Release Engineering - 0.12.2-3 +- Rebuilt for 
https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Mon Jan 14 2019 Björn Esser - 0.12.2-2 +- Rebuilt for libcrypt.so.2 (#1666033) + +* Thu Jan 10 2019 Nikos Mavrogiannopoulos - 0.12.2-1 +- Update to 0.12.2-1 +- Update to upstream 0.12.2 release + +* Tue Jul 24 2018 Nikos Mavrogiannopoulos - 0.12.1-5 +- Added gcc as build-dependency + +* Fri Jul 13 2018 Fedora Release Engineering - 0.12.1-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Tue Jul 10 2018 Jason Tibbitts - 0.12.1-3 +- Remove needless use of %%defattr + +* Mon Jul 09 2018 Igor Gnatenko - 0.12.1-2 +- add BuildRequires: gcc + +* Sat May 12 2018 Nikos Mavrogiannopoulos - 0.12.1-1 +- Update to 0.12.1-1 +- Update to upstream 0.12.1 release + +* Mon Apr 23 2018 Nikos Mavrogiannopoulos - 0.12.0-1 +- Update to 0.12.0-1 +- Update to upstream 0.12.0 release + +* Thu Apr 12 2018 Nikos Mavrogiannopoulos - 0.11.11-2 +- Update to 0.11.11-2 +- Update to upstream 0.11.11 release +- include crypt.h to use crypt() + +* Mon Mar 05 2018 Nikos Mavrogiannopoulos - 0.11.11-1 +- Update to 0.11.11-1 +- Update to upstream 0.11.11 release + +* Wed Feb 14 2018 Igor Gnatenko - 0.11.10-5 +- Remove %%clean section + +* Tue Feb 13 2018 Igor Gnatenko - 0.11.10-4 +- Remove BuildRoot definition + +* Thu Feb 08 2018 Fedora Release Engineering - 0.11.10-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Sat Jan 20 2018 Björn Esser - 0.11.10-2 +- Rebuilt for switch to libxcrypt + +* Mon Jan 08 2018 Nikos Mavrogiannopoulos - 0.11.10-1 +- Update to 0.11.10-1 +- Update to upstream 0.11.10 release + +* Tue Nov 21 2017 Nikos Mavrogiannopoulos - 0.11.9-3 +- Update to 0.11.9-3 +- Update to upstream 0.11.9 release + +* Thu Nov 16 2017 Nikos Mavrogiannopoulos - 0.11.9-2 +- do not enable libwrap + +* Tue Oct 10 2017 Nikos Mavrogiannopoulos - 0.11.9-1 +- Update to 0.11.9-1 +- Update to upstream 0.11.9 release + +* Thu Aug 03 2017 Fedora Release Engineering - 0.11.8-3 +- Rebuilt for + 
https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Thu Jul 27 2017 Fedora Release Engineering - 0.11.8-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Wed May 03 2017 Nikos Mavrogiannopoulos - 0.11.8-1 +- Update to 0.11.8-1 +- Update to upstream 0.11.8 release + +* Mon Feb 13 2017 Nikos Mavrogiannopoulos - 0.11.7-1 +- Update to 0.11.7-1 +- Update to upstream 0.11.7 release + +* Sat Feb 11 2017 Fedora Release Engineering - 0.11.6-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Thu Jan 12 2017 Igor Gnatenko - 0.11.6-4 +- Rebuild for readline 7.x + +* Tue Nov 15 2016 Nikos Mavrogiannopoulos - 0.11.6-3 +- Removed gpg keys from sources + +* Tue Nov 15 2016 Nikos Mavrogiannopoulos - 0.11.6-2 +- ocserv.conf: include switch-to-tcp-timeout + +* Tue Nov 15 2016 Nikos Mavrogiannopoulos - 0.11.6-1 +- updated to 0.11.6 + +* Fri Sep 23 2016 Nikos Mavrogiannopoulos - 0.11.5-1 +- updated to 0.11.5 + +* Wed Sep 14 2016 Nikos Mavrogiannopoulos - 0.11.4-3 +- Added getrandom to the list of allowed syscalls (#1375851) + +* Thu Sep 08 2016 Nikos Mavrogiannopoulos - 0.11.4-2 +- Rebuild to address http-parser breakage (#1374081) + +* Fri Aug 05 2016 Nikos Mavrogiannopoulos - 0.11.4-1 +- updated to 0.11.4 + +* Thu Jun 16 2016 Nikos Mavrogiannopoulos - 0.11.3-1 +- updated to 0.11.3 + +* Tue Apr 26 2016 Nikos Mavrogiannopoulos - 0.11.2-2 +- fixed date and removed legacy config options + +* Tue Apr 26 2016 Nikos Mavrogiannopoulos - 0.11.2-1 +- updated to 0.11.2 and added auto sig verification + +* Mon Mar 21 2016 Nikos Mavrogiannopoulos - 0.11.1-1 +- updated to 0.11.1 + +* Fri Feb 19 2016 Nikos Mavrogiannopoulos - 0.11.0-1 +- updated to 0.11.0 + +* Thu Feb 04 2016 Fedora Release Engineering - 0.10.11-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Tue Feb 02 2016 Nikos Mavrogiannopoulos - 0.10.11-2 +- corrected license to apply to the real one + +* Mon Jan 11 2016 Nikos Mavrogiannopoulos - 
0.10.11-1 +- updated to 0.10.11 + +* Mon Nov 30 2015 Nikos Mavrogiannopoulos - 0.10.10-1 +- updated to 0.10.10 + +* Thu Oct 08 2015 Nikos Mavrogiannopoulos - 0.10.9-1 +- updated to 0.10.9 + +* Thu Sep 17 2015 Nikos Mavrogiannopoulos - 0.10.8-2 +- compile ocserv using radcli + +* Mon Sep 07 2015 Nikos Mavrogiannopoulos - 0.10.8-1 +- updated to 0.10.8 + +* Fri Aug 07 2015 Nikos Mavrogiannopoulos - 0.10.7-1 +- updated to 0.10.7 + +* Thu Jul 09 2015 Nikos Mavrogiannopoulos - 0.10.6-2 +- corrected JSON output in occtl + +* Thu Jul 02 2015 Nikos Mavrogiannopoulos - 0.10.6-1 +- updated to 0.10.6 + +* Wed Jun 17 2015 Dennis Gilmore - 0.10.5-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Mon May 25 2015 Nikos Mavrogiannopoulos - 0.10.5-1 +- updated to 0.10.5 + +* Mon Apr 27 2015 Nikos Mavrogiannopoulos - 0.10.4-1 +- new upstream release + +* Mon Mar 30 2015 Nikos Mavrogiannopoulos - 0.10.2-1 +- new upstream release + +* Mon Mar 16 2015 Nikos Mavrogiannopoulos - 0.10.1-1 +- updated to 0.10.1 + +* Wed Mar 11 2015 Nikos Mavrogiannopoulos - 0.10.0-2 +- updated dependencies and files for 0.10.0 + +* Wed Mar 11 2015 Nikos Mavrogiannopoulos - 0.10.0-1 +- updated to 0.10.0 + +* Wed Feb 18 2015 Nikos Mavrogiannopoulos - 0.9.2-1 +- new upstream release + +* Mon Feb 16 2015 Peter Robinson - 0.9.1-3 +- aarch64 (and ARMv7) now has seccomp support + +* Mon Feb 16 2015 Nikos Mavrogiannopoulos - 0.9.1-2 +- depend on freeradius-client + +* Mon Feb 16 2015 Nikos Mavrogiannopoulos - 0.9.1-1 +- updated to 0.9.1 + +* Thu Jan 29 2015 Nikos Mavrogiannopoulos - 0.9.0-3 +- run make check + +* Thu Jan 29 2015 Nikos Mavrogiannopoulos - 0.9.0-2 +- Do not enable seccomp in x86. It is broken. 
+
+* Thu Jan 22 2015 Nikos Mavrogiannopoulos - 0.9.0-1
+- new upstream release
+
+* Tue Jan 13 2015 Nikos Mavrogiannopoulos - 0.8.9-10
+- compile without support for smp to prevent issues with autogen
+
+* Fri Jan 09 2015 Nikos Mavrogiannopoulos - 0.8.9-9
+- enable PIE
+
+* Tue Jan 06 2015 Nikos Mavrogiannopoulos - 0.8.9-8
+- Comply with system-wide crypto policies
+
+* Tue Jan 06 2015 Nikos Mavrogiannopoulos - 0.8.9-7
+- enable seccomp on x86 platforms only
+
+* Tue Jan 06 2015 Nikos Mavrogiannopoulos - 0.8.9-6
+- mention the enabling of seccomp
+
+* Tue Jan 06 2015 Nikos Mavrogiannopoulos - 0.8.9-5
+- disable seccomp on arm
+
+* Tue Jan 06 2015 Nikos Mavrogiannopoulos - 0.8.9-4
+- ocserv.service: depend on network-online.target (#1178760)
+
+* Mon Dec 29 2014 Nikos Mavrogiannopoulos - 0.8.9-3
+- Added seccomp dependency
+
+* Thu Dec 11 2014 Nikos Mavrogiannopoulos - 0.8.9-2
+- updated for bundled script
+
+* Thu Dec 11 2014 Nikos Mavrogiannopoulos - 0.8.9-1
+- new upstream release
+
+* Wed Nov 26 2014 Nikos Mavrogiannopoulos - 0.8.8-1
+- new upstream release
+
+* Mon Oct 27 2014 Nikos Mavrogiannopoulos - 0.8.7-2
+- corrected bogus date
+
+* Mon Oct 27 2014 Nikos Mavrogiannopoulos - 0.8.7-1
+- updated to 0.8.7
+
+* Tue Sep 09 2014 Nikos Mavrogiannopoulos - 0.8.4-3
+- Ship a default ocserv-script, which will put connecting clients into the
+ internal firewall zone.
+
+* Thu Aug 28 2014 Nikos Mavrogiannopoulos - 0.8.4-2
+- removed unused config file
+
+* Thu Aug 28 2014 Nikos Mavrogiannopoulos - 0.8.4-1
+- updated to 0.8.4 and removed unused file
+
+* Sun Aug 17 2014 Peter Robinson - 0.8.2-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
+
+* Fri Aug 08 2014 Nikos Mavrogiannopoulos - 0.8.2-4
+- rebuilt
+
+* Tue Aug 05 2014 Nikos Mavrogiannopoulos - 0.8.2-3
+- rebuilt for new protobuf-c
+
+* Fri Aug 01 2014 Nikos Mavrogiannopoulos - 0.8.2-2
+- disabled auto-select-group by default
+
+* Mon Jul 28 2014 Nikos Mavrogiannopoulos - 0.8.2-1
+- new upstream release
+
+* Mon Jun 30 2014 Nikos Mavrogiannopoulos - 0.8.1-1
+- Updated to 0.8.1
+
+* Fri Jun 06 2014 Nikos Mavrogiannopoulos - 0.8.0-6
+- Added ocserv-genkey
+
+* Fri Jun 06 2014 Nikos Mavrogiannopoulos - 0.8.0-5
+- corrected date
+
+* Fri Jun 06 2014 Nikos Mavrogiannopoulos - 0.8.0-4
+- doc update
+
+* Fri Jun 06 2014 Nikos Mavrogiannopoulos - 0.8.0-3
+- corrected chroot path
+
+* Fri Jun 06 2014 Nikos Mavrogiannopoulos - 0.8.0-2
+- Generate the certificates and private keys before the first run
+
+* Mon Jun 02 2014 Nikos Mavrogiannopoulos - 0.8.0-1
+- updated ocserv to 0.8.0
+
+* Tue May 27 2014 Nikos Mavrogiannopoulos - 0.8.0pre0-4
+- Updated license information
+
+* Mon May 26 2014 Nikos Mavrogiannopoulos - 0.8.0pre0-3
+- depend on systemd-devel
+
+* Mon May 26 2014 Nikos Mavrogiannopoulos - 0.8.0pre0-2
+- depend on talloc
+
+* Mon May 26 2014 Nikos Mavrogiannopoulos - 0.8.0pre0-1
+- new upstream release
+
+* Fri May 09 2014 Nikos Mavrogiannopoulos - 0.3.5-1
+- new upstream release
+
+* Fri May 02 2014 Nikos Mavrogiannopoulos - 0.3.4-2
+- updated default config file
+
+* Fri May 02 2014 Nikos Mavrogiannopoulos - 0.3.4-1
+- new upstream release
+
+* Thu Apr 10 2014 Nikos Mavrogiannopoulos - 0.3.3-1
+- new upstream release
+
+* Fri Mar 14 2014 Nikos Mavrogiannopoulos - 0.3.2-1
+- new upstream release
+
+* Mon Feb 17 2014 Nikos Mavrogiannopoulos - 
0.3.1-4
+- Added missing profile file.
+
+* Mon Feb 17 2014 Nikos Mavrogiannopoulos - 0.3.1-3
+- more config updates
+
+* Mon Feb 17 2014 Nikos Mavrogiannopoulos - 0.3.1-2
+- fixes in default config
+
+* Mon Feb 17 2014 Nikos Mavrogiannopoulos - 0.3.1-1
+- new upstream release
+
+* Wed Jan 29 2014 Nikos Mavrogiannopoulos - 0.3.0-6
+- bumped version
+
+* Wed Jan 29 2014 Nikos Mavrogiannopoulos - 0.3.0-5
+- remove expiration date by default
+
+* Mon Jan 27 2014 Nikos Mavrogiannopoulos - 0.3.0-4
+- more uniform handling of buildrequires
+
+* Mon Jan 27 2014 Nikos Mavrogiannopoulos - 0.3.0-3
+- do not output anything when generating certificates
+
+* Mon Jan 27 2014 Nikos Mavrogiannopoulos - 0.3.0-2
+- added changelog entry
+
+* Mon Jan 27 2014 Nikos Mavrogiannopoulos - 0.3.0-1
+- updated to ocserv 0.3.0
+
+* Mon Dec 16 2013 Nikos Mavrogiannopoulos - 0.2.3-1
+- updated to 0.2.3
+
+* Fri Dec 06 2013 Nikos Mavrogiannopoulos - 0.2.1-4
+- use the correct config file
+
+* Fri Dec 06 2013 Nikos Mavrogiannopoulos - 0.2.1-3
+- corrected chroot directory
+
+* Fri Dec 06 2013 Nikos Mavrogiannopoulos - 0.2.1-2
+- compile with any version of libopts
+
+* Fri Dec 06 2013 Nikos Mavrogiannopoulos - 0.2.1-1
+- Initial import (#1027770)
diff --git a/sources b/sources
deleted file mode 100644
index 58e8472..0000000
--- a/sources
+++ /dev/null
@@ -1,2 +0,0 @@
-SHA512 (ocserv-1.2.2.tar.xz) = f1a55d2d849aadadcae6ea792845531d4fe71a3d7defad353a961828ddea74faa85a7d6b8de64a5fce115b14ea00f87755f01833cf31550532b1c52a02bd1fb0
-SHA512 (ocserv-1.2.2.tar.xz.sig) = e3a159d76b5651c99487546681657cdb008d50d86647bf2df1034dc6936720d0db9566490958a9d79ad4a68b122b1d19021e0c849d72a0ab3277d777b9e1ddb7