diff --git a/.gitignore b/.gitignore
index 433523a..333d3bb 100644
--- a/.gitignore
+++ b/.gitignore
@@ -60,3 +60,14 @@
 /gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg
 /ocserv-0.11.7.tar.xz.sig
 /ocserv-0.11.7.tar.xz
+/ocserv.init
+/gpgkey-56EE7FA9E8173B19FE86268D763712747F343FA7.gpg
+/ocserv-script
+/ocserv-genkey
+/PACKAGE-LICENSING
+/ocserv-pamd.conf
+/ocserv.service
+/ocserv.conf
+/gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg
+/ocserv-0.11.8.tar.xz.sig
+/ocserv-0.11.8.tar.xz
diff --git a/ocserv-genkey b/ocserv-genkey
index 687d685..924aab9 100755
--- a/ocserv-genkey
+++ b/ocserv-genkey
@@ -2,6 +2,7 @@ #generate CA certificate/key if test ! -f /etc/pki/ocserv/private/ca.key;then +mkdir -p /etc/pki/ocserv/private certtool --generate-privkey --outfile /etc/pki/ocserv/private/ca.key >/dev/null 2>&1 echo "cn=`hostname -f` CA" >/etc/pki/ocserv/ca.tmpl echo "expiration_days=-1" >>/etc/pki/ocserv/ca.tmpl
diff --git a/ocserv.init b/ocserv.init
new file mode 100644
index 0000000..81be91b
--- /dev/null
+++ b/ocserv.init
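Review bot: The added `mkdir -p /etc/pki/ocserv/private` creates the directory that will hold the CA private key with whatever mode the caller's umask yields, so the key's parent directory can end up group- or world-readable; give it an explicit mode, `mkdir -p -m 0700 /etc/pki/ocserv/private`, before certtool writes ca.key into it. The certtool call that follows sends all output to /dev/null and its exit status is not checked, so a failure to create the key is invisible and the template lines still run; `|| exit 1` after it would surface that. The enclosing `if test ! -f ...` block continues past the hunk.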
@@ -0,0 +1,141 @@
+#!/bin/sh
+#
+# ocserv This shell script takes care of starting and stopping
+# ocserv on RedHat or other chkconfig-based system.
+#
+# chkconfig: - 24 76
+#
+# processname: ocserv
+# port.
+
+### BEGIN INIT INFO
+# Provides: ocserv
+# Required-Start: $network
+# Required-Stop: $network
+# Short-Description: start and stop ocserv
+# Description: ocserv is a VPN server
+### END INIT INFO
+
+
+# To install:
+# copy this file to /etc/rc.d/init.d/ocserv
+# shell> chkconfig --add ocserv
+# shell> mkdir /etc/ocserv
+# make .conf or .sh files in /etc/ocserv (see below)
+
+# To uninstall:
+# run: chkconfig --del ocserv
+
+ocserv=""
+ocserv_locations="/usr/sbin/ocserv /usr/local/sbin/ocserv"
+for location in $ocserv_locations
+do
+ if [ -f "$location" ]
+ then
+ ocserv=$location
+ fi
+done
+
+# PID directory
+piddir="/var/run/ocserv"
+pidf="$piddir/ocserv.pid"
+
+# Our working directory
+work=/etc/ocserv
+
+# Source function library.
+. /etc/rc.d/init.d/functions
+
+# Source networking configuration.
+. /etc/sysconfig/network
+
+# Check that networking is up.
+if [ ${NETWORKING} = "no" ]
+then
+ echo "Networking is down"
+ exit 0
+fi
+
+# Check that binary exists
+if ! [ -f $ocserv ]
+then
+ echo "ocserv binary not found"
+ exit 0
+fi
+
+# See how we were called.
+case "$1" in
+ start)
+ echo -n $"Starting ocserv: "
+
+ /sbin/modprobe tun >/dev/null 2>&1
+
+ # From a security perspective, I think it makes
+ # sense to remove this, and have users who need
+ # it explictly enable in their --up scripts or
+ # firewall setups.
+
+ #echo 1 > /proc/sys/net/ipv4/ip_forward
+
+ # Run startup script, if defined
+ if [ -x /usr/sbin/ocserv-genkey ]; then
+ /usr/sbin/ocserv-genkey
+ fi
+
+ if [ ! -d $piddir ]; then
+ mkdir $piddir
+ fi
+
+ if [ -s $pidf ]; then
+ kill `cat $pidf` >/dev/null 2>&1
+ sleep 2
+ fi
+ rm -f $pidf
+
+ cd $work
+
+ # Start every .conf in $work and run .sh if exists
+ errors=0
+ $ocserv --pid-file $pidf -c $work/ocserv.conf
+ errors=$?
+ if [ $errors != 0 ]; then
+ failure; echo
+ else
+ success; echo
+ fi
+ ;;
+ stop)
+ echo -n $"Shutting down ocserv: "
+ if [ -s $pidf ]; then
+ kill `cat $pidf` >/dev/null 2>&1
+ fi
+ rm -f $pidf
+
+ success; echo
+ rm -f $lock
+ ;;
+ restart)
+ $0 stop
+ sleep 2
+ $0 start
+ ;;
+ reload)
+ /usr/bin/occtl reload
+ exit $?
+ ;;
+ reopen)
+ ;;
+ condrestart)
+ $0 stop
+ sleep 2
+ $0 start
+ ;;
+ status)
+ /usr/bin/occtl show status
+ ;;
+ *)
+ echo "Usage: ocserv {start|stop|restart|condrestart|reload|reopen|status}"
+ exit 1
+ ;;
+esac
+exit 0
diff --git a/ocserv.spec b/ocserv.spec
index e24d20d..687f8ab 100644
--- a/ocserv.spec
+++ b/ocserv.spec
@@ -1,8 +1,16 @@ # This spec file has been automatically updated -Version: 0.11.7 +Version: 0.11.8 Release: 1%{?dist} %global _hardened_build 1 +%if 0%{?fedora} || 0%{?rhel} >= 7 +%define use_systemd 1 +%define have_gpgv2 1 +%else +%define use_systemd 0 +%define have_gpgv2 0 +%endif + Name: ocserv Summary: OpenConnect SSL VPN server @@ -20,28 +28,25 @@ Source6: PACKAGE-LICENSING Source8: ocserv-genkey Source9: ocserv-script Source10: gpgkey-56EE7FA9E8173B19FE86268D763712747F343FA7.gpg +Source11: ocserv.init # Taken from upstream: # http://git.infradead.org/ocserv.git/commitdiff/7d70006a2dbddf783213f1856374bacc74217e09 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) +%if 0%{?rhel} && 0%{?rhel} <= 6 +BuildRequires: gnutls30-devel +%else BuildRequires: gnutls-devel +%endif BuildRequires: pam-devel BuildRequires: iproute -BuildRequires: systemd -BuildRequires: systemd-devel -BuildRequires: autogen-libopts-devel + BuildRequires: protobuf-c-devel BuildRequires: libnl3-devel BuildRequires: krb5-devel BuildRequires: libtasn1-devel -BuildRequires: liboath-devel -BuildRequires: readline-devel -BuildRequires: autogen BuildRequires: gperf -%ifarch x86_64 %{ix86} %{arm} aarch64 -BuildRequires: libseccomp-devel -%endif BuildRequires: pcllib-devel BuildRequires: libtalloc-devel BuildRequires: libev-devel
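Review bot: The binary-existence guard in the new init script does not fire when no candidate path matched: with `ocserv=""` the unquoted `[ -f $ocserv ]` collapses to the one-argument test `[ -f ]`, which is true, so the script goes on to run an empty command in the start branch; quote it, `if ! [ -f "$ocserv" ]`, and likewise `[ "${NETWORKING}" = "no" ]`, which otherwise is a syntax error when the variable is unset. In the stop branch `rm -f $lock` uses a variable the script never assigns, and start never creates a lock file under /var/lock/subsys, which chkconfig-style scripts rely on for stop to run at shutdown; either define `lock=/var/lock/subsys/ocserv` and `touch` it on a successful start, or drop the line. Both branches hand the pid file's content to `kill` unchecked via `cat $pidf`; rejecting anything that is not a single decimal number before the kill would avoid signalling an unrelated process if the file is ever corrupted.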
@@ -50,16 +55,40 @@ BuildRequires: tcp_wrappers-devel BuildRequires: automake, autoconf BuildRequires: radcli-devel BuildRequires: lz4-devel +BuildRequires: readline-devel +BuildRequires: GeoIP-devel + +%if %{use_systemd} +BuildRequires: systemd +BuildRequires: systemd-devel +BuildRequires: autogen-libopts-devel +BuildRequires: autogen +BuildRequires: liboath-devel BuildRequires: uid_wrapper BuildRequires: socket_wrapper +%if 0%{?rhel} && 0%{?rhel} >= 7 +%ifarch x86_64 %{ix86} +BuildRequires: libseccomp-devel +%endif +%else +%ifarch x86_64 %{ix86} %{arm} aarch64 +BuildRequires: libseccomp-devel +%endif +%endif + +%endif #use systemd + Requires: gnutls-utils Requires: iproute Requires: pam Requires(pre): shadow-utils +%if %{use_systemd} Requires(post): systemd Requires(preun): systemd Requires(postun): systemd +%endif + #gnulib is bundled. See https://fedorahosted.org/fpc/ticket/174 Provides: bundled(gnulib) #CCAN is bundled. See https://fedorahosted.org/fpc/ticket/364 @@ -76,13 +105,14 @@ uses the standard IETF security protocols such as TLS 1.2, and Datagram TLS to provide the secure VPN service. %prep +%if %{have_gpgv2} gpgv2 --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0} || gpgv2 --keyring %{SOURCE10} %{SOURCE1} %{SOURCE0} +%endif %setup -q rm -f src/http-parser/http_parser.c src/http-parser/http_parser.h rm -rf src/protobuf/protobuf-c/ rm -rf src/ccan/talloc -rm -f libopts/*.c libopts/*.h libopts/*/*.c libopts/*/*.h rm -f src/pcl/*.c src/pcl/*.h sed -i 's|/etc/ocserv.conf|/etc/ocserv/ocserv.conf|g' src/config.c sed -i 's/run-as-group = nogroup/run-as-group = nobody/g' tests/data/*.config 
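Review bot: Guarding the `gpgv2` invocation with `%if %{have_gpgv2}` means that on targets where the macro is 0 (the `%else` arm of the `0%{?fedora} || 0%{?rhel} >= 7` test at the top of the spec) %prep no longer verifies the upstream tarball against the shipped keyrings at all, so integrity there rests solely on the `sources` hashes. An `%else` arm running `gpgv --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0}` where gnupg 1's verifier is available, or failing that a comment stating that signature verification is intentionally skipped on those releases, would make the trade-off visible. Deriving `have_gpgv2` from the same condition as `use_systemd` also couples two unrelated facts; a separate `%if` keyed on the release would keep each decision readable.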
@@ -91,10 +121,28 @@ sed -i 's/run-as-group = nogroup/run-as-group = nobody/g' tests/data/*.config sed -i 's/either version 3 of the License/either version 2 of the License/g' build-aux/snippet/* touch src/*.proto +%if 0%{?rhel} && 0%{?rhel} <= 6 +echo "int main() { return 77; }" > tests/valid-hostname.c +%else +rm -f libopts/*.c libopts/*.h libopts/*/*.c libopts/*/*.h +%endif + %build +%if 0%{?rhel} && 0%{?rhel} <= 6 +export PKG_CONFIG_LIBDIR="%{_libdir}/gnutls30/pkgconfig:%{_libdir}/pkgconfig" +export LIBGNUTLS_CFLAGS="-I/usr/include/gnutls30" +export LIBGNUTLS_LIBS="-L%{_libdir}/gnutls30/ -lgnutls" +export CFLAGS="$CFLAGS -I/usr/include/libev -I/usr/include/gnutls30" +sed -i 's/AM_PROG_AR//g' configure.ac +autoreconf -fvi +%configure \ + --disable-systemd \ + --enable-local-libopts +%else %configure \ --enable-systemd +%endif make #%{?_smp_mflags} @@ -110,6 +158,7 @@ mkdir -p %{_sysconfdir}/pki/ocserv/cacerts %check make check %{?_smp_mflags} +%if %{use_systemd} %post %systemd_post ocserv.service @@ -118,6 +167,7 @@ make check %{?_smp_mflags} %postun %systemd_postun ocserv.service +%endif %install rm -rf %{buildroot} 
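Review bot: The EL6 branch in %prep overwrites tests/valid-hostname.c with a stub that returns 77 (the status automake's harness reports as SKIP) without saying what the test needs that EL6 lacks, so it reads as a test being silenced; a one-line comment above the echo naming the missing feature would let a later maintainer drop the stub once it no longer applies. The matching %build branch (exporting the gnutls30 pkg-config path, stripping `AM_PROG_AR` from configure.ac, re-running autoreconf) would benefit from the same kind of comment, e.g. `# EL6 autoconf lacks AM_PROG_AR; remove it before regenerating`, adjusted to the actual reason.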
@@ -126,14 +176,29 @@ mkdir -p %{buildroot}/%{_sysconfdir}/pam.d/ mkdir -p %{buildroot}/%{_sysconfdir}/ocserv/ install -p -m 644 %{SOURCE5} %{buildroot}/%{_sysconfdir}/pam.d/ocserv install -p -m 644 %{SOURCE3} %{buildroot}/%{_sysconfdir}/ocserv/ -mkdir -p %{buildroot}/%{_unitdir} -install -p -m 644 %{SOURCE4} %{buildroot}/%{_unitdir} mkdir -p %{buildroot}%{_localstatedir}/lib/ocserv/ install -p -m 644 doc/profile.xml %{buildroot}%{_localstatedir}/lib/ocserv/ mkdir -p %{buildroot}/%{_sbindir} install -p -m 755 %{SOURCE8} %{buildroot}/%{_sbindir} mkdir -p %{buildroot}/%{_bindir} install -p -m 755 %{SOURCE9} %{buildroot}/%{_bindir} + +%if 0%{?rhel} +sed -i 's|expiration_days=-1|expiration_days=9999|' %{buildroot}/%{_sbindir}/ocserv-genkey +sed -i 's|tls-priorities = "@SYSTEM"|tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0"|' %{buildroot}/%{_sysconfdir}/ocserv/ocserv.conf +%if 0%{?rhel} <= 6 +sed -i 's|isolate-workers = true|isolate-workers = false|' %{buildroot}/%{_sysconfdir}/ocserv/ocserv.conf +%endif +%endif + +%if %{use_systemd} +mkdir -p %{buildroot}/%{_unitdir} +install -p -m 644 %{SOURCE4} %{buildroot}/%{_unitdir} +%else +mkdir -p %{buildroot}/%{_initrddir} +install -D -m 0755 %{SOURCE11} %{buildroot}/%{_initrddir}/%{name} +%endif + %make_install %clean @@ -159,10 +224,17 @@ rm -rf %{buildroot} %{_bindir}/ocserv-script %{_sbindir}/ocserv %{_sbindir}/ocserv-genkey -%{_unitdir}/ocserv.service %{_localstatedir}/lib/ocserv/profile.xml +%if %{use_systemd} +%{_unitdir}/ocserv.service +%else +%{_initrddir}/%{name} +%endif %changelog +* Wed May 03 2017 Nikos Mavrogiannopoulos - 0.11.8-1 +- Update to upstream 0.11.8 release + * Mon Feb 13 2017 Nikos Mavrogiannopoulos - 0.11.7-1 - Update to upstream 0.11.7 release
diff --git a/sources b/sources
index 907a2bb..348aa08 100644
--- a/sources
+++ b/sources
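Review bot: The `%if 0%{?rhel}` block added to %install relaxes three shipped defaults without a word of explanation: the CA template expiry becomes 9999 days, `tls-priorities` moves from `@SYSTEM` to `NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0`, and on EL6 `isolate-workers` is switched off. Each sed should carry a one-line comment giving the reason (presumably the gnutls30 build not supporting `@SYSTEM`, and worker isolation depending on something unavailable on EL6; confirm) so the next version bump does not carry the relaxations forward unexamined. `%COMPAT` in particular enables GnuTLS workarounds for older clients, so naming the clients that need it, e.g. `# %COMPAT: needed for <client/version placeholder> on EL`, would let it be removed when they are gone.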
@@ -1,10 +1,11 @@ +SHA512 (ocserv.init) = 7c3256dd0f7d5882c4e126c95209084e2476f7d8d142af137f46c5987364982eb88044bfa5d587ebc397ebd379edb40f22e5c97c0276764be982a27715a9c601 SHA512 (gpgkey-56EE7FA9E8173B19FE86268D763712747F343FA7.gpg) = c664fd9999cbf9912eeea88ee3a2c356df3f70813a664bb7a7f592be258c12bdeb9e99e4aa9a368c1f123ee449eb08e288d1dc3dcf81e849a958ece6eab82d67 SHA512 (ocserv-script) = 6d77ebe95d23469d96b45b1ac8de7a062cb1360febd0f9664b42debf0494891a522e3da8feec53d22b84e39ad349a1824b7ecd6b6b8f0790edf75aed1087e2d0 -SHA512 (ocserv-genkey) = c02a25a5504e2bd514c6e6944651960a3cc9bf2ef0a4509744f99d61421feace1f8e440c4d336652efd7349465d1a707cd3a370ff6102ef5096d709b34099a86 +SHA512 (ocserv-genkey) = e898144fd977e4c57c4a9a5480b38f6a166c0281c41500c3fa9b7e142197c4525d3fb90846a738e38d217116dc33c2ba5c16ec3e11de0dbf4d834e204c598eac SHA512 (PACKAGE-LICENSING) = eea2a2a4765c90d874c79bb72d754c8b26b58d5e5b3c3cee10c24754fbba6849fd91f7b28e380b5db9789a456f95fc94b3bd8fe8c160a98c8042f404479ecb68 SHA512 (ocserv-pamd.conf) = 3a75f19d89ddd164f3faa9c3579c7f675fc58413a194f43ec28eee7ebced6fee3f4ca305fe9b0ddf76ae39cd669e8d3d63b58afbbf19b84e4ca646ae7f42d61a SHA512 (ocserv.service) = 264f3389d88aec1f7d2e4683a4dfc0aa67af2325154de822eecf5fb43f8c221aab0d9f0c6a8eedb893e6d69ed4d94c9397b01e5d0d12e88330017a3bfa5f3644 SHA512 (ocserv.conf) = 0a48d394dba183528c1e92df2a8b844a4d7d419244b1c08883f79c8b48843986e786ea4d48478ed4e8d57fd56626bf962dbcf6c76b5839ba5ab5fac8b089c44c SHA512 (gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg) = 7eccc70fb763cf8a6525228230c1f537224809cf553efb3ad6bc88ad96f01122c30a5cd9d8328fa3a97b242d59e00bc9966589a24b1e65dd4a27eb71393f097c -SHA512 (ocserv-0.11.7.tar.xz.sig) = fd4af775842cff6817adaf4a641b180d3be3b55e3b64a026977fd6f328ddc5f7070f4c91cdce7e83eb8c3b078a5c1dc7780cfe40c5322abef61ca7fc408fbb2c -SHA512 (ocserv-0.11.7.tar.xz) = a563725bd8753186ece80c91a237a2940071047bb32d1990e2ee122a32ad0468b78a7f35d422dcc9b968a8c56358992842d00958dbf9d743632a03623dd2f5cf +SHA512 
(ocserv-0.11.8.tar.xz.sig) = 5551591abc54dfc053125c356095138aaecec6c3255cd125bd38e17350a257bc822094c270d5b3bb329afd4a9e37f355d3d16db16b4db804e15b8c5959321214 +SHA512 (ocserv-0.11.8.tar.xz) = cea5ef084a15de1e16c0d55f418f454f32c77e4303246f3d11e71ddbc7dbea028282b8200b59a49f5509e786970749b0a9795262639209924bbaa1d619c5c25c