From 3dc34d462651279ce8c293819dee2485ef8ce758 Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos <nmav@redhat.com>
Date: Mon, 27 Jan 2014 10:43:16 +0100
Subject: [PATCH] updated to ocserv 0.3.0

---
 .gitignore                |  1 +
 ocserv.conf               | 13 +++++++----
 ocserv.service            |  4 +++-
 ocserv.spec               | 47 ++++++++++++++++++++++++++++++++++++---
 org.infradead.ocserv.conf | 14 ++++++++++++
 sources                   |  2 +-
 6 files changed, 72 insertions(+), 9 deletions(-)
 create mode 100644 org.infradead.ocserv.conf

diff --git a/.gitignore b/.gitignore
index 3475ef7..a04b424 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,3 @@
 /ocserv-0.2.1.tar.xz
 /ocserv-0.2.3.tar.xz
+/ocserv-0.3.0.tar.xz
diff --git a/ocserv.conf b/ocserv.conf
index 19e40fd..53e1af5 100644
--- a/ocserv.conf
+++ b/ocserv.conf
@@ -43,8 +43,8 @@ try-mtu-discovery = false
 #
 # There may be multiple certificate and key pairs and each key
 # should correspond to the preceding certificate.
-server-cert = /etc/ocserv/server.crt
-server-key = /etc/ocserv/server.key
+server-cert = /etc/pki/ocserv/public/server.crt
+server-key = /etc/pki/ocserv/private/server.key
 
 # Diffie-Hellman parameters. Only needed if you require support
 # for the DHE ciphersuites (by default this server supports ECDHE).
@@ -70,7 +70,7 @@ server-key = /etc/ocserv/server.key
 # The Certificate Authority that will be used
 # to verify clients if certificate authentication
 # is set.
-#ca-cert = /etc/ocserv/ca.crt
+ca-cert = /etc/pki/ocserv/cacerts/ca.crt
 
 # The object identifier that will be used to read the user ID in the client certificate.
 # The object identifier should be part of the certificate's DN
@@ -116,6 +116,11 @@ cookie-validity = 172800
 #connect-script = /usr/bin/myscript
 #disconnect-script = /usr/bin/myscript
 
+# D-BUS usage. If disabled occtl tool cannot be used. If enabled
+# then ocserv must have access to register org.infradead.ocserv
+# D-BUS service. See doc/dbus/org.infradead.ocserv.conf
+use-dbus = true
+
 # UTMP
 use-utmp = true
 
@@ -223,5 +228,5 @@ route-del-cmd = "ip route delete %R dev %D"
 # certificate even if they are authenticating via a previously granted
 # cookie. Legacy CISCO clients do not do that, and thus this option
 # should be set for them.
-#always-require-cert = false
+cisco-client-compat = true
 
diff --git a/ocserv.service b/ocserv.service
index 3b39466..86fca91 100644
--- a/ocserv.service
+++ b/ocserv.service
@@ -1,7 +1,9 @@
 [Unit]
 Description=OpenConnect SSL VPN server
 Documentation=man:ocserv(8)
-After=syslog.target network.target
+After=syslog.target
+After=network.target
+After=dbus.service
 
 [Service]
 PrivateTmp=true
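Review bot: `After=dbus.service` only orders the unit; it does not pull the bus in, so with `use-dbus = true` in the shipped ocserv.conf a start on a system where the bus unit is not active gets no guarantee the name can be registered. If ocserv should not come up without the bus, add `Wants=dbus.service` (or `Requires=`) next to the new `After=` line; if D-Bus is optional for the daemon, the ordering alone is fine and a short comment saying so would help. `syslog.target` is kept as an ordering target; with journald it is a no-op and could be dropped, though that predates this change. The `[Service]` section continues past the hunk.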
diff --git a/ocserv.spec b/ocserv.spec
index bc87405..c477f2a 100644
--- a/ocserv.spec
+++ b/ocserv.spec
@@ -1,5 +1,5 @@
 Name:		ocserv
-Version:	0.2.3
+Version:	0.3.0
 Release:	1%{?dist}
 Summary:	OpenConnect SSL VPN server
 
@@ -12,6 +12,7 @@ Source1:	ocserv.conf
 Source2:	ocserv.service
 Source3:	ocserv-pamd.conf
 Source4:	PACKAGE-LICENSING
+Source5:	org.infradead.ocserv.conf
 
 # Taken from upstream:
 # http://git.infradead.org/ocserv.git/commitdiff/7d70006a2dbddf783213f1856374bacc74217e09
@@ -22,10 +23,15 @@ BuildRequires:	pam-devel
 BuildRequires:	iproute
 BuildRequires:	systemd
 BuildRequires:	autogen-libopts-devel
+BuildRequires:	protobuf-c-devel
+BuildRequires:	libnl3-devel
+BuildRequires:	readline-devel
+BuildRequires:	dbus-devel
 BuildRequires:	autogen
 BuildRequires:	pcllib-devel, http-parser-devel, tcp_wrappers-devel
 BuildRequires:	automake, autoconf
 
+Requires:		gnutls-utils
 Requires:		iproute
 Requires:		pam
 Requires(pre):		shadow-utils
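Review bot: `certtool` is invoked from the `%pre` scriptlet added later in this patch, but gnutls-utils is declared only as a plain `Requires:`, which does not guarantee it is installed before `%pre` runs when both packages are in the same transaction; use the same form as the shadow-utils line below it, `Requires(pre):		gnutls-utils`. Keeping the plain `Requires:` as well is harmless if certtool is also needed at runtime, which the hunk does not show.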
@@ -50,11 +56,12 @@ to provide the secure VPN service.
 %prep
 %setup -q
 rm -f src/http-parser/http_parser.c src/http-parser/http_parser.h
+rm -rf src/protobuf/
 rm -f libopts/*.c libopts/*.h libopts/*/*.c libopts/*/*.h
 rm -f src/pcl/*.c src/pcl/*.h
 sed -i 's|/etc/ocserv.conf|/etc/ocserv/ocserv.conf|g' src/config.c
 sed -i 's/run-as-group = nogroup/run-as-group = nobody/g' tests/*.config
-# GPLv3 in headers was a gnulib bug: 
+# GPLv3 in headers is a gnulib bug: 
 # http://lists.gnu.org/archive/html/bug-gnulib/2013-11/msg00062.html
 sed -i 's/either version 3 of the License/either version 2 of the License/g' build-aux/snippet/*
 
@@ -64,13 +71,41 @@ sed -i 's/either version 3 of the License/either version 2 of the License/g' bui
 
 # disable the smp_mflags until an issue with the dependencies in the 
 # autogen'erated files is fixed
-make #%{?_smp_mflags}
+make %{?_smp_mflags}
 
 %pre
 getent group ocserv &>/dev/null || groupadd -r ocserv
 getent passwd ocserv &>/dev/null || \
 	/usr/sbin/useradd -r -g ocserv -s /sbin/nologin -c ocserv \
 		-d /var/lib/ocserv ocserv
+mkdir -p %{_sysconfdir}/pki/ocserv/public
+mkdir -p -m 700 %{_sysconfdir}/pki/ocserv/private
+mkdir -p %{_sysconfdir}/pki/ocserv/cacerts
+#generate CA certificate/key
+if test ! -f %{_sysconfdir}/pki/ocserv/private/ca.key;then
+certtool --generate-privkey --outfile %{_sysconfdir}/pki/ocserv/private/ca.key
+echo "cn=`hostname -f` CA" >%{_sysconfdir}/pki/ocserv/ca.tmpl
+echo "serial=1" >>%{_sysconfdir}/pki/ocserv/ca.tmpl
+echo "ca" >>%{_sysconfdir}/pki/ocserv/ca.tmpl
+echo "cert_signing_key" >>%{_sysconfdir}/pki/ocserv/ca.tmpl
+certtool --template %{_sysconfdir}/pki/ocserv/ca.tmpl \
+	--generate-self-signed --load-privkey %{_sysconfdir}/pki/ocserv/private/ca.key \
+	--outfile %{_sysconfdir}/pki/ocserv/cacerts/ca.crt
+#rm -f %{_sysconfdir}/pki/ocserv/ca.tmpl
+fi
+#generate server certificate/key
+if test ! -f %{_sysconfdir}/pki/ocserv/private/server.key;then
+certtool --generate-privkey --outfile %{_sysconfdir}/pki/ocserv/private/server.key
+echo "cn=`hostname -f`" >%{_sysconfdir}/pki/ocserv/server.tmpl
+echo "serial=2" >>%{_sysconfdir}/pki/ocserv/server.tmpl
+echo "signing_key" >>%{_sysconfdir}/pki/ocserv/server.tmpl
+echo "encryption_key" >>%{_sysconfdir}/pki/ocserv/server.tmpl
+certtool --template %{_sysconfdir}/pki/ocserv/server.tmpl \
+	--generate-certificate --load-privkey %{_sysconfdir}/pki/ocserv/private/server.key \
+	--load-ca-certificate %{_sysconfdir}/pki/ocserv/cacerts/ca.crt --load-ca-privkey \
+	%{_sysconfdir}/pki/ocserv/private/ca.key --outfile %{_sysconfdir}/pki/ocserv/public/server.crt
+#rm -f %{_sysconfdir}/pki/ocserv/server.tmpl
+fi
 
 %post
 %systemd_post ocserv.service
@@ -88,6 +123,8 @@ mkdir -p %{buildroot}/%{_sysconfdir}/pam.d/
 mkdir -p %{buildroot}/%{_sysconfdir}/ocserv/
 install -p -m 644 %{SOURCE3} %{buildroot}/%{_sysconfdir}/pam.d/ocserv
 install -p -m 644 %{SOURCE1} %{buildroot}/%{_sysconfdir}/ocserv/
+mkdir -p %{buildroot}/%{_sysconfdir}/dbus-1/system.d/
+install -p -m 644 %{SOURCE5} %{buildroot}/%{_sysconfdir}/dbus-1/system.d/
 mkdir -p %{buildroot}/%{_unitdir}
 install -p -m 644 %{SOURCE2} %{buildroot}/%{_unitdir}
 mkdir -p %{buildroot}/var/lib/ocserv/
@@ -103,13 +140,17 @@ rm -rf %{buildroot}
 %dir %{_sysconfdir}/ocserv
 
 %config(noreplace) %{_sysconfdir}/ocserv/ocserv.conf
+%config(noreplace) %{_sysconfdir}/dbus-1/system.d/org.infradead.ocserv.conf
 %config(noreplace) %{_sysconfdir}/pam.d/ocserv
 
+
 %doc AUTHORS ChangeLog NEWS COPYING LICENSE README TODO PACKAGE-LICENSING
 %doc src/ccan/licenses/CC0 src/ccan/licenses/LGPL-2.1 src/ccan/licenses/BSD-MIT 
 %{_mandir}/man8/ocserv.8*
+%{_mandir}/man8/occtl.8*
 %{_mandir}/man8/ocpasswd.8*
 %{_bindir}/ocpasswd
+%{_bindir}/occtl
 %{_sbindir}/ocserv
 %{_unitdir}/ocserv.service
 
diff --git a/org.infradead.ocserv.conf b/org.infradead.ocserv.conf
new file mode 100644
index 0000000..8c69f93
--- /dev/null
+++ b/org.infradead.ocserv.conf
@@ -0,0 +1,14 @@
+<!DOCTYPE busconfig PUBLIC
+ "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
+ "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
+<busconfig>
+	<policy user="root">
+		<allow own="org.infradead.ocserv"/>
+		<allow send_destination="org.infradead.ocserv"/>
+	</policy>
+	<policy context="default">
+		<deny own="org.infradead.ocserv"/>
+		<deny send_destination="org.infradead.ocserv"/>
+	</policy>
+</busconfig>
+
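Review bot: The `<policy user="root">` block ties ownership of `org.infradead.ocserv` and the right to message it to root without saying why; this matches a daemon started by systemd with no `User=` line and an `occtl` run as root, but if ocserv is ever run under the `ocserv` account the spec's `%pre` creates, the own rule will need a `<policy user="ocserv">` as well. A one-line comment stating the assumption would save the next reader a trip to the unit file, e.g. `<!-- ocserv's main process runs as root and registers the name; occtl must also run as root -->`. The `<deny send_destination>` in the default context also blocks unprivileged users from introspecting the service, which appears intended.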
diff --git a/sources b/sources
index 8e4e1da..a5c1666 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-8ea3cd7decf8a95f96e41f6a2ea5152c  ocserv-0.2.3.tar.xz
+f6d64451ac8c458c7bdd40ee8ff51192  ocserv-0.3.0.tar.xz