Update to 0.12.0-1

- Update to upstream 0.12.0 release
7 years ago · 914a518ada
parent dc565f4e83
commit 914a518ada
6 changed files with 97 additions and 89 deletions
--- a/.gitignore
+++ b/.gitignore
@ -126,3 +126,14 @@
 /gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg
 /ocserv-0.11.11.tar.xz.sig
 /ocserv-0.11.11.tar.xz
+/ocserv.init
+/gpgkey-56EE7FA9E8173B19FE86268D763712747F343FA7.gpg
+/ocserv-script
+/ocserv-genkey
+/PACKAGE-LICENSING
+/ocserv-pamd.conf
+/ocserv.service
+/ocserv.conf
+/gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg
+/ocserv-0.12.0.tar.xz.sig
+/ocserv-0.12.0.tar.xz
--- a/ocserv-0.11.11-crypt.patch
+++ b/ocserv-0.11.11-crypt.patch
@ -1,65 +0,0 @@
-From cf9cda99a5caf8fabd547f25a962b96a46e13957 Mon Sep 17 00:00:00 2001
-From: Nikos Mavrogiannopoulos <nmav@redhat.com>
-Date: Thu, 12 Apr 2018 14:58:59 +0200
-Subject: [PATCH] include crypt.h to use crypt()
-
-This is necessary in Fedora28 as it doesn't provide
-crypt() prototype in unistd.h
-
-https://bugzilla.redhat.com/show_bug.cgi?id=1566464
-
-Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
---
- configure.ac            | 2 +-
- src/auth/plain.c        | 5 +++++
- src/ocpasswd/ocpasswd.c | 5 +++++
- 3 files changed, 11 insertions(+), 1 deletion(-)
-
-diff --git a/configure.ac b/configure.ac
-index 71c27564..c03d8e7b 100644
--- a/configure.ac
-+++ b/configure.ac
-@@ -319,7 +319,7 @@ AC_CHECK_MEMBER([struct sockaddr.sa_len],
- #include <sys/socket.h>
- ])
- 
-AC_CHECK_HEADERS([net/if_tun.h linux/if_tun.h netinet/in_systm.h], [], [], [])
-+AC_CHECK_HEADERS([net/if_tun.h linux/if_tun.h netinet/in_systm.h crypt.h], [], [], [])
- 
- AC_CHECK_FUNCS([setproctitle vasprintf clock_gettime isatty pselect ppoll getpeereid sigaltstack])
- AC_CHECK_FUNCS([strlcpy posix_memalign malloc_trim strsep])
-diff --git a/src/auth/plain.c b/src/auth/plain.c
-index 2052e07d..f9c7b1b1 100644
--- a/src/auth/plain.c
-+++ b/src/auth/plain.c
-@@ -37,6 +37,11 @@
- #ifdef HAVE_LIBOATH
- # include <liboath/oath.h>
- #endif
-+#ifdef HAVE_CRYPT_H
-+  /* libcrypt in Fedora28 does not provide prototype
-+   * in unistd.h */
-+# include <crypt.h>
-+#endif
- 
- #define MAX_CPASS_SIZE 128
- #define HOTP_WINDOW 20
-diff --git a/src/ocpasswd/ocpasswd.c b/src/ocpasswd/ocpasswd.c
-index de3b8396..abb66744 100644
--- a/src/ocpasswd/ocpasswd.c
-+++ b/src/ocpasswd/ocpasswd.c
-@@ -32,6 +32,11 @@
- #include <sys/types.h>
- #include <sys/stat.h>
- #include "ocpasswd-args.h"
-+#ifdef HAVE_CRYPT_H
-+  /* libcrypt in Fedora28 does not provide prototype
-+   * in unistd.h */
-+# include <crypt.h>
-+#endif
- 
- /* Gnulib portability files. */
- #include <getpass.h>
-- 
-2.14.3
-
--- a/ocserv-0.12.0-add-missing-test.patch
+++ b/ocserv-0.12.0-add-missing-test.patch
@ -0,0 +1,46 @@
+diff --git a/tests/server-cert-rsa-pss b/tests/server-cert-rsa-pss
+new file mode 100755
+index 0000000..be3d098
+--- /dev/null
+++ b/tests/server-cert-rsa-pss
+@@ -0,0 +1,40 @@
+#!/bin/sh
+#
+# Copyright (C) 2017 Red Hat, Inc.
+#
+# This file is part of ocserv.
+#
+# ocserv is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at
+# your option) any later version.
+#
+# ocserv is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with GnuTLS; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+SERV="${SERV:-../src/ocserv}"
+srcdir=${srcdir:-.}
+NO_NEED_ROOT=1
+PORT=4444
+
+. `dirname $0`/common.sh
+
+echo "Testing server cert with RSA-PSS... "
+
+update_config test-rsa-pss.config
+launch_sr_server -d 1 -f -c ${CONFIG} & PID=$!
+wait_server $PID
+
+echo "Connecting to obtain cookie... "
+( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=sha256:7462b697482f771a9a787bc19db00f704a1685ae09ed201b7a126b052a09522e --cookieonly ) ||
+	fail $PID "Could not receive cookie from server"
+
+cleanup
+
+exit 0
--- a/ocserv.conf
+++ b/ocserv.conf
@ -1,12 +1,19 @@
-# User authentication method. Could be set multiple times and in 
-# that case all should succeed. To enable multiple methods use
-# multiple auth directives. Available options: certificate, 
-# plain, pam, radius, gssapi.
+### The following directives do not change with server reload.
+#
+# User authentication method. To require multiple methods to be
+# used for the user to login, add multiple auth directives. The values
+# in the 'auth' directive are AND composed (if multiple all must
+# succeed).
+# Available options: certificate, plain, pam, radius, gssapi.
+# Note that authentication methods utilizing passwords cannot be
+# combined (e.g., the plain, pam or radius methods).
 #
-# Note that authentication methods cannot be changed with reload.
-
 # certificate:
 #  This indicates that all connecting users must present a certificate.
+#  The username and user group will be then extracted from it (see
+#  cert-user-oid and cert-group-oid). The certificate to be accepted
+#  it must be signed by the CA certificate as specified in 'ca-cert' and
+#  it must not be listed in the CRL, as specified by the 'crl' option.
 #
 # pam[gid-min=1000]:
 #  This enabled PAM authentication of the user. The gid-min option is used 
@ -44,7 +51,9 @@ auth = "pam"

 # Specify alternative authentication methods that are sufficient
 # for authentication. That is, if set, any of the methods enabled
-# will be sufficient to login.
+# will be sufficient to login, irrespective of the main 'auth' entries.
+# When multiple options are present, they are OR composed (any of them
+# succeeding allows login).
 #enable-auth = "certificate"
 #enable-auth = "gssapi"
 #enable-auth = "gssapi[keytab=/etc/key.tab,require-local-user-map=true,tgt-freshness-time=900]"
@ -176,6 +185,10 @@ try-mtu-discovery = false
 #
 # There may be multiple server-cert and server-key directives,
 # but each key should correspond to the preceding certificate.
+# The certificate files will be reloaded when changed allowing for in-place
+# certificate renewal (they are checked and reloaded periodically;
+# a SIGHUP signal to main server will force reload).
+
 server-cert = /etc/pki/ocserv/public/server.crt
 server-key = /etc/pki/ocserv/private/server.key

--- a/ocserv.spec
+++ b/ocserv.spec
@ -1,7 +1,7 @@
 # This spec file has been automatically updated
-Version:	0.11.11
-Release: 2%{?dist}
-Patch1:	ocserv-0.11.11-crypt.patch
+Version:	0.12.0
+Release: 1%{?dist}
+Patch1:	ocserv-0.12.0-add-missing-test.patch
 %global _hardened_build 1

 %if 0%{?fedora} || 0%{?rhel} >= 7
@ -20,9 +20,9 @@ Patch1:	ocserv-0.11.11-crypt.patch

 %define use_local_protobuf 0
 %if 0%{?rhel} && 0%{?rhel} == 7
-%ifarch ppc64
-%define use_local_protobuf 1
-%endif
+#%ifarch ppc64
+#%define use_local_protobuf 1
+#%endif
 %endif

 Name:		ocserv
@ -79,12 +79,11 @@ BuildRequires:	GeoIP-devel
 %if %{use_systemd}
 BuildRequires:	systemd
 BuildRequires:	systemd-devel
-BuildRequires:	autogen-libopts-devel
-BuildRequires:	autogen
 BuildRequires:	liboath-devel
 BuildRequires:	uid_wrapper
 BuildRequires:	socket_wrapper
 BuildRequires:	gnupg2
+BuildRequires:	rubygem(ronn)

 %if 0%{?rhel} && 0%{?rhel} >= 7
 %ifarch x86_64 %{ix86}
@ -127,7 +126,12 @@ to provide the secure VPN service.
 %if %{have_gpgv2}
 gpgv2 --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0} || gpgv2 --keyring %{SOURCE10} %{SOURCE1} %{SOURCE0}
 %endif
+
+%if 0%{?rhel} && 0%{?rhel} <= 6
 %setup -q
+%else
+%autosetup -p1
+%endif

 rm -f src/http-parser/http_parser.c src/http-parser/http_parser.h
 %if (0%{?use_local_protobuf} == 0)
@ -141,14 +145,13 @@ sed -i 's/run-as-group = nogroup/run-as-group = nobody/g' tests/data/*.config
 # GPLv3 in headers is a gnulib bug: 
 # http://lists.gnu.org/archive/html/bug-gnulib/2013-11/msg00062.html
 sed -i 's/either version 3 of the License/either version 2 of the License/g' build-aux/snippet/*
-sed -i 's/exit 1/exit 77/g' tests/ocpasswd-test

 %if 0%{?rhel} && 0%{?rhel} <= 6
 echo "int main() { return 77; }" > tests/valid-hostname.c
-%else
-rm -f libopts/*.c libopts/*.h libopts/*/*.c libopts/*/*.h
 %endif

+chmod 755 tests/server-cert-rsa-pss
+
 %build

 %if 0%{?rhel} && 0%{?rhel} <= 6
@ -166,9 +169,6 @@ autoreconf -fvi
 %else
 	--disable-systemd \
 %endif
-%if 0%{?rhel} && 0%{?rhel} <= 6
-	--enable-local-libopts \
-%endif
 %if %{use_local_protobuf}
 	--without-protobuf \
 %endif
@ -263,6 +263,9 @@ install -D -m 0755 %{SOURCE11} %{buildroot}/%{_initrddir}/%{name}
 %endif

 %changelog
+* Mon Apr 23 2018 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.12.0-1
+- Update to upstream 0.12.0 release
+
 * Thu Apr 12 2018 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.11.11-2
 - Update to upstream 0.11.11 release
 - include crypt.h to use crypt()
--- a/6
+++ b/6
@ -5,7 +5,7 @@ SHA512 (ocserv-genkey) = e898144fd977e4c57c4a9a5480b38f6a166c0281c41500c3fa9b7e1
 SHA512 (PACKAGE-LICENSING) = eea2a2a4765c90d874c79bb72d754c8b26b58d5e5b3c3cee10c24754fbba6849fd91f7b28e380b5db9789a456f95fc94b3bd8fe8c160a98c8042f404479ecb68
 SHA512 (ocserv-pamd.conf) = 3a75f19d89ddd164f3faa9c3579c7f675fc58413a194f43ec28eee7ebced6fee3f4ca305fe9b0ddf76ae39cd669e8d3d63b58afbbf19b84e4ca646ae7f42d61a
 SHA512 (ocserv.service) = 264f3389d88aec1f7d2e4683a4dfc0aa67af2325154de822eecf5fb43f8c221aab0d9f0c6a8eedb893e6d69ed4d94c9397b01e5d0d12e88330017a3bfa5f3644
-SHA512 (ocserv.conf) = 0a48d394dba183528c1e92df2a8b844a4d7d419244b1c08883f79c8b48843986e786ea4d48478ed4e8d57fd56626bf962dbcf6c76b5839ba5ab5fac8b089c44c
+SHA512 (ocserv.conf) = 5b68a3547c6c69bf7c2b322692d6382162a587c47edad97690223c36f30ed98d3869d1ce063c630740d91888a4d70aadd657ddc6052c10e6e26800fca2e9d0c0
 SHA512 (gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg) = 3b1989dc6a64d1140f83a2af0773da2adb03c50d97b6da7357cf09525050651aafa21131f1e3180baa540a8af922119a256f5ff5bcd6602996a806e8e1816bad
-SHA512 (ocserv-0.11.11.tar.xz.sig) = 7a1521f94d48d7aafb66e6c544eb2e1c5a08d02441acc5f57876faaa984ad203f0395da37e602ad5539f54aa0ce1ff5da7389254028f6b811a9e01d6f86b1e84
-SHA512 (ocserv-0.11.11.tar.xz) = 1750e4ddd221913f82379ed34cf63f2ce858d73cfda0bcf60670a32bf2e8574a39f267c77abab78d2cf9a563a816d975e1a07b85c5e2412bd6d009850c8c262d
+SHA512 (ocserv-0.12.0.tar.xz.sig) = a746e72ba07bf7d28104385a70ba4c685389353368d02383eb385aece19ccc9d51a86226371338dbe1737046e403b17e351a04ffa2674ca594bf9e467438b534
+SHA512 (ocserv-0.12.0.tar.xz) = 73e39a6073761a42cff7637fdc0748d969dc6ddd80635633487aa2627ae7234af772194cf27fdded9f08637b26d7ca9017555242ccdb6ade03897f9d4ca4de8d