[ocspd/f18] * Tue Nov 5 2013 Patrick Monnerat <pm at datasphere.ch> 1.9.0-1 - New upstream release.
Patrick Monnerat
monnerat at fedoraproject.org
Tue Nov 5 14:04:32 UTC 2013
commit 195dded9066e3ffbedc5a3ff36e9cc984617bc14
Author: Patrick Monnerat <pm at datasphere.ch>
Date: Tue Nov 5 15:04:26 2013 +0100
* Tue Nov 5 2013 Patrick Monnerat <pm at datasphere.ch> 1.9.0-1
- New upstream release.
.gitignore | 1 +
...gorcast.patch => ocspd-1.7.0-badalgorcast.patch | 8 +-
ocspd-1.7.0-badcasts.patch | 141 +++++++++
ocspd-1.7.0-bufresponse.patch | 79 +++++
ocspd-1.7.0-config.patch | 312 ++++++++++++++++++++
ocspd-1.7.0-deprecldap.patch | 128 ++++++++
....5.1-openssl.patch => ocspd-1.7.0-openssl.patch | 26 +-
...-podsyntax.patch => ocspd-1.7.0-podsyntax.patch | 0
ocspd-1.7.0-setgroups.patch | 28 ++
ocspd-1.7.0-threadinit.patch | 60 ++++
...cspd-1.5.1-misc.patch => ocspd-1.9.0-misc.patch | 281 ++++++++----------
ocspd.service | 2 +-
ocspd.spec | 47 ++-
openca-ocspd-1.5.1-badcomment.patch | 16 -
openca-ocspd-1.5.1-bufresponse.patch | 63 ----
sources | 2 +-
16 files changed, 926 insertions(+), 268 deletions(-)
---
diff --git a/.gitignore b/.gitignore
index 0ea26c4..dd99df5 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
openca-ocspd-1.5.1-rc1.tar.gz
+/openca-ocspd-1.9.0.tar.gz
diff --git a/openca-ocspd-1.5.1-badalgorcast.patch b/ocspd-1.7.0-badalgorcast.patch
similarity index 80%
rename from openca-ocspd-1.5.1-badalgorcast.patch
rename to ocspd-1.7.0-badalgorcast.patch
index 747f812..fd701b5 100644
--- a/openca-ocspd-1.5.1-badalgorcast.patch
+++ b/ocspd-1.7.0-badalgorcast.patch
@@ -1,7 +1,7 @@
-diff -Naur openca-ocspd-1.5.1-rc1.orig/src/hash-db.c openca-ocspd-1.5.1-rc1.new/src/hash-db.c
---- openca-ocspd-1.5.1-rc1.orig/src/hash-db.c 2006-10-15 16:42:20.000000000 +0200
-+++ openca-ocspd-1.5.1-rc1.new/src/hash-db.c 2013-01-21 18:56:52.368649025 +0100
-@@ -701,26 +701,32 @@
+diff -Naurp openca-ocspd-1.7.0.orig/src/hash-db.c openca-ocspd-1.7.0.new/src/hash-db.c
+--- openca-ocspd-1.7.0.orig/src/hash-db.c 2008-02-15 00:24:15.000000000 +0100
++++ openca-ocspd-1.7.0.new/src/hash-db.c 2013-10-30 12:25:54.851887748 +0100
+@@ -723,26 +723,32 @@ STACK_OF(CA_ENTRY_CERTID) *ocspd_CA_ENTR
/* Set the Digest Algorithm used */
nid = EVP_MD_type(digest);
diff --git a/ocspd-1.7.0-badcasts.patch b/ocspd-1.7.0-badcasts.patch
new file mode 100644
index 0000000..e04df0e
--- /dev/null
+++ b/ocspd-1.7.0-badcasts.patch
@@ -0,0 +1,141 @@
+diff -Naur openca-ocspd-1.7.0.orig/src/hash-db.c openca-ocspd-1.7.0.new/src/hash-db.c
+--- openca-ocspd-1.7.0.orig/src/hash-db.c 2013-02-20 13:36:09.057265341 +0100
++++ openca-ocspd-1.7.0.new/src/hash-db.c 2013-02-20 14:02:28.590528713 +0100
+@@ -403,8 +403,8 @@
+ }
+
+ if( ocspd_conf->verbose ) {
+- syslog( LOG_INFO, "INFO::HTTP::Successfully got CA cert [%d]",
+- buf->length);
++ syslog( LOG_INFO, "INFO::HTTP::Successfully got CA cert [%lu]",
++ (unsigned long) buf->length);
+ }
+
+ /* Build a memory bio from the MEM_BUF data */
+@@ -487,8 +487,8 @@
+ }
+
+ if( ocspd_conf->verbose ) {
+- syslog( LOG_INFO, "INFO::HTTP::Successfully got CRL [%d]",
+- buf->length);
++ syslog( LOG_INFO, "INFO::HTTP::Successfully got CRL [%lu]",
++ (unsigned long) buf->length);
+ }
+
+ /* Build a memory bio from the MEM_BUF data */
+diff -Naur openca-ocspd-1.7.0.orig/src/http_client.c openca-ocspd-1.7.0.new/src/http_client.c
+--- openca-ocspd-1.7.0.orig/src/http_client.c 2008-02-15 00:24:15.000000000 +0100
++++ openca-ocspd-1.7.0.new/src/http_client.c 2013-02-20 13:47:44.224871928 +0100
+@@ -77,7 +77,7 @@
+ /* Max Reading size exceeded */
+ syslog( LOG_ERR,
+ "ERROR::HTTP::Read::Max read size exceeded "
+- " [ %d ]", max_size );
++ " [ %ld ]", (long) max_size );
+ BUF_MEM_free( buf );
+ return NULL;
+ }
+diff -Naur openca-ocspd-1.7.0.orig/src/ocsp_request.c openca-ocspd-1.7.0.new/src/ocsp_request.c
+--- openca-ocspd-1.7.0.orig/src/ocsp_request.c 2008-02-15 00:24:15.000000000 +0100
++++ openca-ocspd-1.7.0.new/src/ocsp_request.c 2013-02-20 13:46:42.288254074 +0100
+@@ -42,6 +42,7 @@
+
+ struct timeval time_out;
+ fd_set readset;
++ long ltemp;
+
+ if( !ocspd_conf ) {
+ return (NULL);
+@@ -142,7 +143,7 @@
+
+ if( ocspd_conf->debug ) {
+ syslog(LOG_ERR, "DEBUG::NETWORK::recv "
+- "received %d (conn = %d)!", newsize, connfd);
++ "received %ld (conn = %d)!", (long) newsize, connfd);
+ }
+
+ /*
+@@ -164,11 +165,16 @@
+ /* Check for headers */
+ if( (!cont_len) &&
+ ((pnt = strstr_nocase(buf, "Content-Length: " )) != NULL) ) {
++ ltemp = 0;
++
+ if((pnt_end = strstr(pnt, "\r\n")) != NULL )
+- sscanf((char *) (pnt+16), "%d", &cont_len );
++ sscanf((char *) (pnt+16), "%ld", <emp);
++
++ cont_len = ltemp;
++
+ if(ocspd_conf->debug) {
+- syslog(LOG_ERR, "DEBUG::Got Content Len [%d]",
+- cont_len);
++ syslog(LOG_ERR, "DEBUG::Got Content Len [%ld]",
++ ltemp);
+ }
+ }
+
+@@ -217,8 +223,8 @@
+ if( fullsize >= maxsize ) {
+ /* Max Reading size exceeded */
+ syslog( LOG_ERR,
+- "ERROR::Max REQUEST size exceeded [ %d ]",
+- maxsize );
++ "ERROR::Max REQUEST size exceeded [ %ld ]",
++ (long) maxsize );
+ free( buf );
+ return(NULL);
+ }
+@@ -250,21 +256,22 @@
+
+ syslog( LOG_ERR, "ERROR: Internal memory allocation error!");
+ if(ocspd_conf->debug) {
+- fprintf(stderr, "ERROR::req_st=%p [len %d]\n",
+- req_st, cont_len);
++ fprintf(stderr, "ERROR::req_st=%p [len %ld]\n",
++ req_st, (long) cont_len);
+ }
+ } else {
+ if((req = d2i_OCSP_REQUEST_bio(mem, NULL)) == NULL ) {
+ if(ocspd_conf->debug) {
+ syslog(LOG_ERR, "ERROR::Parsing in d2i_ function\n");
+
+- fprintf(stderr, "[len %d] buf=%p -- req_st=%p "
+- "(fullsize %d - hd_size = %d - "
+- "rq_size = %d)\n",
+- cont_len, buf,
+- req_st, fullsize,
+- req_st - buf,
+- fullsize - (req_st - buf) );
++ fprintf(stderr, "[len %ld] buf=%p -- req_st=%p "
++ "(fullsize %ld - "
++ "hd_size = %ld - "
++ "rq_size = %ld)\n",
++ (long) cont_len, buf,
++ req_st, (long) fullsize,
++ (long) (req_st - buf),
++ (long) (fullsize - (req_st - buf)));
+ }
+ }
+ if(mem) BIO_free (mem);
+diff -Naur openca-ocspd-1.7.0.orig/src/threads.c openca-ocspd-1.7.0.new/src/threads.c
+--- openca-ocspd-1.7.0.orig/src/threads.c 2008-11-21 20:13:17.000000000 +0100
++++ openca-ocspd-1.7.0.new/src/threads.c 2013-02-20 13:51:18.635395840 +0100
+@@ -29,7 +29,7 @@
+
+ th_ptr = &(ocspd_conf->threads_list[i]);
+ if( (ret=pthread_create( &ocspd_conf->threads_list[i].thread_tid,
+- NULL, thread_main, (void *) i )) ) {
++ NULL, thread_main, (void *) &i )) ) {
+
+ syslog(LOG_ERR,"ERROR::OPENCA_SRV_ERR_THREAD_CREATE");
+ return(ret);
+@@ -50,7 +50,7 @@
+
+ struct sigaction sa;
+
+- thread_nr = (int) arg;
++ thread_nr = *(int *) arg;
+
+ if ( ocspd_conf->verbose ) {
+ syslog(LOG_INFO, "INFO::OPENCA_SRV_INFO_TREAD::new thread "
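Review bot: The client-supplied Content-Length parsed by `sscanf((char *) (pnt+16), "%ld", <emp);` is stored into `cont_len` with no range check, so a negative or huge value reaches whatever `cont_len` later sizes; that later use is outside the hunk, and the only bound visible here, `if( fullsize >= maxsize )`, covers the bytes actually received rather than the advertised length. Widening the parse to `long` also means `cont_len = ltemp;` silently truncates if `cont_len` is still an `int` (the old `%d` format suggests it is), and `sscanf` with `%ld` is undefined on overflow. I would parse with `errno = 0; ltemp = strtol(pnt + 16, &endp, 10);` and reject the request unless `errno == 0 && endp != pnt + 16 && ltemp >= 0 && ltemp < maxsize` before assigning `cont_len`. The threads.c part of this patch hands the new thread `&i`, the address of thread_make()'s loop counter, which is racy on its own; the threadinit patch in this same commit reworks that, so the two patches must stay applied in this order.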
diff --git a/ocspd-1.7.0-bufresponse.patch b/ocspd-1.7.0-bufresponse.patch
new file mode 100644
index 0000000..5b52eab
--- /dev/null
+++ b/ocspd-1.7.0-bufresponse.patch
@@ -0,0 +1,79 @@
+diff -Naur openca-ocspd-1.7.0.orig/src/ocspd_engine.c openca-ocspd-1.7.0.new/src/ocspd_engine.c
+--- openca-ocspd-1.7.0.orig/src/ocspd_engine.c 2008-11-21 20:37:13.000000000 +0100
++++ openca-ocspd-1.7.0.new/src/ocspd_engine.c 2013-02-20 11:43:48.853874579 +0100
+@@ -228,7 +228,7 @@
+ syslog( LOG_INFO, "Added '%s' to POST COMMANDS",
+ val->value );
+ } else {
+- syslog( LOG_INFO, "Not Reckognised '%s' option",
++ syslog( LOG_INFO, "Not recognised '%s' option",
+ val->name );
+ }
+ }
+diff -Naur openca-ocspd-1.7.0.orig/src/ocsp_response.c openca-ocspd-1.7.0.new/src/ocsp_response.c
+--- openca-ocspd-1.7.0.orig/src/ocsp_response.c 2008-11-19 22:23:16.000000000 +0100
++++ openca-ocspd-1.7.0.new/src/ocsp_response.c 2013-02-20 11:54:37.702711720 +0100
+@@ -74,7 +74,7 @@
+ if ((ca = ocspd_CA_ENTRY_find( conf, cid )) == NULL) {
+ if (conf->verbose) {
+ syslog( LOG_INFO,
+- "request for non reckognized CA [serial %ld]",
++ "request for non recognized CA [serial %ld]",
+ ASN1_INTEGER_get(serial) );
+ }
+ OCSP_basic_add1_status(bs, cid,
+@@ -227,6 +227,9 @@
+ int ocspd_resp_send_socket(int connfd, OCSP_RESPONSE *resp,
+ OCSPD_CONFIG *conf) {
+ BIO *out = NULL;
++ BIO *mem = NULL;
++ char * cp;
++ int len;
+ int bio_ret = 0;
+ ASN1_GENERALIZEDTIME *date = NULL;
+ ASN1_GENERALIZEDTIME *expire = NULL;
+@@ -258,6 +261,12 @@
+ return(0);
+ }
+
++ if((mem = BIO_new(BIO_s_mem())) == NULL ) {
++ syslog(LOG_ERR, "ERROR::memory BIO creation");
++ BIO_free(out);
++ return(0);
++ }
++
+ // thisupd = thisupd = M_ASN1_TIME_dup(ca->lastUpdate);
+ date = ASN1_GENERALIZEDTIME_new();
+ expire = ASN1_GENERALIZEDTIME_new();
+@@ -269,16 +278,23 @@
+ X509_gmtime_adj(expire, 0);
+ }
+
+- BIO_printf(out, http_resp, i2d_OCSP_RESPONSE(resp, NULL));
+- BIO_printf(out, "Date: ");
+- ASN1_GENERALIZEDTIME_print(out, date);
+- BIO_printf(out, "\r\nExpires: ");
+- ASN1_GENERALIZEDTIME_print(out, expire);
+- BIO_printf(out, "\r\n\r\n");
++ BIO_printf(mem, http_resp, i2d_OCSP_RESPONSE(resp, NULL));
++ BIO_printf(mem, "Date: ");
++ ASN1_GENERALIZEDTIME_print(mem, date);
++ BIO_printf(mem, "\r\nExpires: ");
++ ASN1_GENERALIZEDTIME_print(mem, expire);
++ BIO_printf(mem, "\r\n\r\n");
++
++ i2d_OCSP_RESPONSE_bio(mem, resp);
++ len = BIO_get_mem_data(mem, &cp);
++
++ if (len < 0)
++ syslog(LOG_ERR, "ERROR::response length %d <= 0", len);
++ else
++ BIO_write(out, cp, len);
+
+- i2d_OCSP_RESPONSE_bio(out, resp);
+ bio_ret = BIO_flush(out);
+-
++ BIO_free(mem);
+ BIO_free(out);
+
+ if( date ) ASN1_GENERALIZEDTIME_free( date );
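Review bot: The results of `i2d_OCSP_RESPONSE_bio(mem, resp);` and `BIO_write(out, cp, len);` are both discarded, so an encoding failure sends HTTP headers whose Content-Length (taken from `i2d_OCSP_RESPONSE(resp, NULL)` in the `BIO_printf(mem, http_resp, ...)` call) no longer matches the body, and a short write to the socket is still reported as success through `bio_ret = BIO_flush(out)`. The error branch also logs `response length %d <= 0` while testing `len < 0`, so an empty buffer is written out as a zero-length response. I would check the encoder, test `len <= 0`, and treat a short write as a failure, assuming `bio_ret` is what the function returns (its tail is outside the hunk). The `int len` receiving `BIO_get_mem_data` is a minor narrowing of the BIO's length but harmless for response sizes.
```c
	BIO_printf(mem, "\r\n\r\n");

	if (i2d_OCSP_RESPONSE_bio(mem, resp) <= 0) {
		syslog(LOG_ERR, "ERROR::cannot encode OCSP response");
		bio_ret = 0;
	} else {
		len = BIO_get_mem_data(mem, &cp);
		if (len <= 0) {
			syslog(LOG_ERR, "ERROR::response length %d <= 0", len);
			bio_ret = 0;
		} else if (BIO_write(out, cp, len) != len) {
			syslog(LOG_ERR, "ERROR::short write of OCSP response");
			bio_ret = 0;
		} else {
			bio_ret = BIO_flush(out);
		}
	}
	BIO_free(mem);
	BIO_free(out);
	/* … unchanged: date/expire cleanup … */
```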
diff --git a/ocspd-1.7.0-config.patch b/ocspd-1.7.0-config.patch
new file mode 100644
index 0000000..a665e4e
--- /dev/null
+++ b/ocspd-1.7.0-config.patch
@@ -0,0 +1,312 @@
+diff -Naurp openca-ocspd-1.7.0.orig/docs/ocspd.conf.3 openca-ocspd-1.7.0.new/docs/ocspd.conf.3
+--- openca-ocspd-1.7.0.orig/docs/ocspd.conf.3 2008-02-15 00:24:15.000000000 +0100
++++ openca-ocspd-1.7.0.new/docs/ocspd.conf.3 2013-11-04 20:08:27.870767852 +0100
+@@ -218,7 +218,7 @@ Following is a sample configuration file
+ \& group = daemon
+ \& bind = *
+ \& port = 2560
+-\& max_childs_num = 5
++\& threads_num = 150
+ \& max_req_size = 8192
+ .Ve
+ .PP
+@@ -261,7 +261,7 @@ Following is a sample configuration file
+ \& [ dbms_ldap ]
+ .Ve
+ .PP
+-.Vb 31
++.Vb 33
+ \& # It is possible to use an URI to identify a CRL and/or the
+ \& # CA certificate, the general format is:
+ \& #
+@@ -281,18 +281,21 @@ Following is a sample configuration file
+ \& #
+ \& # You can have the CRLs/CA certificates on a simple file
+ \& # crl_url = file:///usr/local/etc/ocspd/crl.pem
++\& # ca_url = file:///usr/local/etc/ocspd/ca.pem
+ \& #
+ \& # You can retrieve the CRLs/CA certificates from a web server
+-\& # crl_urt = http://server/ca/cacert.der
++\& # crl_url = http://server/ca/cacert.crl.der
++\& # ca_url = http://server/ca/cacert.der
+ \& #
+ \& # You can store the CRL into an LDAP server, simply
+ \& # store it in certificateRevocationList;binary attribute
+ \& #
+-\& # There are different way, all legal, to specify the CRL
++\& # There are different way, all legal, to specify the CRL/CA
+ \& # URL address:
+ \& # crl_url = ldap://user:pwd@ldap.server.org:389
+ \& # crl_url = ldap://ldap.server.org:389
+ \& crl_url = ldap://localhost
++\& ca_url = ldap://localhost
+ .Ve
+ .PP
+ .Vb 5
+@@ -303,6 +306,46 @@ Following is a sample configuration file
+ \& o=Organization, c=IT"
+ .Ve
+ .PP
++.Vb 12
++\& # To retrieve the CRL from LDAP the attribute where it is stored is to
++\& # be specified. Usually this should be set to:
++\& #
++\& # certificateRevocationList;binary
++\& #
++\& # anyway existing LDAP installations or new standards can mandate
++\& # for different attributes for storing CRLs into. Use this parameter
++\& # to specify the attribute used to retrieve the CRL from.
++\& #
++\& # This option is needed only if the CRL is stored on LDAP
++\& crl_entry_attribute = "certificateRevocationList;binary"
++.Ve
++.PP
++.Vb 8
++\& # We need the CA certificate for every CA we support. Upon loading
++\& # the CRL and the CA certificate a simple check is made to ensure
++\& # the CRL/CA certificate matching. Also the CA certificate is used
++\& # to retrieve the CID used to identify the certificate being
++\& # requested by the client (CID of the Issuer + serial Number).
++\& # Like the CRL URL, the URL scheme for the CA may be file, ldap or http.
++\& ca_url = ldap://localhost
++.Ve
++.PP
++.Vb 3
++\& # DN where the cACertificate;binary value can be downloaded
++\& # This option is needed only if the CA Certificate is stored on LDAP
++\& ca_entry_dn = "o=Organisation, c=IT"
++.Ve
++.PP
++.Vb 2
++\& # This is the attribute used to store the CA.
++\& ca_entry_attribute = "caCertificate;binary"
++.Ve
++.PP
++.Vb 2
++\& # Server Certificate to attach to the response
++\& server_cert = file:///etc/ocspd/certs/ocspd_cert.pem
++.Ve
++.PP
+ .Vb 2
+ \& ####################################################################
+ \& [ dbms_file ]
+@@ -371,6 +414,11 @@ to every available interface, simply use
+ .IP "\fBport\fR" 6
+ .IX Item "port"
+ specifies the port to listen to.
++.IP "\fBmax_req_size\fR" 6
++.IX Item "max_req_size"
++Maximum size of received request, if a received request is bigger it
++will be trashed. Usually simple requests are 200/300 bytes long (more
++or less).
+ .IP "\fBthreads_num\fR" 6
+ .IX Item "threads_num"
+ Number of threads that shall be created at startup time, the
+@@ -381,6 +429,21 @@ and processors.
+ From version 1.5+ the server is not pre\-forked, instead it is
+ a pre-threaded one. In order to run the server needs support
+ for \s-1POSIX1\s0.c as found in most modern UNiX systems.
++.IP "\fBmax_client_num\fR" 6
++.IX Item "max_client_num"
++Length of the system's listen() queue. Up to this number of not-yet-served
++connection requests are queued by the system. Additional ones are dropped.
++Default is 30.
++.IP "\fBmax_timeout_secs\fR" 6
++.IX Item "max_timeout_secs"
++Max timeout for request receiving. If a request is not received
++within the specified number of seconds then the socket is closed
++in order to free unused threads. If not set, the default value
++is 5 seconds.
++.IP "\fBhttp_proto\fR" 6
++.IX Item "http_proto"
++ HTTP protocol version to be required. If 1.1 is specified, then
++the "Host: <addr>" name is also used in the header of HTTP GET requests.
+ .IP "\fBchroot_dir\fR" 6
+ .IX Item "chroot_dir"
+ Chroot the application into the specified directory, watch
+@@ -392,11 +455,24 @@ privileges dropping, privileges will not
+ error will be written in the logfile, but the server will
+ continue to run assuming the \fIchroot()\fR is sufficiently isolated
+ to prevent abuse of the machine.
+-.IP "\fBmax_req_size\fR" 6
+-.IX Item "max_req_size"
+-maximum size of received request, if a received request is bigger it
+-will be trashed. Usually simple requests are 200/300 bytes long (more
+-or less).
++.IP "\fBcrl_auto_reload\fR" 6
++.IX Item "crl_auto_reload"
++Auto Reload interval of CRL in seconds. If set to 0 or not present, to
++reload the CRL you'll need to send a SIGHUP (kill -1 <pid>)
++to the parent process.
++.IP "\fBcrl_check_validity\fR" 6
++.IX Item "crl_check_validity"
++CRL validity check period in seconds. If this parameter is set to #n
++then the CRL is checked every #n secs and if the CRL's validity
++period is expired then all the responses will be set to 'unknown'.
++If is set to '0' or not specified, all
++responses will be based on the loaded CRL, no matter if it
++is expired or not.
++.IP "\fBcrl_reload_expired\fR" 6
++.IX Item "crl_reload_expired"
++If the currently loaded CRL is expired, reload it. Set this parameter to "yes"
++only if you are sure that the new CRL will be issued and put
++in the crl_url location.
+ .RE
+ .IP "\fBrequest section\fR"
+ .IX Item "request section"
+diff -Naurp openca-ocspd-1.7.0.orig/etc/ocspd.conf.in openca-ocspd-1.7.0.new/etc/ocspd.conf.in
+--- openca-ocspd-1.7.0.orig/etc/ocspd.conf.in 2013-11-04 19:06:08.816610001 +0100
++++ openca-ocspd-1.7.0.new/etc/ocspd.conf.in 2013-11-04 19:19:28.046227727 +0100
+@@ -135,7 +135,7 @@ ocsp_add_response_keyid = yes
+ # NOTE: Firefox/Mozilla do not parse correctly the OCSP answer in
+ # case the nextUpdate field is missing. It is therefore suggested
+ # to use the next_update_mins set (e.g. 5 minutes) to have mozilla's
+-# software correclty work with OCSP enabled.
++# software correctly work with OCSP enabled.
+ next_update_days = 0
+ next_update_mins = 5
+
+@@ -185,11 +185,16 @@ crl_entry_attribute = "certificateRevoca
+ # the CRL/CA certificate matching. Also the CA certificate is used
+ # to retrieve the CID used to identify the certificate being
+ # requested by the client (CID of the Issuer + serial Number).
+-#
++# Like the CRL URL, the URL scheme for the CA may be file, ldap or http.
++ca_url = ldap://localhost
++
+ # DN where the cACertificate;binary value can be downloaded
+ # This option is needed only if the CA Certificate is stored on LDAP
+ ca_entry_dn = "o=Organisation, c=IT"
+
++# This is the attribute used to store the CA.
++ca_entry_attribute = "caCertificate;binary"
++
+ # Server Certificate to attach to the response
+ server_cert = file://@sysconfdirvalue@/ocspd/certs/ocspd_cert.pem
+
+diff -Naurp openca-ocspd-1.7.0.orig/examples/ocspd.conf openca-ocspd-1.7.0.new/examples/ocspd.conf
+--- openca-ocspd-1.7.0.orig/examples/ocspd.conf 2013-11-04 19:06:08.816610001 +0100
++++ openca-ocspd-1.7.0.new/examples/ocspd.conf 2013-11-04 19:31:23.822329525 +0100
+@@ -32,7 +32,38 @@ port = 2560
+ # Max size of accepted requests. Data connection will be closed
+ # in case this size will be reached.
+ max_req_size = 8192
+-max_childs_num = 1
++
++# Number of threads that shall be created at startup time, the
++# more threads, the better for handling very high traffic. We
++# expect to have better performances on multi-threaded machines
++# and processors.
++threads_num = 150
++
++# Size of the system listen() queue. This allows buffering connection
++# requests for later processing when all threads are already busy.
++#max_client_num = 30
++
++# Max timeout for request receiving. If a request is not received
++# within the specified number of seconds then the socket is closed
++# in order to free unused threads. If not set, the default value
++# is 5 seconds
++max_timeout_secs = 5
++
++# HTTP protocol version to be required. If 1.1 is specified, then
++# the "Host: <addr>" name is also used in the header of HTTP GET
++# requests
++http_proto = 1.1
++
++# Chroot the application into the specified directory, whatch
++# out because if you chroot the application, all the paths
++# should be relative to the new root for CRL reloading or
++# (better solution) you have to download the CRLs from HTTP or
++# LDAP. If you chroot and you do not provide support for
++# privileges dropping, privileges will not be dropped and an
++# error will be written in the logfile, but the server will
++# continue to run assuming the chroot() is sufficiently isolated
++# to prevent abuse of the machine.
++#chroot_dir = /etc/ocspd
+
+ # Auto Reload interval of CRL (if set to 0 or not present, to
+ # reload the CRL you'll need to send a SIGHUP (kill -1 <pid>)
+@@ -100,6 +131,11 @@ ocsp_add_response_keyid = yes
+ # in the OCSP response will be left NULL indicating new data
+ # can be made available anytime (this is true if you are issuing
+ # new CRLs every time a revocation takes place)
++#
++# NOTE: Firefox/Mozilla do not parse correctly the OCSP answer in
++# case the nextUpdate field is missing. It is therefore suggested
++# to use the next_update_mins set (e.g. 5 minutes) to have mozilla's
++# software correctly work with OCSP enabled.
+ next_update_days = 0
+ next_update_mins = 5
+
+@@ -113,6 +149,9 @@ next_update_mins = 5
+ # You can have the CRL on a simple file
+ # crl_url = file:///etc/ocspd/crls/crl.pem
+
++# You can have the CRL retrieved from an HTTP server
++# crl_url = http://[user[:pwd]@]server[:port]/path_to_crl
++
+ # You can store the CRL into an LDAP server, simply
+ # store it in certificateRevocationList;binary attribute
+ #
+@@ -146,11 +185,18 @@ crl_entry_attribute = "certificateRevoca
+ # the CRL/CA certificate matching. Also the CA certificate is used
+ # to retrieve the CID used to identify the certificate being
+ # requested by the client (CID of the Issuer + serial Number).
+-#
++# Like the CRL URL, the URL scheme for the CA may be file, ldap or http.
++ca_url = ldap://localhost
++
+ # DN where the cACertificate;binary value can be downloaded
+ # This option is needed only if the CA Certificate is stored on LDAP
+ ca_entry_dn = "o=Organisation, c=IT"
+
++# This is the attribute used to store the CA.
++ca_entry_attribute = "caCertificate;binary"
++
++# Server Certificate to attach to the response
++server_cert = file:///etc/ocspd/certs/ocspd_cert.pem
+
+ ####################################################################
+ [ dbms_file ]
+@@ -164,12 +210,15 @@ ca_entry_dn = "o=Organisation, c=IT"
+ [ first_ca ]
+
+ # You can have the CRL on a simple file in PEM format
+-crl_url = file:///etc/ocspd/crls/crl_07.crl
++crl_url = file:///etc/ocspd/crls/crl_01.crl
+
+ # We need the CA certificate for every supported CRL
+ # ca_url = file:///etc/ocspd/certs/1st_cacert.pem
+ ca_url = file:///etc/ocspd/certs/cacert.pem
+
++# Server Certificate to attach to the response
++server_cert = file:///etc/ocspd/certs/ocspd_cert.pem
++
+ ####################################################################
+ [ second_ca ]
+
+@@ -179,6 +228,9 @@ crl_url = file:///etc/ocspd/crls/crl_01.
+ # We need the CA certificate for every supported CRL
+ ca_url = file:///etc/ocspd/certs/2nd_cacert.pem
+
++# Server Certificate to attach to the response
++server_cert = file:///etc/ocspd/certs/ocspd_cert.pem
++
+ ####################################################################
+ [ HSM ]
+
+@@ -207,9 +259,10 @@ engine_id = LunaCA3
+ # high application id 10, low app id 11 and password "myPassword"
+ 1.engine_pre = login:1:10:11:myPassword
+
+-# Some HSMs need to perform commands before the application can exit
+-# it is therefore available the 'engine_post' option. Usage and format
++# Some HSMs need to perform commands after the ENGINE initialisation
++# which are taken from the 'engine_post' option. Usage and format
+ # is exactly the same as 'engine_pre', the difference is that commands
+-# are sent to the HSM just before server shutdown.
++# are sent to the HSM after the ENGINE_init() function. Refer to your
++# HSM documentation for more informations
+ # 0.engine_post = logout:1:10:11
+
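Review bot: The installed template etc/ocspd.conf.in now carries `ca_url = ldap://localhost` as a live setting, and the accompanying text says only that "a simple check is made to ensure the CRL/CA certificate matching"; since that CA certificate is what the responder uses to build the issuer CID and to validate the CRL, fetching it over plain ldap:// or http:// (as the `# ca_url = http://server/ca/cacert.der` example also suggests) leaves the trust anchor itself open to substitution by anyone on the path. I would add to the ca_url description in docs/ocspd.conf.3 and both config files: `# The CA certificate is the trust anchor for CRL verification: load it from a local file or an authenticated channel, never from an unauthenticated http:// or ldap:// source.` The new `crl_url = http://[user[:pwd]@]server[:port]/path_to_crl` form embeds credentials in a config value, so a sentence that such files must not be world-readable belongs next to it. The new chroot_dir comment in examples/ocspd.conf also repeats the typo `whatch` from the man page.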
diff --git a/ocspd-1.7.0-deprecldap.patch b/ocspd-1.7.0-deprecldap.patch
new file mode 100644
index 0000000..12042bc
--- /dev/null
+++ b/ocspd-1.7.0-deprecldap.patch
@@ -0,0 +1,128 @@
+diff -Naur openca-ocspd-1.7.0.orig/src/hash-db.c openca-ocspd-1.7.0.new/src/hash-db.c
+--- openca-ocspd-1.7.0.orig/src/hash-db.c 2013-02-20 14:08:37.959103608 +0100
++++ openca-ocspd-1.7.0.new/src/hash-db.c 2013-02-20 16:36:05.511726770 +0100
+@@ -127,6 +127,8 @@
+ LDAP *ld = NULL;
+ int protocol = -1;
+ int ret = 0;
++ char * cp = NULL;
++ struct berval bv;
+
+
+ (void) signal( SIGPIPE, SIG_IGN );
+@@ -144,11 +146,23 @@
+ if(ocspd_conf->verbose)
+ syslog( LOG_INFO, "INFO::Connecting to LDAP (%s)", url->addr );
+
+- if (( ld = ldap_init( url->addr, url->port )) == NULL ) {
+- syslog( LOG_ERR, "ERROR::ldap_init failure!");
++ cp = malloc(strlen(url->addr) + 14);
++
++ if (!cp) {
++ syslog( LOG_ERR, "ERROR::No memory for LDAP url");
++ return NULL;
++ }
++
++ sprintf(cp, "ldap://%s:%d", url->addr, url->port);
++
++ if (ldap_initialize(&ld, cp) != LDAP_SUCCESS) {
++ free(cp);
++ syslog( LOG_ERR, "ERROR::ldap_initialize failure!");
+ return NULL;
+ }
+
++ free(cp);
++
+ if(ocspd_conf->verbose)
+ syslog( LOG_INFO, "INFO::Connection established (%s)",
+ url->addr );
+@@ -159,13 +173,16 @@
+ != LDAP_OPT_SUCCESS ) {
+ syslog( LOG_ERR, "ERROR::Could not set LDAP_OPT_PROTOCOL_VERSION %d\n",
+ protocol );
+- ldap_unbind(ld);
++ ldap_unbind_ext(ld, NULL, NULL);
+ return(NULL);
+ }
+
+- if ( (ret = ldap_bind_s( ld, url->usr, url->pwd, LDAP_AUTH_SIMPLE ))
+- != LDAP_SUCCESS ) {
+- syslog( LOG_ERR, "ERROR::ldap_bind_s failure (%s:%d) [%d]",
++ bv.bv_len = strlen(url->pwd);
++ bv.bv_val = url->pwd;
++
++ if ((ret = ldap_sasl_bind_s(ld, url->usr, LDAP_SASL_SIMPLE, &bv,
++ NULL, NULL, NULL)) != LDAP_SUCCESS) {
++ syslog( LOG_ERR, "ERROR::ldap_sasl_bind_s failure (%s:%d) [%d]",
+ url->addr, url->port, ret );
+ return NULL;
+ }
+@@ -199,9 +216,8 @@
+ }
+
+ /* We search for the exact match, so LDAP_SCOPE_BASE is used here */
+- if (( rc = ldap_search_s( ld, url->dn, LDAP_SCOPE_BASE,
+- filter, attrs, 0, &res )) != LDAP_SUCCESS ) {
+-
++ if ((rc = ldap_search_ext_s(ld, url->dn, LDAP_SCOPE_BASE, filter,
++ attrs, 0, NULL, NULL, NULL, LDAP_NO_LIMIT, &res)) != LDAP_SUCCESS) {
+ if ( rc != LDAP_NO_SUCH_OBJECT ) {
+ syslog( LOG_ERR,
+ "LDAP: [%s] object not found", url->dn );
+@@ -282,7 +298,7 @@
+
+ end:
+ if(res) ldap_msgfree( res );
+- if(ld) ldap_unbind( ld );
++ if(ld) ldap_unbind_ext(ld, NULL, NULL);
+
+ if( ocspd_conf->verbose )
+ syslog( LOG_INFO, "INFO::LDAP::Successfully unbinded");
+@@ -300,6 +316,7 @@
+ struct berval **vals = NULL;
+ LDAPMessage *res = NULL;
+ BIO *membio = NULL;
++ struct berval bv;
+
+ X509_CRL *crl = NULL;
+
+@@ -307,11 +324,14 @@
+ return NULL;
+ }
+
+- if ( (ret = ldap_bind_s( ld, url->usr, url->pwd, LDAP_AUTH_SIMPLE ))
+- != LDAP_SUCCESS ) {
+- syslog( LOG_ERR, "LDAP: ldap_bind_s failure (%s:%d) [%d]",
++ bv.bv_len = strlen(url->pwd);
++ bv.bv_val = url->pwd;
++
++ if ((ret = ldap_sasl_bind_s(ld, url->usr, LDAP_SASL_SIMPLE, &bv,
++ NULL, NULL, NULL)) != LDAP_SUCCESS) {
++ syslog( LOG_ERR, "LDAP: ldap_sasl_bind_s failure (%s:%d) [%d]",
+ url->addr, url->port, ret );
+- // ldap_perror( ld, "ldap_bind" );
++ // ldap_perror( ld, "ldap_sasl_bind_s" );
+ return NULL;
+ }
+
+@@ -319,9 +339,8 @@
+ syslog( LOG_INFO, "INFO::LDAP::Successfully binded (%s)", url->dn);
+
+ /* We search for the exact match, so LDAP_SCOPE_BASE is used here */
+- if (( rc = ldap_search_s( ld, url->dn, LDAP_SCOPE_BASE,
+- filter, attrs, 0, &res )) != LDAP_SUCCESS ) {
+-
++ if ((rc = ldap_search_ext_s(ld, url->dn, LDAP_SCOPE_BASE, filter,
++ attrs, 0, NULL, NULL, NULL, LDAP_NO_LIMIT, &res)) != LDAP_SUCCESS) {
+ if ( rc != LDAP_NO_SUCH_OBJECT )
+ syslog( LOG_ERR, "ERROR::LDAP::[%s] NOT found",
+ url->dn );
+@@ -372,7 +391,7 @@
+
+ end:
+ if(res) ldap_msgfree( res );
+- if(ld) ldap_unbind( ld );
++ if(ld) ldap_unbind_ext(ld, NULL, NULL);
+
+ if( ocspd_conf->verbose )
+ syslog( LOG_INFO, "INFO::LDAP::Successfully unbinded" );
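Review bot: Both new simple-bind sites compute `bv.bv_len = strlen(url->pwd);` without a NULL check, whereas the removed `ldap_bind_s( ld, url->usr, url->pwd, LDAP_AUTH_SIMPLE )` accepted a NULL credential as an anonymous bind; if the URL parser leaves `url->pwd` NULL for a URL without `user:pwd@` (the `ldap://localhost` examples shipped in the config), this crashes on every CRL or CA fetch. I would write `bv.bv_val = url->pwd ? url->pwd : "";` followed by `bv.bv_len = strlen(bv.bv_val);` in both places. The buffer behind `sprintf(cp, "ldap://%s:%d", url->addr, url->port);` is sized `strlen(url->addr) + 14`, which only holds a five-digit port; unless the port is range-checked at parse time, use `snprintf(cp, strlen(url->addr) + 14, ...)` or size the buffer for a full `%d`. Both `return NULL;` paths after `ldap_sasl_bind_s` still skip `ldap_unbind_ext`, leaking the handle on an authentication failure. Since the rebuilt URL always uses the `ldap://` scheme, a configured password goes over the wire in clear unless StartTLS is negotiated somewhere this hunk does not show.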
diff --git a/openca-ocspd-1.5.1-openssl.patch b/ocspd-1.7.0-openssl.patch
similarity index 66%
rename from openca-ocspd-1.5.1-openssl.patch
rename to ocspd-1.7.0-openssl.patch
index ca7e1f7..b23afa0 100644
--- a/openca-ocspd-1.5.1-openssl.patch
+++ b/ocspd-1.7.0-openssl.patch
@@ -1,7 +1,7 @@
-diff -up openca-ocspd-1.5.1-rc1/src/general.h.openssl openca-ocspd-1.5.1-rc1/src/general.h
---- openca-ocspd-1.5.1-rc1/src/general.h.openssl 2009-08-22 18:04:47.000000000 +0200
-+++ openca-ocspd-1.5.1-rc1/src/general.h 2009-08-22 18:04:06.000000000 +0200
-@@ -279,6 +279,10 @@ typedef struct ca_list_st
+diff -Naur openca-ocspd-1.7.0.orig/src/general.h openca-ocspd-1.7.0.new/src/general.h
+--- openca-ocspd-1.7.0.orig/src/general.h 2013-02-20 12:43:15.604909205 +0100
++++ openca-ocspd-1.7.0.new/src/general.h 2013-02-20 12:43:42.173460620 +0100
+@@ -289,6 +289,10 @@
} CA_LIST_ENTRY;
@@ -12,10 +12,10 @@ diff -up openca-ocspd-1.5.1-rc1/src/general.h.openssl openca-ocspd-1.5.1-rc1/src
typedef struct ocspd_config {
/* Configuration file name */
-diff -up openca-ocspd-1.5.1-rc1/src/ocspd_engine.c.openssl openca-ocspd-1.5.1-rc1/src/ocspd_engine.c
---- openca-ocspd-1.5.1-rc1/src/ocspd_engine.c.openssl 2009-08-22 17:50:07.000000000 +0200
-+++ openca-ocspd-1.5.1-rc1/src/ocspd_engine.c 2009-08-22 18:13:19.000000000 +0200
-@@ -97,7 +97,11 @@ int ocspd_exec_engine_cmds ( ENGINE *e,
+diff -Naur openca-ocspd-1.7.0.orig/src/ocspd_engine.c openca-ocspd-1.7.0.new/src/ocspd_engine.c
+--- openca-ocspd-1.7.0.orig/src/ocspd_engine.c 2013-02-20 12:43:15.600908971 +0100
++++ openca-ocspd-1.7.0.new/src/ocspd_engine.c 2013-02-20 12:50:05.545846962 +0100
+@@ -112,7 +112,11 @@
int i, val, num;
/* Check if there are some commands to be executed */
@@ -27,7 +27,7 @@ diff -up openca-ocspd-1.5.1-rc1/src/ocspd_engine.c.openssl openca-ocspd-1.5.1-rc
if(val < 1) {
if( ocspd_conf->verbose )
syslog(LOG_INFO, "HSM no commands to execute in stack");
-@@ -127,7 +131,11 @@ int ocspd_exec_engine_cmds ( ENGINE *e,
+@@ -142,7 +146,11 @@
const char *cmd = NULL;
const char *arg = NULL;
@@ -39,7 +39,7 @@ diff -up openca-ocspd-1.5.1-rc1/src/ocspd_engine.c.openssl openca-ocspd-1.5.1-rc
continue;
}
-@@ -192,8 +200,13 @@ int ocspd_load_engine_section ( OCSPD_CO
+@@ -207,8 +215,13 @@
return 0;
/* Initialise the STACK for pre/post commands */
@@ -53,10 +53,10 @@ diff -up openca-ocspd-1.5.1-rc1/src/ocspd_engine.c.openssl openca-ocspd-1.5.1-rc
/* Scan each option and push the value to the right cmds stack */
for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
-@@ -203,12 +216,20 @@ int ocspd_load_engine_section ( OCSPD_CO
+@@ -218,12 +231,20 @@
conf->engine_id = strdup(val->value);
syslog( LOG_INFO, "Using Engine '%s'", val->value );
- } else if( strstr( val->name, ENV_OCSPD_ENGINE_PRE ) != NULL ) {
+ } else if( strstr_nocase( val->name, ENV_OCSPD_ENGINE_PRE ) != NULL ) {
+#if OPENSSL_VERSION_NUMBER >= 0x10000000L
+ sk_OPENSSL_STRING_push( conf->pre_cmds, (OPENSSL_STRING)val->value );
+#else
@@ -65,7 +65,7 @@ diff -up openca-ocspd-1.5.1-rc1/src/ocspd_engine.c.openssl openca-ocspd-1.5.1-rc
if( ocspd_conf->verbose )
syslog( LOG_INFO, "Added '%s' to PRE COMMANDS",
val->value );
- } else if ( strstr(val->name, ENV_OCSPD_ENGINE_POST) != NULL) {
+ } else if ( strstr_nocase(val->name, ENV_OCSPD_ENGINE_POST) != NULL) {
+#if OPENSSL_VERSION_NUMBER >= 0x10000000L
+ sk_OPENSSL_STRING_push( conf->post_cmds, (OPENSSL_STRING)val->value );
+#else
diff --git a/openca-ocspd-1.5.1-podsyntax.patch b/ocspd-1.7.0-podsyntax.patch
similarity index 100%
rename from openca-ocspd-1.5.1-podsyntax.patch
rename to ocspd-1.7.0-podsyntax.patch
diff --git a/ocspd-1.7.0-setgroups.patch b/ocspd-1.7.0-setgroups.patch
new file mode 100644
index 0000000..32fec96
--- /dev/null
+++ b/ocspd-1.7.0-setgroups.patch
@@ -0,0 +1,28 @@
+diff -Naur openca-ocspd-1.7.0.orig/configure.in openca-ocspd-1.7.0.new/configure.in
+--- openca-ocspd-1.7.0.orig/configure.in 2013-11-05 11:35:16.362736109 +0100
++++ openca-ocspd-1.7.0.new/configure.in 2013-11-05 12:13:46.949198675 +0100
+@@ -45,6 +45,10 @@
+ [AC_MSG_ERROR([pthread library is needed!])]
+ )
+
++AC_CHECK_FUNC(setgroups,
++ [AC_DEFINE([HAVE_SETGROUPS], 1, [setgroups() function])]
++)
++
+ if test x$arch = xlinux ; then
+ AC_DEFINE(OCSPD_TARGET_LINUX, 1, [Linux])
+ fi
+diff -Naur openca-ocspd-1.7.0.orig/src/support.c openca-ocspd-1.7.0.new/src/support.c
+--- openca-ocspd-1.7.0.orig/src/support.c 2008-11-10 21:14:06.000000000 +0100
++++ openca-ocspd-1.7.0.new/src/support.c 2013-11-05 11:59:56.344162745 +0100
+@@ -275,6 +275,10 @@
+ return 0;
+ }
+
++#ifdef HAVE_SETGROUPS
++ setgroups(1, &gr->gr_gid);
++#endif
++
+ if (setuid (pw->pw_uid) == -1) {
+ syslog(LOG_ERR,"Error setting user %d (%s)",
+ pw->pw_uid, conf->user );
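Review bot: The return value of `setgroups(1, &gr->gr_gid);` is discarded, so when the call fails (it requires CAP_SETGID on Linux) the daemon keeps its inherited supplementary groups and continues as if privileges were fully dropped, while the adjacent setuid() failure is logged. Follow the surrounding pattern: `if (setgroups(1, &gr->gr_gid) == -1) {` `syslog(LOG_ERR, "Error setting supplementary groups (%s)", strerror(errno));` `return 0; }`, assuming `return 0` is the failure convention of the setuid branch whose body ends outside the hunk. support.c also needs `<grp.h>` for the setgroups prototype; the hunk does not show the includes, though the existing `gr->gr_gid` use suggests it is already there. The placement directly before `setuid` is correct only if the setgid call has already happened above the hunk, which is not visible here.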
diff --git a/ocspd-1.7.0-threadinit.patch b/ocspd-1.7.0-threadinit.patch
new file mode 100644
index 0000000..bb71d91
--- /dev/null
+++ b/ocspd-1.7.0-threadinit.patch
@@ -0,0 +1,60 @@
+diff -Naurp openca-ocspd-1.7.0.orig/src/core.c openca-ocspd-1.7.0.new/src/core.c
+--- openca-ocspd-1.7.0.orig/src/core.c 2013-10-29 18:37:12.628234602 +0100
++++ openca-ocspd-1.7.0.new/src/core.c 2013-10-29 18:38:21.917819430 +0100
+@@ -98,15 +98,15 @@ int start_threaded_server ( char * bind_
+ ocspd_conf->iget = ocspd_conf->iput = 0;
+
+ for( i = 0; i < nthreads; i++ ) {
++ /* Initialize the values of clifd[] to -1 */
++ ocspd_conf->clifd[i] = -1;
++
+ if(thread_make(i) != 0 ) {
+ syslog(LOG_ERR,
+ "ERROR::FATAL::Can not create "
+ "thread (%d)\n", i );
+ exit(80);
+ }
+-
+- /* Initialize the values of clifd[] to -1 */
+- ocspd_conf->clifd[i] = -1;
+ }
+
+ /* Register the alarm handler */
+diff -Naurp openca-ocspd-1.7.0.orig/src/threads.c openca-ocspd-1.7.0.new/src/threads.c
+--- openca-ocspd-1.7.0.orig/src/threads.c 2013-10-29 18:37:12.636234669 +0100
++++ openca-ocspd-1.7.0.new/src/threads.c 2013-10-29 19:02:07.337239828 +0100
+@@ -28,8 +28,8 @@ int thread_make ( int i ) {
+ int ret;
+
+ th_ptr = &(ocspd_conf->threads_list[i]);
+- if( (ret=pthread_create( &ocspd_conf->threads_list[i].thread_tid,
+- NULL, thread_main, (void *) &i )) ) {
++ if ((ret = pthread_create(&ocspd_conf->threads_list[i].thread_tid,
++ NULL, thread_main, (void *) (ocspd_conf->clifd + i)))) {
+
+ syslog(LOG_ERR,"ERROR::OPENCA_SRV_ERR_THREAD_CREATE");
+ return(ret);
+@@ -45,12 +45,11 @@ void * thread_main ( void *arg ) {
+ OCSP_RESPONSE *resp = NULL;
+ EVP_PKEY *pkey;
+ ENGINE *engine;
+-
+- int thread_nr = -1;
++ int thread_nr;
+
+ struct sigaction sa;
+
+- thread_nr = *(int *) arg;
++ thread_nr = (int *) arg - ocspd_conf->clifd;
+
+ if ( ocspd_conf->verbose ) {
+ syslog(LOG_INFO, "INFO::OPENCA_SRV_INFO_TREAD::new thread "
+@@ -163,7 +162,7 @@ void * thread_main ( void *arg ) {
+ connfd = ocspd_conf->clifd[thread_nr];
+ // pthread_mutex_unlock( &clifd_mutex );
+
+- if( connfd <= 0 ) {
++ if( connfd < 0 ) {
+ /* If its own spot is not a valid fd, go from the
+ * beginning */
+ if( ocspd_conf->verbose == 1 ) {
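Review bot: The index recovery at `thread_nr = (int *) arg - ocspd_conf->clifd;` is correct but reads as a pointer trick, and nothing in the hunk records why `&i` was abandoned; a comment such as `/* arg points at this thread's clifd[] slot: derive the index from it, because passing &i raced with the spawning loop */` would keep a future cleanup from reintroducing the race. The narrowing from ptrdiff_t to int is safe here since the index is bounded by nthreads, itself an int. The `connfd < 0` change correctly stops treating descriptor 0 as "no connection" and matches the -1 sentinel that is now stored before `thread_make` runs. Both `thread_make` and `thread_main` continue outside the hunk, so the unlocked read of `ocspd_conf->clifd[thread_nr]` beside the commented-out mutex call could not be reviewed in context.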
diff --git a/openca-ocspd-1.5.1-misc.patch b/ocspd-1.9.0-misc.patch
similarity index 79%
rename from openca-ocspd-1.5.1-misc.patch
rename to ocspd-1.9.0-misc.patch
index d6fc50d..2ae5abd 100644
--- a/openca-ocspd-1.5.1-misc.patch
+++ b/ocspd-1.9.0-misc.patch
@@ -1,7 +1,7 @@
-diff -Naur openca-ocspd-1.5.1-rc1.orig/configure.in openca-ocspd-1.5.1-rc1.new/configure.in
---- openca-ocspd-1.5.1-rc1.orig/configure.in 2006-10-13 22:45:29.000000000 +0200
-+++ openca-ocspd-1.5.1-rc1.new/configure.in 2008-07-02 14:31:13.000000000 +0200
-@@ -3,7 +3,7 @@
+diff -Naurp openca-ocspd-1.9.0.orig/configure.in openca-ocspd-1.9.0.new/configure.in
+--- openca-ocspd-1.9.0.orig/configure.in 2009-04-24 21:55:42.000000000 +0200
++++ openca-ocspd-1.9.0.new/configure.in 2013-11-05 13:44:49.150167062 +0100
+@@ -3,7 +3,7 @@ dnl Process this file with autoconf to p
dnl Autoconf boilerplate/
AC_INIT(src/ocspd.c)
@@ -10,23 +10,24 @@ diff -Naur openca-ocspd-1.5.1-rc1.orig/configure.in openca-ocspd-1.5.1-rc1.new/c
AC_CONFIG_AUX_DIR(build)
VERSION=`cat VERSION`
-@@ -11,12 +11,12 @@
- PACKAGE_MAJOR=`cat VERSION`
- PACKAGE_MINOR=1
+@@ -21,12 +21,12 @@ dnl AC_PROG_LIBTOOL
+ dnl fi
--AC_SUBST( PACKAGE_MAJOR )
--AC_SUBST( PACKAGE_MINOR )
-+AC_SUBST(PACKAGE_MAJOR)
-+AC_SUBST(PACKAGE_MINOR)
-
- dnl Automake boilerplate.
- AC_CANONICAL_SYSTEM
+ dnl AC_CANONICAL_SYSTEM
-AM_INIT_AUTOMAKE( $PACKAGE_NAME, $PACKAGE_MAJOR )
+AM_INIT_AUTOMAKE($PACKAGE_NAME, $PACKAGE_MAJOR)
dnl Options.
- #AC_DISABLE_FAST_INSTALL
-@@ -40,9 +40,9 @@
+-#AC_DISABLE_FAST_INSTALL
+-#AC_DISABLE_SHARED
+-#AM_MAINTAINER_MODE
++dnl AC_DISABLE_FAST_INSTALL
++dnl AC_DISABLE_SHARED
++dnl AM_MAINTAINER_MODE
+
+ dnl Select OS specific versions of source files.
+ case "${build_os}" in
+@@ -45,9 +45,9 @@ AM_CONDITIONAL(OCSPD_ARCH_OSX, test x$ar
AM_CONDITIONAL(OCSPD_ARCH_SOLARIS, test x$arch = xsolaris)
AM_CONDITIONAL(OCSPD_ARCH_HPUX, test x$arch = xhpux)
@@ -39,9 +40,9 @@ diff -Naur openca-ocspd-1.5.1-rc1.orig/configure.in openca-ocspd-1.5.1-rc1.new/c
)
if test x$arch = xlinux ; then
-@@ -79,13 +79,6 @@
- AC_PROG_MAKE_SET
- AC_PROG_LN_S
+@@ -106,13 +106,6 @@ fi
+
+ AC_SUBST(DIST_NAME)
-dnl Add libtool support.
-AM_PROG_LIBTOOL
@@ -53,52 +54,7 @@ diff -Naur openca-ocspd-1.5.1-rc1.orig/configure.in openca-ocspd-1.5.1-rc1.new/c
dnl Setup dist stuff
AC_SUBST(ac_aux_dir)
-@@ -93,17 +86,17 @@
- AC_CHECK_LIB(nsl, gethostbyname)
- AC_CHECK_LIB(socket, socket)
- AC_CHECK_LIB(resolv, res_query)
--dnl AC_CHECK_LIB(crypto, SSLeay )
--dnl AC_CHECK_LIB(crypto, ENGINE_init )
--dnl AC_CHECK_LIB(ssl, SSL_version )
--dnl AC_CHECK_LIB(db-4.0, open )
-+dnl AC_CHECK_LIB(crypto, SSLeay)
-+dnl AC_CHECK_LIB(crypto, ENGINE_init)
-+dnl AC_CHECK_LIB(ssl, SSL_version)
-+dnl AC_CHECK_LIB(db-4.0, open)
-
- dnl Check for Pod2Man program
--AC_PATH_PROG( POD2MAN, pod2man,pod2man,
-+AC_PATH_PROG(POD2MAN, pod2man, pod2man,
- $PATH:/sbin:/usr/sbin:/usr/local/sbin)
-
- dnl Check for Pod2Html program
--AC_PATH_PROG( POD2HTML, pod2html,pod2html,
-+AC_PATH_PROG(POD2HTML, pod2html, pod2html,
- $PATH:/sbin:/usr/sbin:/usr/local/sbin)
-
- dnl Check for package and related programs
-@@ -124,16 +117,16 @@
- AC_PATH_PROG(PERL, perl)
- AC_SUBST(PERL)
-
--AC_MSG_RESULT([architecture : ${build_os} ])
-+AC_MSG_RESULT([architecture : ${build_os}])
-
- dnl OpenSSL prefix
--AC_ARG_WITH( openssl-prefix,
-+AC_ARG_WITH(openssl-prefix,
- [ --with-openssl-prefix=DIR openssl prefix directory],
--[ openssl_prefix=$withval ] , [ openssl_prefix= ] )
-+[openssl_prefix=$withval] , [openssl_prefix=])
-
- AC_SUBST(openssl_prefix)
-
--AC_MSG_RESULT([with openssl-prefix : $openssl_prefix ])
-+AC_MSG_RESULT([with openssl-prefix : $openssl_prefix])
-
- if [[ x$openssl_prefix != x ]]; then
- openssl_path=$openssl_prefix/lib
-@@ -142,7 +135,7 @@
+@@ -208,7 +201,7 @@ else
AC_MSG_RESULT([openssl lib dir : $openssl_path (default)])
fi
@@ -107,7 +63,7 @@ diff -Naur openca-ocspd-1.5.1-rc1.orig/configure.in openca-ocspd-1.5.1-rc1.new/c
### Setup for OpenSSL build flags ###
dnl Now we like the version of openssl. Let's construct
-@@ -160,7 +153,7 @@
+@@ -226,7 +219,7 @@ AM_CONDITIONAL(OPENSSL_PREFIX, test x$op
openssl_cflags=[-I${openssl_prefix}/include]
openssl_libs=["-L${openssl_prefix}/lib -L${openssl_prefix} -lssl -lcrypto "]
openssl_setup=yes
@@ -116,7 +72,7 @@ diff -Naur openca-ocspd-1.5.1-rc1.orig/configure.in openca-ocspd-1.5.1-rc1.new/c
dnl Check if the developer has the pkg-config macros
dnl for the autotools on their system
ifdef([PKG_CHECK_MODULES],
-@@ -169,22 +162,20 @@
+@@ -235,22 +228,20 @@ AM_CONDITIONAL(OPENSSL_PREFIX, test x$op
dnl If so, we can check if the target system has
dnl (1) pkg-config support installed as well, and
dnl (2) has openssl 0.9.7 or greater installed
@@ -147,7 +103,7 @@ diff -Naur openca-ocspd-1.5.1-rc1.orig/configure.in openca-ocspd-1.5.1-rc1.new/c
],
[
## Skipping pkg-config macros...
-@@ -192,14 +183,14 @@
+@@ -258,14 +249,14 @@ AM_CONDITIONAL(OPENSSL_PREFIX, test x$op
)dnl End of check using pkg-config...
fi dnl End of prefix block
@@ -166,7 +122,7 @@ diff -Naur openca-ocspd-1.5.1-rc1.orig/configure.in openca-ocspd-1.5.1-rc1.new/c
AC_SUBST(openssl_cflags)
AC_SUBST(openssl_libs)
-@@ -209,28 +200,28 @@
+@@ -275,28 +266,28 @@ dnl Let's check the presence of OCSP ext
dnl AC_OPENSSL_OCSP
dnl Let's check the openssl version
@@ -202,7 +158,7 @@ diff -Naur openca-ocspd-1.5.1-rc1.orig/configure.in openca-ocspd-1.5.1-rc1.new/c
[ --enable-openldap enable openldap support (yes)],
[case "${enableval}" in
yes) openldap=true ;;
-@@ -244,16 +235,16 @@
+@@ -310,16 +301,16 @@ AM_CONDITIONAL(HAVE_OPENLDAP, test x$ope
if [[ x$openldap = xtrue ]]; then
@@ -223,7 +179,7 @@ diff -Naur openca-ocspd-1.5.1-rc1.orig/configure.in openca-ocspd-1.5.1-rc1.new/c
if [[ x$openldap_prefix != x ]]; then
openldap_path=$openldap_prefix/lib
AC_MSG_RESULT([openldap lib dir : $openldap_path])
-@@ -286,31 +277,31 @@
+@@ -352,31 +343,31 @@ if [[ x$openldap = xtrue ]]; then
fi
fi
@@ -264,7 +220,7 @@ diff -Naur openca-ocspd-1.5.1-rc1.orig/configure.in openca-ocspd-1.5.1-rc1.new/c
[ --enable-openssl-engine enable openssl engine support (no)],
[case "${enableval}" in
yes) engine=true ;;
-@@ -326,10 +317,10 @@
+@@ -392,10 +383,10 @@ if [[ x$engine = xtrue ]] ; then
AC_DEFINE(HAVE_ENGINE, [1], [ENGINE support for OpenSSL])
fi
@@ -277,7 +233,7 @@ diff -Naur openca-ocspd-1.5.1-rc1.orig/configure.in openca-ocspd-1.5.1-rc1.new/c
[ --enable-semaphores use semaphores locking method (yes)],
[case "${enableval}" in
yes) sem=true ;;
-@@ -338,7 +329,7 @@
+@@ -404,7 +395,7 @@ AC_ARG_ENABLE( semaphores,
esac], [sem=true])
@@ -286,7 +242,7 @@ diff -Naur openca-ocspd-1.5.1-rc1.orig/configure.in openca-ocspd-1.5.1-rc1.new/c
[ --enable-flock use semaphores locking method (no)],
[case "${enableval}" in
yes) flock=true && sem=false ;;
-@@ -361,10 +352,10 @@
+@@ -427,10 +418,10 @@ AM_CONDITIONAL(HAVE_FLOCK, test x$flock
dnl Debug option
AC_ARG_ENABLE(debug,
[ --enable-debug enable debug messages.],
@@ -300,7 +256,7 @@ diff -Naur openca-ocspd-1.5.1-rc1.orig/configure.in openca-ocspd-1.5.1-rc1.new/c
debug=false ;;
*) AC_MSG_ERROR([bad value ${enableval} for --enable-debug]) ;;
esac], [debug=false])
-@@ -379,17 +370,27 @@
+@@ -445,16 +436,26 @@ if [[ x${prefix} = xNONE ]]; then
prefix="/usr/local";
fi
@@ -326,23 +282,23 @@ diff -Naur openca-ocspd-1.5.1-rc1.orig/configure.in openca-ocspd-1.5.1-rc1.new/c
fi
-AC_MSG_RESULT([with openca-prefix : $openca_prefix ])
--AC_SUBST( openca_prefix )
+AC_MSG_RESULT([with openca-prefix : $openca_prefix])
-+AC_SUBST(openca_prefix)
+ AC_SUBST(openca_prefix)
AC_MSG_RESULT([install prefix : $prefix])
-
-@@ -401,5 +402,5 @@
+@@ -467,7 +468,7 @@ AC_OUTPUT(
etc/Makefile
etc/ocspd
etc/ocspd.conf
+ etc/ocspd.sysconfig
+ contrib/openca-ocspd.xml
+ contrib/openca-ocspd-common.xml
)
-
-diff -Naur openca-ocspd-1.5.1-rc1.orig/docs/ocspd.conf.3.pod openca-ocspd-1.5.1-rc1.new/docs/ocspd.conf.3.pod
---- openca-ocspd-1.5.1-rc1.orig/docs/ocspd.conf.3.pod 2006-10-13 22:32:23.000000000 +0200
-+++ openca-ocspd-1.5.1-rc1.new/docs/ocspd.conf.3.pod 2008-07-02 14:31:13.000000000 +0200
-@@ -68,11 +68,9 @@
+diff -Naurp openca-ocspd-1.9.0.orig/docs/ocspd.conf.3.pod openca-ocspd-1.9.0.new/docs/ocspd.conf.3.pod
+--- openca-ocspd-1.9.0.orig/docs/ocspd.conf.3.pod 2008-02-15 00:24:15.000000000 +0100
++++ openca-ocspd-1.9.0.new/docs/ocspd.conf.3.pod 2013-11-05 13:39:12.715332386 +0100
+@@ -68,11 +68,9 @@ Following is a sample configuration file
[ OCSPD_default ]
@@ -355,7 +311,7 @@ diff -Naur openca-ocspd-1.5.1-rc1.orig/docs/ocspd.conf.3.pod openca-ocspd-1.5.1-
ocspd_certificate = $dir/certs/ocspd_cert.pem
ocspd_key = $dir/private/ocspd_key.pem
pidfile = $dir/ocspd.pid
-@@ -100,7 +98,7 @@
+@@ -100,7 +98,7 @@ Following is a sample configuration file
####################################################################
[ ocsp_response ]
@@ -364,7 +320,7 @@ diff -Naur openca-ocspd-1.5.1-rc1.orig/docs/ocspd.conf.3.pod openca-ocspd-1.5.1-
ocsp_add_response_certs = $dir/certs/chain_certs.pem
ocsp_add_response_keyid = yes
next_update_days = 0
-@@ -127,7 +125,7 @@
+@@ -127,7 +125,7 @@ Following is a sample configuration file
# http is used)
#
# You can have the CRLs/CA certificates on a simple file
@@ -373,7 +329,7 @@ diff -Naur openca-ocspd-1.5.1-rc1.orig/docs/ocspd.conf.3.pod openca-ocspd-1.5.1-
#
# You can retrieve the CRLs/CA certificates from a web server
# crl_urt = http://server/ca/cacert.der
-@@ -151,7 +149,7 @@
+@@ -151,7 +149,7 @@ Following is a sample configuration file
[ dbms_file ]
# You can have the CRL on a simple file in PEM format
@@ -382,7 +338,7 @@ diff -Naur openca-ocspd-1.5.1-rc1.orig/docs/ocspd.conf.3.pod openca-ocspd-1.5.1-
[ HSM ]
# Hardware accelerators support via the ENGINE interface
-@@ -173,21 +171,10 @@
+@@ -173,21 +171,10 @@ line options too ( see L<ocspd(3)>).
specifies the directory where everything is kept.
@@ -404,7 +360,7 @@ diff -Naur openca-ocspd-1.5.1-rc1.orig/docs/ocspd.conf.3.pod openca-ocspd-1.5.1-
=item B<ocspd_certificate>
path to the certificate to be used by the responder.
-@@ -234,6 +221,13 @@
+@@ -234,6 +221,13 @@ From version 1.5+ the server is not pre-
a pre-threaded one. In order to run the server needs support
for POSIX1.c as found in most modern UNiX systems.
@@ -418,7 +374,7 @@ diff -Naur openca-ocspd-1.5.1-rc1.orig/docs/ocspd.conf.3.pod openca-ocspd-1.5.1-
=item B<chroot_dir>
Chroot the application into the specified directory, watch
-@@ -296,7 +290,7 @@
+@@ -296,7 +290,7 @@ the days+mins.
specifies the URI where the CA certificate (which identifies the
single CA) is located. Three different protocols are implemented
( file:// http:// or ldap:// ). If file is chosen, then the parameter
@@ -427,7 +383,7 @@ diff -Naur openca-ocspd-1.5.1-rc1.orig/docs/ocspd.conf.3.pod openca-ocspd-1.5.1-
If ldap or http is chosen, you can specify the address, and the port
of the server where to connect to (i.e. ldap://server.addr:port).
-@@ -306,7 +300,7 @@
+@@ -306,7 +300,7 @@ specifies the URI where the CRL (list of
actually used for building responses) is located. Three different
protocols are actually implemented ( file:// http:// or ldap:// ).
If file is chosen, then the parameter should have the path to the
@@ -436,9 +392,9 @@ diff -Naur openca-ocspd-1.5.1-rc1.orig/docs/ocspd.conf.3.pod openca-ocspd-1.5.1-
is chosen, you can specify the address, and the port of the
server where to connect to (i.e. ldap://server.addr:port).
-diff -Naur openca-ocspd-1.5.1-rc1.orig/etc/Makefile.am openca-ocspd-1.5.1-rc1.new/etc/Makefile.am
---- openca-ocspd-1.5.1-rc1.orig/etc/Makefile.am 2006-09-18 16:28:41.000000000 +0200
-+++ openca-ocspd-1.5.1-rc1.new/etc/Makefile.am 2008-07-02 14:31:13.000000000 +0200
+diff -Naurp openca-ocspd-1.9.0.orig/etc/Makefile.am openca-ocspd-1.9.0.new/etc/Makefile.am
+--- openca-ocspd-1.9.0.orig/etc/Makefile.am 2008-02-15 00:24:15.000000000 +0100
++++ openca-ocspd-1.9.0.new/etc/Makefile.am 2013-11-05 13:39:12.715332386 +0100
@@ -2,20 +2,23 @@
CHMOD = @CHMOD@
@@ -473,10 +429,10 @@ diff -Naur openca-ocspd-1.5.1-rc1.orig/etc/Makefile.am openca-ocspd-1.5.1-rc1.ne
+ $(INSTALL_DATA) ocspd $(DESTDIR)$(sysconfdir)/rc.d/init.d ; \
+ $(CHMOD) +x $(DESTDIR)$(sysconfdir)/rc.d/init.d/ocspd; \
+ $(INSTALL_DATA) ocspd.sysconfig $(DESTDIR)$(sysconfdir)/sysconfig/ocspd
-diff -Naur openca-ocspd-1.5.1-rc1.orig/etc/ocspd.conf.in openca-ocspd-1.5.1-rc1.new/etc/ocspd.conf.in
---- openca-ocspd-1.5.1-rc1.orig/etc/ocspd.conf.in 2006-10-21 18:35:59.000000000 +0200
-+++ openca-ocspd-1.5.1-rc1.new/etc/ocspd.conf.in 2008-07-02 14:31:13.000000000 +0200
-@@ -8,14 +8,12 @@
+diff -Naurp openca-ocspd-1.9.0.orig/etc/ocspd.conf.in openca-ocspd-1.9.0.new/etc/ocspd.conf.in
+--- openca-ocspd-1.9.0.orig/etc/ocspd.conf.in 2008-02-15 00:24:15.000000000 +0100
++++ openca-ocspd-1.9.0.new/etc/ocspd.conf.in 2013-11-05 13:39:12.715332386 +0100
+@@ -8,14 +8,12 @@ default_ocspd = OCSPD_default # The def
####################################################################
[ OCSPD_default ]
@@ -493,7 +449,7 @@ diff -Naur openca-ocspd-1.5.1-rc1.orig/etc/ocspd.conf.in openca-ocspd-1.5.1-rc1.
# User and Group the server will run as. It is a good idea
# not having servers running as root: in case of errors in
-@@ -41,6 +39,10 @@
+@@ -41,6 +39,10 @@ max_req_size = 8192
# and processors.
threads_num = 150
@@ -504,7 +460,7 @@ diff -Naur openca-ocspd-1.5.1-rc1.orig/etc/ocspd.conf.in openca-ocspd-1.5.1-rc1.
# Max timeout for request receiving. If a request is not received
# within the specified number of seconds then the socket is closed
# in order to free unused threads. If not set, the default value
-@@ -56,7 +58,7 @@
+@@ -61,7 +63,7 @@ http_proto = 1.1
# error will be written in the logfile, but the server will
# continue to run assuming the chroot() is sufficiently isolated
# to prevent abuse of the machine.
@@ -513,7 +469,7 @@ diff -Naur openca-ocspd-1.5.1-rc1.orig/etc/ocspd.conf.in openca-ocspd-1.5.1-rc1.
# Auto Reload interval of CRL (if set to 0 or not present, to
# reload the CRL you'll need to send a SIGHUP (kill -1 <pid>)
-@@ -75,7 +77,7 @@
+@@ -80,7 +82,7 @@ crl_check_validity = 600
# Reload CRL if the one loaded is expired. Set this parameter
# only if you are sure that the new CRL will be issued and put
# in the crl_url.
@@ -522,7 +478,7 @@ diff -Naur openca-ocspd-1.5.1-rc1.orig/etc/ocspd.conf.in openca-ocspd-1.5.1-rc1.
# Specifies the response section to load the server options
# from
-@@ -84,10 +86,10 @@
+@@ -89,10 +91,10 @@ response = ocsp_response
# It specifies the section to be used where options about where
# CRL and certificates are kept.
#
@@ -535,7 +491,7 @@ diff -Naur openca-ocspd-1.5.1-rc1.orig/etc/ocspd.conf.in openca-ocspd-1.5.1-rc1.
dbms = dbms_file
# Enables the ENGINE interface for the server. If set to off then
-@@ -103,7 +105,7 @@
+@@ -108,7 +110,7 @@ dbms = dbms_file
####################################################################
[ ocsp_response ]
@@ -544,7 +500,7 @@ diff -Naur openca-ocspd-1.5.1-rc1.orig/etc/ocspd.conf.in openca-ocspd-1.5.1-rc1.
# It is possible to include additional certificates in given
# responses. Put all the certificates you want to include in
-@@ -140,7 +142,7 @@
+@@ -145,7 +147,7 @@ next_update_mins = 5
[ ldap_ca_1 ]
# You can have the CRL on a simple file
@@ -553,7 +509,16 @@ diff -Naur openca-ocspd-1.5.1-rc1.orig/etc/ocspd.conf.in openca-ocspd-1.5.1-rc1.
# You can have the CRL retrieved from an HTTP server
# crl_url = http://[user[:pwd]@]server[:port]/path_to_crl
-@@ -196,19 +198,19 @@
+@@ -189,7 +191,7 @@ crl_entry_attribute = "certificateRevoca
+ ca_entry_dn = "o=Organisation, c=IT"
+
+ # Server Certificate to attach to the response
+-server_cert = file:///@prefix@/etc/ocspd/certs/ocspd_cert.pem
++server_cert = file://@sysconfdirvalue@/ocspd/certs/ocspd_cert.pem
+
+ ####################################################################
+ [ dbms_file ]
+@@ -203,25 +205,25 @@ server_cert = file:///@prefix@/etc/ocspd
[ first_ca ]
# You can have the CRL on a simple file in PEM format
@@ -564,6 +529,10 @@ diff -Naur openca-ocspd-1.5.1-rc1.orig/etc/ocspd.conf.in openca-ocspd-1.5.1-rc1.
-ca_url = file:///@prefix@/etc/ocspd/certs/1st_cacert.pem
+ca_url = file://@sysconfdirvalue@/ocspd/certs/1st_cacert.pem
+ # Server Certificate to attach to the response
+-server_cert = file:///@prefix@/etc/ocspd/certs/ocspd_cert.pem
++server_cert = file://@sysconfdirvalue@/ocspd/certs/ocspd_cert.pem
+
####################################################################
[ second_ca ]
@@ -575,11 +544,15 @@ diff -Naur openca-ocspd-1.5.1-rc1.orig/etc/ocspd.conf.in openca-ocspd-1.5.1-rc1.
-ca_url = file:///@prefix@/etc/ocspd/certs/2nd_cacert.pem
+ca_url = file://@sysconfdirvalue@/ocspd/certs/2nd_cacert.pem
+ # Server Certificate to attach to the response
+-server_cert = file:///@prefix@/etc/ocspd/certs/ocspd_cert.pem
++server_cert = file://@sysconfdirvalue@/ocspd/certs/ocspd_cert.pem
+
####################################################################
[ HSM ]
-diff -Naur openca-ocspd-1.5.1-rc1.orig/etc/ocspd.in openca-ocspd-1.5.1-rc1.new/etc/ocspd.in
---- openca-ocspd-1.5.1-rc1.orig/etc/ocspd.in 2006-10-15 17:11:45.000000000 +0200
-+++ openca-ocspd-1.5.1-rc1.new/etc/ocspd.in 2008-07-02 15:31:57.000000000 +0200
+diff -Naurp openca-ocspd-1.9.0.orig/etc/ocspd.in openca-ocspd-1.9.0.new/etc/ocspd.in
+--- openca-ocspd-1.9.0.orig/etc/ocspd.in 2008-02-15 00:24:15.000000000 +0100
++++ openca-ocspd-1.9.0.new/etc/ocspd.in 2013-11-05 13:39:12.716332395 +0100
@@ -1,90 +1,94 @@
#!/bin/sh
#
@@ -741,9 +714,9 @@ diff -Naur openca-ocspd-1.5.1-rc1.orig/etc/ocspd.in openca-ocspd-1.5.1-rc1.new/e
-exit 0
+exit $RETVAL
-diff -Naur openca-ocspd-1.5.1-rc1.orig/etc/ocspd.sysconfig.in openca-ocspd-1.5.1-rc1.new/etc/ocspd.sysconfig.in
---- openca-ocspd-1.5.1-rc1.orig/etc/ocspd.sysconfig.in 1970-01-01 01:00:00.000000000 +0100
-+++ openca-ocspd-1.5.1-rc1.new/etc/ocspd.sysconfig.in 2008-07-02 14:31:13.000000000 +0200
+diff -Naurp openca-ocspd-1.9.0.orig/etc/ocspd.sysconfig.in openca-ocspd-1.9.0.new/etc/ocspd.sysconfig.in
+--- openca-ocspd-1.9.0.orig/etc/ocspd.sysconfig.in 1970-01-01 01:00:00.000000000 +0100
++++ openca-ocspd-1.9.0.new/etc/ocspd.sysconfig.in 2013-11-05 13:39:12.716332395 +0100
@@ -0,0 +1,8 @@
+# Name of daemon program.
+#OCSPD=@sbindirvalue@/ocspd
@@ -753,15 +726,15 @@ diff -Naur openca-ocspd-1.5.1-rc1.orig/etc/ocspd.sysconfig.in openca-ocspd-1.5.1
+
+# Additional command line options.
+#OPTIONS=""
-diff -Naur openca-ocspd-1.5.1-rc1.orig/examples/index.txt openca-ocspd-1.5.1-rc1.new/examples/index.txt
---- openca-ocspd-1.5.1-rc1.orig/examples/index.txt 2006-09-18 16:28:39.000000000 +0200
-+++ openca-ocspd-1.5.1-rc1.new/examples/index.txt 1970-01-01 01:00:00.000000000 +0100
+diff -Naurp openca-ocspd-1.9.0.orig/examples/index.txt openca-ocspd-1.9.0.new/examples/index.txt
+--- openca-ocspd-1.9.0.orig/examples/index.txt 2008-02-15 00:24:15.000000000 +0100
++++ openca-ocspd-1.9.0.new/examples/index.txt 1970-01-01 01:00:00.000000000 +0100
@@ -1 +0,0 @@
-V 020610093819Z 01 unknown /Email=chiarap at excite.com/CN=Chiara Ponz de Leon/OU=Building A/O=OpenCA/C=IT
-diff -Naur openca-ocspd-1.5.1-rc1.orig/examples/ocspd.conf openca-ocspd-1.5.1-rc1.new/examples/ocspd.conf
---- openca-ocspd-1.5.1-rc1.orig/examples/ocspd.conf 2006-09-18 16:28:39.000000000 +0200
-+++ openca-ocspd-1.5.1-rc1.new/examples/ocspd.conf 2008-07-02 14:31:13.000000000 +0200
-@@ -8,11 +8,9 @@
+diff -Naurp openca-ocspd-1.9.0.orig/examples/ocspd.conf openca-ocspd-1.9.0.new/examples/ocspd.conf
+--- openca-ocspd-1.9.0.orig/examples/ocspd.conf 2008-02-15 00:24:15.000000000 +0100
++++ openca-ocspd-1.9.0.new/examples/ocspd.conf 2013-11-05 13:39:12.716332395 +0100
+@@ -8,11 +8,9 @@ default_ocspd = OCSPD_default # The def
####################################################################
[ OCSPD_default ]
@@ -774,7 +747,7 @@ diff -Naur openca-ocspd-1.5.1-rc1.orig/examples/ocspd.conf openca-ocspd-1.5.1-rc
ocspd_certificate = $dir/certs/ocspd_cert_2.pem # The OCSP server cert
ocspd_key = $dir/private/ocspd_key.pem # The OCSP server key
pidfile = $dir/ocspd.pid # Main process pid
-@@ -81,7 +79,7 @@
+@@ -81,7 +79,7 @@ dbms = dbms_file
####################################################################
[ ocsp_response ]
@@ -783,7 +756,7 @@ diff -Naur openca-ocspd-1.5.1-rc1.orig/examples/ocspd.conf openca-ocspd-1.5.1-rc
# It is possible to include additional certificates in given
# responses. Put all the certificates you want to include in
-@@ -113,7 +111,7 @@
+@@ -113,7 +111,7 @@ next_update_mins = 5
[ ldap_ca_1 ]
# You can have the CRL on a simple file
@@ -792,7 +765,7 @@ diff -Naur openca-ocspd-1.5.1-rc1.orig/examples/ocspd.conf openca-ocspd-1.5.1-rc
# You can store the CRL into an LDAP server, simply
# store it in certificateRevocationList;binary attribute
-@@ -166,20 +164,20 @@
+@@ -166,20 +164,20 @@ ca_entry_dn = "o=Organisation, c=IT"
[ first_ca ]
# You can have the CRL on a simple file in PEM format
@@ -818,21 +791,21 @@ diff -Naur openca-ocspd-1.5.1-rc1.orig/examples/ocspd.conf openca-ocspd-1.5.1-rc
####################################################################
[ HSM ]
-diff -Naur openca-ocspd-1.5.1-rc1.orig/src/core.c openca-ocspd-1.5.1-rc1.new/src/core.c
---- openca-ocspd-1.5.1-rc1.orig/src/core.c 2006-10-21 16:50:32.000000000 +0200
-+++ openca-ocspd-1.5.1-rc1.new/src/core.c 2008-07-02 14:31:13.000000000 +0200
-@@ -18,8 +18,8 @@
- pthread_cond_t clifd_cond;
+diff -Naurp openca-ocspd-1.9.0.orig/src/core.c openca-ocspd-1.9.0.new/src/core.c
+--- openca-ocspd-1.9.0.orig/src/core.c 2009-06-08 19:24:05.000000000 +0200
++++ openca-ocspd-1.9.0.new/src/core.c 2013-11-05 13:39:12.716332395 +0100
+@@ -36,8 +36,8 @@ void handle_sigabrt ( int i );
+ /* Function Bodies */
-int start_threaded_server ( char * bind_s, char * port_s, int nthreads,
- OCSPD_CONFIG * ocspd_conf ) {
+int start_threaded_server ( char * bind_s, char * port_s, int queue_len,
+ int nthreads, OCSPD_CONFIG * ocspd_conf ) {
int i;
+ int cycle = -1;
- struct sockaddr_in cliaddr;
-@@ -36,7 +36,8 @@
+@@ -55,7 +55,8 @@ int start_threaded_server ( char * bind_
exit(68);
}
@@ -842,9 +815,9 @@ diff -Naur openca-ocspd-1.5.1-rc1.orig/src/core.c openca-ocspd-1.5.1-rc1.new/src
syslog(LOG_ERR, "ERROR::BIND::Can not bind to [%s],[%d]",
bind_s, atoi(port_s));
exit(101);
-diff -Naur openca-ocspd-1.5.1-rc1.orig/src/core.h openca-ocspd-1.5.1-rc1.new/src/core.h
---- openca-ocspd-1.5.1-rc1.orig/src/core.h 2006-10-14 13:37:32.000000000 +0200
-+++ openca-ocspd-1.5.1-rc1.new/src/core.h 2008-07-02 14:31:13.000000000 +0200
+diff -Naurp openca-ocspd-1.9.0.orig/src/core.h openca-ocspd-1.9.0.new/src/core.h
+--- openca-ocspd-1.9.0.orig/src/core.h 2009-06-08 19:24:05.000000000 +0200
++++ openca-ocspd-1.9.0.new/src/core.h 2013-11-05 13:39:12.716332395 +0100
@@ -16,8 +16,8 @@
#include "general.h"
#include "ocsp_request.h"
@@ -856,10 +829,10 @@ diff -Naur openca-ocspd-1.5.1-rc1.orig/src/core.h openca-ocspd-1.5.1-rc1.new/src
int set_alrm_handler( void );
void close_server ( void );
void handle_sigterm ( int i );
-diff -Naur openca-ocspd-1.5.1-rc1.orig/src/general.h openca-ocspd-1.5.1-rc1.new/src/general.h
---- openca-ocspd-1.5.1-rc1.orig/src/general.h 2006-10-21 14:53:55.000000000 +0200
-+++ openca-ocspd-1.5.1-rc1.new/src/general.h 2008-07-02 14:31:13.000000000 +0200
-@@ -83,24 +83,14 @@
+diff -Naurp openca-ocspd-1.9.0.orig/src/general.h openca-ocspd-1.9.0.new/src/general.h
+--- openca-ocspd-1.9.0.orig/src/general.h 2009-06-08 19:25:19.000000000 +0200
++++ openca-ocspd-1.9.0.new/src/general.h 2013-11-05 13:39:12.716332395 +0100
+@@ -85,24 +85,14 @@ char *strchr (), *strrchr ();
#include <openssl/ocsp.h>
@@ -884,7 +857,7 @@ diff -Naur openca-ocspd-1.5.1-rc1.orig/src/general.h openca-ocspd-1.5.1-rc1.new/
#define ENV_OCSPD_PORT "port"
#define ENV_OCSPD_BIND "bind"
#define ENV_OCSPD_CHILD "threads_num"
-@@ -142,20 +132,6 @@
+@@ -146,20 +136,6 @@ char *strchr (), *strrchr ();
#define OCSP_REQ_CONTENT_TYPE "application/ocsp-request"
#define OCSP_RESP_CONTENT_TYPE "application/ocsp-response"
@@ -905,10 +878,10 @@ diff -Naur openca-ocspd-1.5.1-rc1.orig/src/general.h openca-ocspd-1.5.1-rc1.new/
#define FORMAT_UNDEF 0
#define FORMAT_ASN1 1
#define FORMAT_TEXT 2
-diff -Naur openca-ocspd-1.5.1-rc1.orig/src/ocspd.c openca-ocspd-1.5.1-rc1.new/src/ocspd.c
---- openca-ocspd-1.5.1-rc1.orig/src/ocspd.c 2006-10-21 14:58:10.000000000 +0200
-+++ openca-ocspd-1.5.1-rc1.new/src/ocspd.c 2008-07-02 14:31:13.000000000 +0200
-@@ -71,7 +71,8 @@
+diff -Naurp openca-ocspd-1.9.0.orig/src/ocspd.c openca-ocspd-1.9.0.new/src/ocspd.c
+--- openca-ocspd-1.9.0.orig/src/ocspd.c 2009-06-08 19:24:05.000000000 +0200
++++ openca-ocspd-1.9.0.new/src/ocspd.c 2013-11-05 13:39:12.717332408 +0100
+@@ -72,7 +72,8 @@ static char *ocspd_usage[] = {
NULL
};
@@ -918,7 +891,7 @@ diff -Naur openca-ocspd-1.5.1-rc1.orig/src/ocspd.c openca-ocspd-1.5.1-rc1.new/sr
char *prgname = "ocspd";
char *version = VERSION;
-@@ -91,6 +92,7 @@
+@@ -94,6 +95,7 @@ int main ( int argc, char *argv[] ) {
char *max_timeout_s = NULL;
int child_num = 5;
@@ -926,15 +899,15 @@ diff -Naur openca-ocspd-1.5.1-rc1.orig/src/ocspd.c openca-ocspd-1.5.1-rc1.new/sr
int verbose = 0;
int debug = 0;
-@@ -103,7 +105,6 @@
- char *keyfile = NULL;
+@@ -106,7 +108,6 @@ int main ( int argc, char *argv[] ) {
+ // char *keyfile = NULL;
char *configfile = NULL;
char *cert = NULL;
- char *cacert = NULL;
char **pp = NULL;
char *key = NULL;
char *passargin = NULL;
-@@ -387,36 +388,6 @@
+@@ -448,36 +449,6 @@ bad:
}
/*****************************************************************/
@@ -971,7 +944,7 @@ diff -Naur openca-ocspd-1.5.1-rc1.orig/src/ocspd.c openca-ocspd-1.5.1-rc1.new/sr
/* Let's get the digest */
if ((ocsp_digest_name == NULL) &&
((ocsp_digest_name=NCONF_get_string(ocspd_conf->conf,section,
-@@ -452,6 +423,15 @@
+@@ -513,6 +484,15 @@ bad:
bind_s = "0.0.0.0";
}
@@ -987,19 +960,19 @@ diff -Naur openca-ocspd-1.5.1-rc1.orig/src/ocspd.c openca-ocspd-1.5.1-rc1.new/sr
/* Number of child threads to be spawned */
if ((child_s == NULL) && ((child_s = NCONF_get_string(ocspd_conf->conf,
section, ENV_OCSPD_CHILD)) == NULL)) {
-@@ -682,7 +662,7 @@
+@@ -751,7 +731,7 @@ bad:
+ writePid( ppid, pidfile );
}
- // CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
- start_threaded_server( bind_s, port_s, child_num, ocspd_conf );
+ start_threaded_server(bind_s, port_s, queue_len, child_num, ocspd_conf);
goto end;
-diff -Naur openca-ocspd-1.5.1-rc1.orig/src/sock.c openca-ocspd-1.5.1-rc1.new/src/sock.c
---- openca-ocspd-1.5.1-rc1.orig/src/sock.c 2006-10-14 13:26:00.000000000 +0200
-+++ openca-ocspd-1.5.1-rc1.new/src/sock.c 2008-07-02 14:31:13.000000000 +0200
-@@ -18,12 +18,11 @@
+diff -Naurp openca-ocspd-1.9.0.orig/src/sock.c openca-ocspd-1.9.0.new/src/sock.c
+--- openca-ocspd-1.9.0.orig/src/sock.c 2009-06-08 19:24:05.000000000 +0200
++++ openca-ocspd-1.9.0.new/src/sock.c 2013-11-05 13:39:12.717332408 +0100
+@@ -20,12 +20,11 @@
#include "sock.h"
#define SERV_PORT 4567
@@ -1013,7 +986,7 @@ diff -Naur openca-ocspd-1.5.1-rc1.orig/src/sock.c openca-ocspd-1.5.1-rc1.new/src
int fd, reuse_addr;
struct sockaddr_in servaddr;
struct hostent *ht = NULL;
-@@ -79,7 +78,7 @@
+@@ -81,7 +80,7 @@ int Listen (char *hostname, int port) {
return(0);
};
@@ -1022,9 +995,9 @@ diff -Naur openca-ocspd-1.5.1-rc1.orig/src/sock.c openca-ocspd-1.5.1-rc1.new/src
syslog(LOG_ERR, "FATAL ERROR::Listen::%s",
strerror( errno ));
return(0);
-diff -Naur openca-ocspd-1.5.1-rc1.orig/src/sock.h openca-ocspd-1.5.1-rc1.new/src/sock.h
---- openca-ocspd-1.5.1-rc1.orig/src/sock.h 2006-10-13 17:06:00.000000000 +0200
-+++ openca-ocspd-1.5.1-rc1.new/src/sock.h 2008-07-02 14:31:13.000000000 +0200
+diff -Naurp openca-ocspd-1.9.0.orig/src/sock.h openca-ocspd-1.9.0.new/src/sock.h
+--- openca-ocspd-1.9.0.orig/src/sock.h 2009-06-08 19:24:05.000000000 +0200
++++ openca-ocspd-1.9.0.new/src/sock.h 2013-11-05 13:39:12.717332408 +0100
@@ -8,7 +8,7 @@
/* Socket Wrapping functions */
diff --git a/ocspd.service b/ocspd.service
index 8ac9c06..cac6d14 100644
--- a/ocspd.service
+++ b/ocspd.service
@@ -6,7 +6,7 @@ After=syslog.target network.target
Type=forking
PIDFile=/var/run/ocspd.pid
EnvironmentFile=-/etc/sysconfig/ocspd
-ExecStart=/usr/sbin/ocspd -d -c /etc/ocspd/ocspd.conf
+ExecStart=/usr/sbin/ocspd -d -c /etc/ocspd/ocspd.conf $OPTIONS
[Install]
WantedBy=multi-user.target
diff --git a/ocspd.spec b/ocspd.spec
index 32dee53..3b0d1b2 100644
--- a/ocspd.spec
+++ b/ocspd.spec
@@ -1,21 +1,25 @@
-%define alphatag rc1
-%define revision %{?alphatag:-}%{alphatag}
+# % global alphatag rc1
+%global revision %{?alphatag:-}%{?alphatag}
Name: ocspd
-Version: 1.5.1
-Release: 0.13.%{alphatag}%{?dist}
+Version: 1.9.0
+Release: 1%{?alphatag:.}%{?alphatag}%{?dist}
Summary: OpenCA OCSP Daemon
License: ASL 1.0
Group: System Environment/Daemons
Source: http://downloads.sourceforge.net/openca/openca-ocspd-%{version}%{revision}.tar.gz
Source1: ocspd.service
-Patch1: openca-ocspd-1.5.1-bufresponse.patch
-Patch2: openca-ocspd-1.5.1-misc.patch
-Patch3: openca-ocspd-1.5.1-badcomment.patch
-Patch4: openca-ocspd-1.5.1-openssl.patch
-Patch5: openca-ocspd-1.5.1-podsyntax.patch
-Patch6: openca-ocspd-1.5.1-badalgorcast.patch
+Patch1: ocspd-1.7.0-bufresponse.patch
+Patch2: ocspd-1.9.0-misc.patch
+Patch3: ocspd-1.7.0-openssl.patch
+Patch4: ocspd-1.7.0-podsyntax.patch
+Patch5: ocspd-1.7.0-badalgorcast.patch
+Patch6: ocspd-1.7.0-badcasts.patch
+Patch7: ocspd-1.7.0-deprecldap.patch
+Patch8: ocspd-1.7.0-threadinit.patch
+Patch9: ocspd-1.7.0-config.patch
+Patch10: ocspd-1.7.0-setgroups.patch
URL: http://www.openca.org/projects/ocspd
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
Obsoletes: openca-ocspd <= %{version}-%{release}
@@ -25,6 +29,10 @@ BuildRequires: openssl-devel
BuildRequires: openldap-devel
BuildRequires: automake autoconf
+%if 0%{?fedora} > 18
+BuildRequires: perl-podlators
+%endif
+
%if 0%{?fedora} >= 16
Requires(post): systemd
Requires(post): systemd-sysv
@@ -50,10 +58,14 @@ Mozilla/Firefox/Thunderbird/Apache).
%setup -q -n openca-ocspd-%{version}%{revision}
%patch1 -p1 -b .bufresponse
%patch2 -p1 -b .misc
-%patch3 -p1 -b .badcomment
-%patch4 -p1 -b .openssl
-%patch5 -p1 -b .podsyntax
-%patch6 -p1 -b .badalgorcast
+%patch3 -p1 -b .openssl
+%patch4 -p1 -b .podsyntax
+%patch5 -p1 -b .badalgorcast
+%patch6 -p1 -b .badcasts
+%patch7 -p1 -b .deprecldap
+%patch8 -p1 -b .threadinit
+%patch9 -p1 -b .config
+%patch10 -p1 -b .setgroups
#-------------------------------------------------------------------------------
@@ -64,7 +76,7 @@ Mozilla/Firefox/Thunderbird/Apache).
aclocal
autoheader
-automake
+automake --add-missing
autoconf
@@ -91,7 +103,7 @@ make DESTDIR="${RPM_BUILD_ROOT}" install
rm -rf "${RPM_BUILD_ROOT}%{_initrddir}"
-# Install systemd init script.
+# Install systemd service script.
mkdir -p "${RPM_BUILD_ROOT}%{_unitdir}/"
cp -a "%{SOURCE1}" "${RPM_BUILD_ROOT}%{_unitdir}/"
@@ -212,6 +224,9 @@ fi
%changelog
#-------------------------------------------------------------------------------
+* Tue Nov 5 2013 Patrick Monnerat <pm at datasphere.ch> 1.9.0-1
+- New upstream release.
+
* Mon Jan 21 2013 Patrick Monnerat <pm at datasphere.ch> 1.5.1-0.13.rc1
- Patch "podsyntax" to fix man page pod syntax.
- Patch "badalgorcast" to fix a bad X509_ALGOR cast.
diff --git a/sources b/sources
index b5b3720..4cfba32 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-79e6ba80ccd7daa9212c03ca951f7d15 openca-ocspd-1.5.1-rc1.tar.gz
+5fcd184fab22f9dc333d1971e18a488a openca-ocspd-1.9.0.tar.gz