nmav pushed to ocserv (epel7). "made detection of gnutls capabilities dynamic"
notifications at fedoraproject.org
notifications at fedoraproject.org
Tue Mar 31 11:45:27 UTC 2015
>From abbf86337ce6b87e0dc9e58c1ec456faa437ba0a Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos <nmav at redhat.com>
Date: Tue, 31 Mar 2015 13:45:11 +0200
Subject: made detection of gnutls capabilities dynamic
diff --git a/ocserv-0.10.2-dynamic.patch b/ocserv-0.10.2-dynamic.patch
new file mode 100644
index 0000000..032a2d3
--- /dev/null
+++ b/ocserv-0.10.2-dynamic.patch
@@ -0,0 +1,89 @@
+diff --git a/src/tlslib.c b/src/tlslib.c
+index 86a2413..1aabd9f 100644
+--- a/src/tlslib.c
++++ b/src/tlslib.c
+@@ -828,6 +828,7 @@ unsigned i;
+ return retval;
+ }
+
++
+ size_t tls_get_overhead(gnutls_protocol_t version, gnutls_cipher_algorithm_t cipher, gnutls_mac_algorithm_t mac)
+ {
+ #if GNUTLS_VERSION_NUMBER >= 0x030207
+@@ -840,9 +841,7 @@ unsigned block_size;
+ switch(version) {
+ case GNUTLS_DTLS0_9:
+ case GNUTLS_DTLS1_0:
+-#if GNUTLS_VERSION_NUMBER >= 0x030200
+ case GNUTLS_DTLS1_2:
+-#endif
+ overhead += 13;
+ break;
+ default:
+diff --git a/src/tlslib.h b/src/tlslib.h
+index 7fc71af..8c20150 100644
+--- a/src/tlslib.h
++++ b/src/tlslib.h
+@@ -27,6 +27,10 @@
+ #include <ccan/htable/htable.h>
+ #include <errno.h>
+
++# if GNUTLS_VERSION_NUMBER < 0x030200
++# define GNUTLS_DTLS1_2 202
++# endif
++
+ typedef struct
+ {
+ struct htable *ht;
+diff --git a/src/worker-http.c b/src/worker-http.c
+index e7161e2..b8de179 100644
+--- a/src/worker-http.c
++++ b/src/worker-http.c
+@@ -76,7 +76,6 @@ const static struct known_urls_st known_urls[] = {
+ * HTTP headers (WTF), and the compression negotiation.
+ */
+ static const dtls_ciphersuite_st ciphersuites[] = {
+-#if GNUTLS_VERSION_NUMBER >= 0x030207
+ {
+ .oc_name = CS_AES128_GCM,
+ .gnutls_name =
+@@ -84,6 +83,7 @@ static const dtls_ciphersuite_st ciphersuites[] = {
+ .gnutls_version = GNUTLS_DTLS1_2,
+ .gnutls_mac = GNUTLS_MAC_AEAD,
+ .gnutls_cipher = GNUTLS_CIPHER_AES_128_GCM,
++ .txt_version = "3.2.7",
+ .server_prio = 90},
+ {
+ .oc_name = CS_AES256_GCM,
+@@ -93,8 +93,8 @@ static const dtls_ciphersuite_st ciphersuites[] = {
+ .gnutls_mac = GNUTLS_MAC_AEAD,
+ .gnutls_cipher = GNUTLS_CIPHER_AES_256_GCM,
+ .server_prio = 80,
++ .txt_version = "3.2.7",
+ },
+-#endif
+ {
+ .oc_name = "AES128-SHA",
+ .gnutls_name =
+@@ -256,6 +256,9 @@ void header_value_check(struct worker_st *ws, struct http_req_st *req)
+ i < sizeof(ciphersuites) / sizeof(ciphersuites[0]);
+ i++) {
+ if (strcmp(token, ciphersuites[i].oc_name) == 0) {
++ if (ciphersuites[i].txt_version != NULL && gnutls_check_version(ciphersuites[i].txt_version) == NULL)
++ continue; /* not supported */
++
+ if (cand == NULL ||
+ cand->server_prio <
+ ciphersuites[i].server_prio) {
+diff --git a/src/worker.h b/src/worker.h
+index 9584532..d4f31f4 100644
+--- a/src/worker.h
++++ b/src/worker.h
+@@ -102,6 +102,7 @@ typedef struct dtls_ciphersuite_st {
+ unsigned gnutls_cipher;
+ unsigned gnutls_mac;
+ unsigned gnutls_version;
++ const char *txt_version;
+ } dtls_ciphersuite_st;
+
+ #ifdef HAVE_GSSAPI
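Review bot: In the embedded src/tlslib.h hunk, `# if GNUTLS_VERSION_NUMBER < 0x030200` only works if `<gnutls/gnutls.h>` has already been included at that point. An undefined macro evaluates to 0 in `#if`, so the fallback `# define GNUTLS_DTLS1_2 202` would then be active on every build and would collide with the library's own enumerator if the gnutls header is pulled in afterwards. The visible context shows only the ccan and errno includes and the top of the header is outside the hunk, so this needs confirming; a comment such as `/* requires <gnutls/gnutls.h> above; mirrors the enumerator that gnutls 3.2.0 added */` would record the dependency. Separately, tls_get_overhead() in src/tlslib.c still picks its code path with the compile-time `#if GNUTLS_VERSION_NUMBER >= 0x030207`. A binary built against older headers but running on a newer library can now select the GCM suites through the new `gnutls_check_version()` test in header_value_check() while still using the older overhead branch, so it is worth checking that this branch, whose body lies outside the hunk, handles `GNUTLS_MAC_AEAD`.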
diff --git a/ocserv.spec b/ocserv.spec
index ab14b01..c0d9620 100644
--- a/ocserv.spec
+++ b/ocserv.spec
@@ -2,7 +2,7 @@
Name: ocserv
Version: 0.10.2
-Release: 1%{?dist}
+Release: 2%{?dist}
Summary: OpenConnect SSL VPN server
# For a breakdown of the licensing, see PACKAGE-LICENSING
@@ -18,6 +18,7 @@ Source6: ftp://ftp.infradead.org/pub/ocserv/%{name}-%{version}.tar.xz.sig
Source7: ocserv-genkey
Source8: ocserv-script
Patch0: ocserv-0.10.2-libtasn1.patch
+Patch1: ocserv-0.10.2-dynamic.patch
# Taken from upstream:
# http://git.infradead.org/ocserv.git/commitdiff/7d70006a2dbddf783213f1856374bacc74217e09
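Review bot: `Patch1: ocserv-0.10.2-dynamic.patch` is added without a comment saying where the patch comes from or whether it has been sent upstream. The `# Taken from upstream:` comment that follows appears to belong to a later patch entry outside the hunk. For a change that alters which DTLS ciphersuites the VPN server will negotiate, a provenance line makes later audits and rebases easier, for example `# Upstream status: <upstream commit URL, or "not yet submitted">` directly above the `Patch1:` line.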
@@ -86,6 +87,7 @@ sed -i 's/run-as-group = nogroup/run-as-group = nobody/g' tests/*.config
sed -i 's/either version 3 of the License/either version 2 of the License/g' build-aux/snippet/*
touch src/*.proto
%patch0 -p1 -b .libtasn1
+%patch1 -p1 -b .dynamic
%build
autoreconf -ifv
@@ -158,6 +160,9 @@ rm -rf %{buildroot}
%{_localstatedir}/lib/ocserv/profile.xml
%changelog
+* Mon Mar 30 2015 Nikos Mavrogiannopoulos <nmav at redhat.com> - 0.10.2-2
+- Detection of gnutls capabilities is done dynamically
+
* Mon Mar 30 2015 Nikos Mavrogiannopoulos <nmav at redhat.com> - 0.10.2-1
- new upstream release
--
cgit v0.10.2
http://pkgs.fedoraproject.org/cgit/ocserv.git/commit/?h=epel7&id=abbf86337ce6b87e0dc9e58c1ec456faa437ba0a