diff --git a/.gitignore b/.gitignore
index 35ff967..8371d4e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,5 +1,3 @@
 vpnc-0.5.3.tar.gz
 /vpnc-0.5.3.svn457.tar.gz
 /vpnc-0.5.3.svn550.tar.gz
-/vpnc-c4837a1.tar.gz
-/vpnc-11e15a1.tar.gz
diff --git a/sources b/sources
index 0437011..ec107ec 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (vpnc-11e15a1.tar.gz) = 80524bfa3224f56a002892b43c633db729663eff09d5252cc997b0c5a26d0b92a471f1b268b6b422bb3f7cfabbecc93f634216b14fdbdfaef81c88d6823a1755
+d45438923db1879efe3479ec27ec1000 vpnc-0.5.3.svn550.tar.gz
diff --git a/vpnc-0.5.1-dpd.patch b/vpnc-0.5.1-dpd.patch
new file mode 100644
index 0000000..fd934fd
--- /dev/null
+++ b/vpnc-0.5.1-dpd.patch
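Review bot: The new `sources` entry is a 32-hex-digit digest in the bare `<digest> <file>` layout, which is the MD5 form, and it replaces a SHA512 line. MD5 is not collision resistant, so it is a weak integrity anchor for the tarball. The `Source0` line this commit adds to vpnc.spec points at a plain `http://` URL, which leaves this digest as the only check on what gets downloaded. I would regenerate the entry in the form the file used before, `SHA512 (vpnc-0.5.3.svn550.tar.gz) = <sha512-of-the-verified-tarball>`.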
@@ -0,0 +1,63 @@ +diff -up vpnc-0.5.1/vpnc.c.dpd vpnc-0.5.1/vpnc.c +--- vpnc-0.5.1/vpnc.c.dpd 2007-09-20 11:01:35.000000000 +0200 ++++ vpnc-0.5.1/vpnc.c 2007-11-12 23:11:05.000000000 +0100 +@@ -681,13 +681,13 @@ void dpd_ike(struct sa_block *s) + send_dpd(s, 0, s->ike.dpd_seqno); + } else { + /* Our last dpd request has not yet been acked. If it's been +- ** less than 5 seconds since we sent it do nothing. Otherwise ++ ** less than 1/10th of idle timeout since we sent it do nothing. Otherwise + ** decrement dpd_attempts. If dpd_attempts is 0 dpd fails and we + ** terminate otherwise we send it again with the same sequence + ** number and record current time. + */ + time_t now = time(NULL); +- if (now < s->ike.dpd_sent + 5) ++ if (now < s->ike.dpd_sent + s->ike.dpd_idle/10) + return; + if (--s->ike.dpd_attempts == 0) { + DEBUG(2, printf("dead peer detected, terminating\n")); +@@ -695,6 +695,8 @@ void dpd_ike(struct sa_block *s) + return; + } + s->ike.dpd_sent = now; ++ if (s->ike.dpd_attempts == 3) ++ ++s->ike.dpd_seqno; /* maybe just the dpd reply got lost let's try new seq no */ + send_dpd(s, 0, s->ike.dpd_seqno); + } + } +diff -up vpnc-0.5.1/tunip.c.dpd vpnc-0.5.1/tunip.c +--- vpnc-0.5.1/tunip.c.dpd 2007-09-06 22:05:14.000000000 +0200 ++++ vpnc-0.5.1/tunip.c 2007-11-12 22:42:17.000000000 +0100 +@@ -865,7 +865,7 @@ static void vpnc_main_loop(struct sa_blo + time_t now = time(NULL); + if (s->ike.dpd_seqno != s->ike.dpd_seqno_ack) { + /* Wake up more often for dpd attempts */ +- select_timeout.tv_sec = 5; ++ select_timeout.tv_sec = s->ike.dpd_idle/10; + select_timeout.tv_usec = 0; + dpd_ike(s); + next_ike_dpd = now + s->ike.dpd_idle; +@@ -925,8 +925,8 @@ static void vpnc_main_loop(struct sa_blo + if (s->ike.dpd_seqno != s->ike.dpd_seqno_ack) { + dpd_ike(s); + next_ike_dpd = now + s->ike.dpd_idle; +- if (now + 5 < next_up) +- next_up = now + 5; ++ if (now + s->ike.dpd_idle/10 < next_up) ++ next_up = now + s->ike.dpd_idle/10; + } + else if (now >= next_ike_dpd) { + 
dpd_ike(s); +diff -up vpnc-0.5.1/config.c.dpd vpnc-0.5.1/config.c +--- vpnc-0.5.1/config.c.dpd 2007-11-12 22:40:01.000000000 +0100 ++++ vpnc-0.5.1/config.c 2007-11-12 23:17:39.000000000 +0100 +@@ -242,7 +242,7 @@ static const char *config_def_udp_port(v + + static const char *config_def_dpd_idle(void) + { +- return "300"; ++ return "600"; + } + + static const char *config_ca_dir(void) diff --git a/vpnc-0.5.3-cloexec.patch b/vpnc-0.5.3-cloexec.patch new file mode 100644 index 0000000..3c224f9 --- /dev/null +++ b/vpnc-0.5.3-cloexec.patch @@ -0,0 +1,12 @@ +diff -up vpnc-0.5.3/vpnc.c.cloexec vpnc-0.5.3/vpnc.c +--- vpnc-0.5.3/vpnc.c.cloexec 2008-11-19 21:55:51.000000000 +0100 ++++ vpnc-0.5.3/vpnc.c 2008-11-20 11:48:07.000000000 +0100 +@@ -2877,6 +2877,8 @@ static void do_phase2_qm(struct sa_block + close_tunnel(s); + error(1, errno, "Couldn't open socket of ESP. Maybe something registered ESP already.\nPlease try '--natt-mode force-natt' or disable whatever is using ESP.\nsocket(PF_INET, SOCK_RAW, IPPROTO_ESP)"); + } ++ fcntl(s->esp_fd, F_SETFD, FD_CLOEXEC); ++ + #ifdef IP_HDRINCL + if (setsockopt(s->esp_fd, IPPROTO_IP, IP_HDRINCL, &hincl, sizeof(hincl)) == -1) { + close_tunnel(s); diff --git a/vpnc-0.5.3-use-autodie.patch b/vpnc-0.5.3-use-autodie.patch new file mode 100644 index 0000000..4ad5d6c --- /dev/null +++ b/vpnc-0.5.3-use-autodie.patch @@ -0,0 +1,12 @@ +diff -up vpnc-0.5.3/makeman.pl.autodie vpnc-0.5.3/makeman.pl +--- vpnc-0.5.3/makeman.pl.autodie 2009-11-19 18:03:47.000000000 +0100 ++++ vpnc-0.5.3/makeman.pl 2013-03-07 11:21:43.524106709 +0100 +@@ -17,7 +17,7 @@ + + use strict; + use warnings; +-use Fatal qw(open close); ++use autodie qw(open close); + use filetest qw(access); # to always get errno-values on filetests + use POSIX qw(strftime setlocale LC_ALL); + diff --git a/vpnc-disconnect.consolehelper b/vpnc-disconnect.consolehelper index 2011c06..27cb504 100644 --- a/vpnc-disconnect.consolehelper +++ b/vpnc-disconnect.consolehelper 
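Review bot: `s->ike.dpd_idle/10` is used as a wait interval in three places (the `now < s->ike.dpd_sent + ...` test in dpd_ike, and `select_timeout.tv_sec` and `next_up` in vpnc_main_loop) with no lower bound. Assuming dpd_idle is an integer, any configured value below 10 gives 0. The main loop would then wake with a zero timeout, and dpd_ike would decrement `dpd_attempts` on every pass, so the peer would be declared dead almost immediately and the tunnel torn down. Whether config parsing already rejects such values is not visible here. I would compute the interval once and clamp it, for example `time_t dpd_wait = s->ike.dpd_idle / 10; if (dpd_wait < 1) dpd_wait = 1;`, and use `dpd_wait` in all three places. The literal `3` in `if (s->ike.dpd_attempts == 3)` also deserves a named constant or a comment tying it to the initial attempt count; both functions start and end outside the hunks.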
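Review bot: The added `fcntl(s->esp_fd, F_SETFD, FD_CLOEXEC);` in do_phase2_qm ignores its return value. If the call fails, the raw ESP socket stays inheritable by any child process vpnc starts later, and nothing is reported. The socket() failure just above is handled with `close_tunnel(s)` and `error(1, errno, ...)`, and the same pattern fits here: `if (fcntl(s->esp_fd, F_SETFD, FD_CLOEXEC) == -1) { close_tunnel(s); error(1, errno, "fcntl(esp_fd, F_SETFD, FD_CLOEXEC)"); }`. do_phase2_qm starts and ends outside the hunk.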
@@ -1,2 +1,2 @@ USER=root -PROGRAM=/usr/libexec/vpnc-disconnect +PROGRAM=/usr/sbin/vpnc-disconnect diff --git a/vpnc-helper b/vpnc-helper index 91ef213..0e906d9 100755 --- a/vpnc-helper +++ b/vpnc-helper @@ -1,10 +1,2 @@ #!/bin/sh - -if [ "$USERHELPER_UID" = "0" ]; then - # if started by root, forward all arguments - /usr/libexec/vpnc "$@" -else - # if started as unprivileged user, discard all arguments - # vpnc will use its default config file /etc/vpnc/default.conf - /usr/libexec/vpnc -fi +/usr/sbin/vpnc diff --git a/vpnc.consolehelper b/vpnc.consolehelper index fbd2e95..0170585 100644 --- a/vpnc.consolehelper +++ b/vpnc.consolehelper @@ -1,2 +1,2 @@ USER=root -PROGRAM=/usr/libexec/vpnc-helper +PROGRAM=/usr/sbin/vpnc-helper diff --git a/vpnc.pam b/vpnc.pam index 85cf06e..ddb3673 100644 --- a/vpnc.pam +++ b/vpnc.pam @@ -1,4 +1,5 @@ #%PAM-1.0 auth sufficient pam_rootok.so +auth sufficient pam_console.so auth include config-util account include config-util diff --git a/vpnc.spec b/vpnc.spec index fa35006..3636a3f 100644 --- a/vpnc.spec +++ b/vpnc.spec @@ -1,14 +1,13 @@ -%global commit 11e15a143d6a00fb4e532cad271c70b401a6b9ef -%global shortcommit %(c=%{commit}; echo ${c:0:7}) +%define snapshot .svn550 Name: vpnc -Version: 0.5.3^20241114.git%{shortcommit} -Release: 3%{?dist} +Version: 0.5.3 +Release: 35%{snapshot}%{?dist} Summary: IPSec VPN client compatible with Cisco equipment -License: GPL-2.0-or-later and BSD-2-Clause -URL: https://davidepucci.it/doc/vpnc/ +License: GPLv2+ +URL: http://www.unix-ag.uni-kl.de/~massar/vpnc/ -Source0: https://github.com/streambinder/vpnc/archive/%{commit}/%{name}-%{shortcommit}.tar.gz +Source0: http://www.unix-ag.uni-kl.de/~massar/vpnc/%{name}-%{version}%{snapshot}.tar.gz Source1: generic-vpnc.conf Source2: vpnc.consolehelper Source3: vpnc-disconnect.consolehelper 
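Review bot: The new two-line vpnc-helper gives no reason for calling `/usr/sbin/vpnc` without `"$@"`, and the removed comments were the only place that said arguments from an unprivileged caller must be discarded. vpnc.consolehelper runs this script with USER=root, so a later edit that forwards arguments would hand caller-chosen options to a root process. I would add `# Do not forward "$@": consolehelper runs this as root for console users, who may only use /etc/vpnc/default.conf` above the call and write it as `exec /usr/sbin/vpnc`. The change also drops argument forwarding for root callers, which the old USERHELPER_UID branch allowed; if that is intended it should be stated in the commit.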
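Review bot: The added `auth sufficient pam_console.so` in vpnc.pam lets whoever holds the local console session pass authentication without a password, and the consolehelper configs on this page run their target as USER=root. The changelog entry this commit removes from vpnc.spec states that pam_console.so is not available anymore. On such systems the line presumably only causes a module-load error before the stack falls through to `config-util`. I would leave the line out. If passwordless console access is really intended, say so next to it, for example `# console user may start the VPN without a password (vpnc-consoleuser)`.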
@@ -18,35 +17,41 @@ Source8: %{name}-tmpfiles.conf # script used to generate the svn snapshot, not used in the actual build process Source99: fetch-sources.sh -BuildRequires: make -BuildRequires: gcc +Patch1: vpnc-0.5.1-dpd.patch +Patch2: vpnc-0.5.3-use-autodie.patch + +BuildRequires: gcc BuildRequires: libgcrypt-devel > 1.1.90 BuildRequires: gnutls-devel -# required for ./makeman.pl -BuildRequires: perl-interpreter BuildRequires: perl(autodie) -BuildRequires: perl(filetest) -BuildRequires: perl(if) -BuildRequires: systemd-rpm-macros -Requires: iproute vpnc-script usermode -Obsoletes: vpnc-consoleuser < 0.5.3^20241114.git11e15a1-2 +BuildRequires: systemd +Requires: iproute vpnc-script %description -An IPSec VPN client with support for IP tunelling, Xauth, ESP, -Mode Configuration and shared-secret IPSec authentication. +A VPN client compatible with Cisco's EasyVPN equipment. -Compatible with Cisco's EasyVPN equipment. +Supports IPSec (ESP) with Mode Configuration and Xauth. Supports only +shared-secret IPSec authentication, 3DES, MD5, and IP tunneling. + +%package consoleuser +Summary: Allows console user to run the VPN client directly +Requires: vpnc = %{version}-%{release} +Requires: usermode + +%description consoleuser +Allows the console user to run the IPSec VPN client directly without +switching to the root account. %prep -%autosetup -p1 -n %{name}-%{commit} +%autosetup %build CFLAGS="$RPM_OPT_FLAGS -fPIE" LDFLAGS="$RPM_OPT_FLAGS -pie" make PREFIX=/usr %install -make install DESTDIR="$RPM_BUILD_ROOT" PREFIX=/usr SBINDIR=%{_libexecdir} +make install DESTDIR="$RPM_BUILD_ROOT" PREFIX=/usr rm -f $RPM_BUILD_ROOT%{_bindir}/pcf2vpnc -chmod 0644 src/pcf2vpnc +chmod 0644 pcf2vpnc rm -f $RPM_BUILD_ROOT%{_mandir}/man1/pcf2vpnc.1 chmod 0644 $RPM_BUILD_ROOT%{_mandir}/man8/vpnc.8 install -m 0600 %{SOURCE1} $RPM_BUILD_ROOT%{_sysconfdir}/vpnc/default.conf 
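Review bot: The patch list added here declares only `Patch1: vpnc-0.5.1-dpd.patch` and `Patch2: vpnc-0.5.3-use-autodie.patch`, while the same commit also adds vpnc-0.5.3-cloexec.patch. Unless that patch is declared outside the visible hunks, `%autosetup` will not apply it, and the ESP socket will still be inherited by the child processes vpnc starts. If the patch is meant to ship, add a line such as `Patch3: vpnc-0.5.3-cloexec.patch` (the number is only an example); otherwise drop the file from the commit. A one-line comment above each Patch entry saying what it changes would make this kind of omission easier to spot.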
@@ -59,105 +64,37 @@ install -Dp -m 0644 %{SOURCE4} \ install -Dp -m 0644 %{SOURCE4} \ $RPM_BUILD_ROOT%{_sysconfdir}/pam.d/vpnc-disconnect install -m 0755 %{SOURCE5} \ - $RPM_BUILD_ROOT%{_libexecdir}/vpnc-helper + $RPM_BUILD_ROOT%{_sbindir}/vpnc-helper mkdir -p $RPM_BUILD_ROOT%{_bindir} ln -sf consolehelper $RPM_BUILD_ROOT%{_bindir}/vpnc ln -sf consolehelper $RPM_BUILD_ROOT%{_bindir}/vpnc-disconnect rm -f $RPM_BUILD_ROOT%{_datadir}/doc/vpnc/COPYING # vpnc-script is packaged in a separate package rm -f $RPM_BUILD_ROOT%{_sysconfdir}/vpnc/vpnc-script -rm -f $RPM_BUILD_ROOT%{_docdir}/vpnc/*.md mkdir -p %{buildroot}%{_tmpfilesdir} install -m 0644 %{SOURCE8} %{buildroot}%{_tmpfilesdir}/%{name}.conf -%post -%systemd_post vpnc@.service - -%preun -%systemd_preun vpnc@.service - -%postun -%systemd_postun vpnc@.service - %files -%license LICENSE LICENSE.BSD2 -%doc docs/*.md src/pcf2vpnc src/pcf2vpnc.1 +%license COPYING +%doc README pcf2vpnc pcf2vpnc.1 %{_tmpfilesdir}/%{name}.conf %config(noreplace) %{_sysconfdir}/vpnc/default.conf +%{_sbindir}/vpnc %{_bindir}/cisco-decrypt -%{_bindir}/vpnc -%{_bindir}/vpnc-disconnect -%{_libexecdir}/vpnc -%{_libexecdir}/vpnc-disconnect -%{_libexecdir}/vpnc-helper +%{_sbindir}/vpnc-disconnect %{_mandir}/man8/vpnc.* %{_mandir}/man1/cisco-decrypt.* -%{_unitdir}/vpnc@.service + +%files consoleuser %config(noreplace) %{_sysconfdir}/security/console.apps/vpnc* %config(noreplace) %{_sysconfdir}/pam.d/vpnc* +%{_bindir}/vpnc* +%{_sbindir}/vpnc-helper %changelog -* Fri Jul 25 2025 Fedora Release Engineering - 0.5.3^20241114.git11e15a1-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild - -* Wed May 07 2025 Christian Krause - 0.5.3^20241114.git11e15a1-2 -- Fix issues with /usr/bin/ and /usr/sbin/ merge (#2363531) -- Always use consolehelper, implicitly allowed for root, - remove consoleuser sub-package -- Remove pam_console.so from vpnc.pam (not available anymore) - -* Mon Mar 24 2025 Lubomir Rintel - 0.5.3^20241114.gitc4837a1-1 -- 
Update to a snapshot from an active upstream Git repository - -* Sun Jan 19 2025 Fedora Release Engineering - 0.5.3-50.svn550 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild - -* Fri Jul 26 2024 Miroslav Suchý - 0.5.3-49.svn550 -- convert license to SPDX - -* Sat Jul 20 2024 Fedora Release Engineering - 0.5.3-48.svn550 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild - -* Sat Jan 27 2024 Fedora Release Engineering - 0.5.3-47.svn550 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild - -* Sat Jul 22 2023 Fedora Release Engineering - 0.5.3-46.svn550 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild - -* Sat Jan 21 2023 Fedora Release Engineering - 0.5.3-45.svn550 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild - -* Sat Jul 23 2022 Fedora Release Engineering - 0.5.3-44.svn550 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild - -* Sat Jan 22 2022 Fedora Release Engineering - 0.5.3-43.svn550 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild - -* Fri Jul 23 2021 Fedora Release Engineering - 0.5.3-42.svn550 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild - -* Wed Jan 27 2021 Fedora Release Engineering - 0.5.3-41.svn550 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild - -* Mon Aug 03 2020 Felix Schwarz - 0.5.3-40.svn550 -- add missing perl dependencies for makeman.pl - -* Sat Aug 01 2020 Fedora Release Engineering - 0.5.3-39.svn550 -- Second attempt - Rebuilt for - https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild - -* Wed Jul 29 2020 Fedora Release Engineering - 0.5.3-38.svn550 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild - -* Fri Jan 31 2020 Fedora Release Engineering - 0.5.3-37.svn550 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild - -* Sat Jul 27 2019 Fedora Release Engineering - 0.5.3-36.svn550 -- Rebuilt for 
https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild - * Tue Apr 23 2019 Felix Schwarz - 0.5.3-35.svn550 - avoid legacy warning from systemd (rhbz 1691908)
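Review bot: `%{_sbindir}/vpnc` in %files and the `ln -sf consolehelper $RPM_BUILD_ROOT%{_bindir}/vpnc` symlink name the same file wherever /usr/sbin and /usr/bin are merged, which appears to be the problem the removed changelog entry for #2363531 describes. In that case the symlink would replace the real binary after `make install`, and the `/usr/sbin/vpnc` call in vpnc-helper would resolve to consolehelper again rather than to vpnc. This is inferred from the visible lines and has not been tested. Keeping `SBINDIR=%{_libexecdir}` on the `make install` line and the `%{_libexecdir}/vpnc*` entries in %files avoids the collision. The `make install` line itself sits in the previous hunk.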