From bda3dc01cfebd43b0971126325ffbf74c9b0d26b Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Sat, 23 Aug 2014 18:32:28 +0200 Subject: [PATCH] ocserv: added various patches Signed-off-by: Nikos Mavrogiannopoulos --- net/ocserv/Makefile | 2 +- ...procmask-prior-to-entering-main-loop.patch | 24 ++++++ ...UDP-socket-is-updated-update-the-DTL.patch | 26 +++++++ ...fork-restore-the-default-signal-mask.patch | 76 +++++++++++++++++++ ...d-for-infinite-loop-if-the-UDP-descr.patch | 25 ++++++ 5 files changed, 152 insertions(+), 1 deletion(-) create mode 100644 net/ocserv/patches/0001-worker-call-sigprocmask-prior-to-entering-main-loop.patch create mode 100644 net/ocserv/patches/0002-worker-when-the-UDP-socket-is-updated-update-the-DTL.patch create mode 100644 net/ocserv/patches/0003-after-fork-restore-the-default-signal-mask.patch create mode 100644 net/ocserv/patches/0004-added-work-around-for-infinite-loop-if-the-UDP-descr.patch diff --git a/net/ocserv/Makefile b/net/ocserv/Makefile index e5a31779b6..4a30551757 100644 --- a/net/ocserv/Makefile +++ b/net/ocserv/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=ocserv PKG_VERSION:=0.8.2 -PKG_RELEASE:=1 +PKG_RELEASE:=2 PKG_BUILD_DIR :=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION) PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz diff --git a/net/ocserv/patches/0001-worker-call-sigprocmask-prior-to-entering-main-loop.patch b/net/ocserv/patches/0001-worker-call-sigprocmask-prior-to-entering-main-loop.patch new file mode 100644 index 0000000000..783aa2b1df --- /dev/null +++ b/net/ocserv/patches/0001-worker-call-sigprocmask-prior-to-entering-main-loop.patch 
@@ -0,0 +1,24 @@
+From 9be381859d7c9077ed652a82ec06ef01494d413d Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos
+Date: Fri, 8 Aug 2014 12:27:08 +0200
+Subject: [PATCH 01/10] worker: call sigprocmask() prior to entering main loop
+
+---
+ src/worker-vpn.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/worker-vpn.c b/src/worker-vpn.c
+index 1c30f14..55ab375 100644
+--- a/src/worker-vpn.c
++++ b/src/worker-vpn.c
+@@ -1856,6 +1856,7 @@ static int connect_handler(worker_st * ws)
+ bandwidth_init(&ws->b_tx, ws->config->tx_per_sec);
+ 
+ session_info_send(ws);
++ sigprocmask(SIG_BLOCK, &blockset, NULL);
+ 
+ /* worker main loop */
+ for (;;) {
+-- 
+2.0.0
+
diff --git a/net/ocserv/patches/0002-worker-when-the-UDP-socket-is-updated-update-the-DTL.patch b/net/ocserv/patches/0002-worker-when-the-UDP-socket-is-updated-update-the-DTL.patch
new file mode 100644
index 0000000000..0c5ea02ce8
--- /dev/null
+++ b/net/ocserv/patches/0002-worker-when-the-UDP-socket-is-updated-update-the-DTL.patch
@@ -0,0 +1,26 @@
+From c567a129f4dac88d1b3c4508484a2dffd78e1e5a Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos
+Date: Fri, 22 Aug 2014 11:57:15 +0200
+Subject: [PATCH 06/10] worker: when the UDP socket is updated, update the DTLS
+ session
+
+---
+ src/worker-misc.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/worker-misc.c b/src/worker-misc.c
+index 52be346..bde24d7 100644
+--- a/src/worker-misc.c
++++ b/src/worker-misc.c
+@@ -139,6 +139,8 @@ int handle_worker_commands(struct worker_st *ws)
+ close(fd);
+ return 0;
+ }
++ if (ws->dtls_session != NULL)
++ gnutls_transport_set_ptr(ws->dtls_session, (gnutls_transport_ptr_t)(long)fd);
+ } else { /* received client hello */
+ ws->udp_state = UP_SETUP;
+ }
+-- 
+2.0.0
+
diff --git a/net/ocserv/patches/0003-after-fork-restore-the-default-signal-mask.patch b/net/ocserv/patches/0003-after-fork-restore-the-default-signal-mask.patch
new file mode 100644
index 0000000000..c16228a4a6
--- /dev/null
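Review bot: The added `sigprocmask(SIG_BLOCK, &blockset, NULL);` before the worker main loop has no comment saying why the mask is taken here, and the loop it protects lies outside the hunk, so a reader cannot see how the blocked signals are ever delivered. Holding the mask for the whole loop is only safe if the loop's wait is a `pselect()`/`ppoll()` that atomically swaps in the unblocked mask; with a plain `select()`/`poll()` a signal arriving before the wait is noticed only at the next timeout, which is presumably the race this series addresses but cannot be confirmed from here. Once confirmed, suggest `/* Keep signals blocked; the loop's pselect()/ppoll() unblocks them atomically so a pending signal is not lost between the check and the wait. */` above the call. The return value is unchecked, which matches the other sigprocmask() calls in this series.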
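Review bot: The new `if (ws->dtls_session != NULL)` with an unbraced single-statement body differs from the braced `if` immediately above it in the hunk (`close(fd); return 0; }`), and it carries no comment on why the transport pointer has to follow the new descriptor. Suggest bracing it and adding `/* re-point the DTLS session at the new socket; otherwise it keeps pushing/pulling on the old descriptor number, which may be reused for something else */` above it. handle_worker_commands() starts before the hunk, so whether the previous UDP descriptor is closed before this point is not visible here.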
+++ b/net/ocserv/patches/0003-after-fork-restore-the-default-signal-mask.patch 
@@ -0,0 +1,76 @@
+From 817f757577ef78bcc19aecf73d6ecf1b11258c82 Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos
+Date: Fri, 22 Aug 2014 15:23:16 +0200
+Subject: [PATCH 07/10] after fork restore the default signal mask
+
+---
+ src/main-user.c | 2 ++
+ src/main.c | 5 +++--
+ src/main.h | 1 +
+ 3 files changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/src/main-user.c b/src/main-user.c
+index bc16e3a..9b57e00 100644
+--- a/src/main-user.c
++++ b/src/main-user.c
+@@ -66,6 +66,8 @@ const char* script;
+ char local[64] = "";
+ char remote[64] = "";
+ 
++ sigprocmask(SIG_SETMASK, &sig_default_set, NULL);
++
+ snprintf(real, sizeof(real), "%u", (unsigned)proc->pid);
+ setenv("ID", real, 1);
+ 
+diff --git a/src/main.c b/src/main.c
+index 8bb3061..a71bde6 100644
+--- a/src/main.c
++++ b/src/main.c
+@@ -64,6 +64,7 @@ static unsigned int terminate = 0;
+ static unsigned int reload_conf = 0;
+ unsigned int need_maintenance = 0;
+ static unsigned int need_children_cleanup = 0;
++sigset_t sig_default_set;
+ 
+ static void ms_sleep(unsigned ms)
+ {
+@@ -974,7 +975,7 @@ int main(int argc, char** argv)
+ exit(1);
+ }
+ 
+- sigprocmask(SIG_BLOCK, &blockset, NULL);
++ sigprocmask(SIG_BLOCK, &blockset, &sig_default_set);
+ alarm(MAINTAINANCE_TIME(s));
+ 
+ for (;;) {
+@@ -1061,6 +1062,7 @@ int main(int argc, char** argv)
+ /* close any open descriptors, and erase
+ * sensitive data before running the worker
+ */
++ sigprocmask(SIG_SETMASK, &sig_default_set, NULL);
+ close(cmd_fd[0]);
+ clear_lists(s);
+ 
+@@ -1096,7 +1098,6 @@ int main(int argc, char** argv)
+ * sensitive data have to be overwritten anyway. */
+ malloc_trim(0);
+ #endif
+- sigprocmask(SIG_UNBLOCK, &blockset, NULL);
+ vpn_server(ws);
+ exit(0);
+ } else if (pid == -1) {
+diff --git a/src/main.h b/src/main.h
+index de3d00c..cf5a0b1 100644
+--- a/src/main.h
++++ b/src/main.h
+@@ -39,6 +39,7 @@
+ 
+ #define COOKIE_KEY_SIZE 16
+ 
++extern sigset_t sig_default_set;
+ int cmd_parser (void *pool, int argc, char **argv, struct cfg_st** config);
+ void reload_cfg_file(void *pool, struct cfg_st* config);
+ void clear_cfg_file(struct cfg_st* config);
+-- 
+2.0.0
+
diff --git a/net/ocserv/patches/0004-added-work-around-for-infinite-loop-if-the-UDP-descr.patch b/net/ocserv/patches/0004-added-work-around-for-infinite-loop-if-the-UDP-descr.patch
new file mode 100644
index 0000000000..33f03c650c
--- /dev/null
+++ b/net/ocserv/patches/0004-added-work-around-for-infinite-loop-if-the-UDP-descr.patch
@@ -0,0 +1,25 @@
+diff --git a/src/worker-vpn.c b/src/worker-vpn.c
+index 55ab375..12cd3c8 100644
+--- a/src/worker-vpn.c
++++ b/src/worker-vpn.c
+@@ -1071,9 +1071,20 @@ static int dtls_mainloop(worker_st * ws, struct timespec *tnow)
+ {
+ int ret, l;
+ 
++#if GNUTLS_VERSION_NUMBER <= 0x030210
++ /* work-around an infinite loop caused by gnutls_record_recv()
++ * always succeeding by counting every error as a discarded packet.
++ */
++ ret = gnutls_record_get_discarded(ws->dtls_session);
++ if (ret > 1000) {
++ ws->udp_state = UP_DISABLED;
++ return 0;
++ }
++#endif
+ switch (ws->udp_state) {
+ case UP_ACTIVE:
+ case UP_INACTIVE:
++
+ ret =
+ tls_recv_nb(ws->dtls_session, ws->buffer, ws->buffer_size);
+ oclog(ws, LOG_TRANSFER_DEBUG,
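Review bot: `sig_default_set` is filled by `sigprocmask(SIG_BLOCK, &blockset, &sig_default_set)` in the main.c hunk at 975, so it holds whatever mask ocserv inherited from its launcher at startup rather than an empty set, while the name and the commit title read as if it were empty. A child that does `SIG_SETMASK` to it (the worker in the hunk at 1062, the script child in main-user.c) therefore keeps any signal the launcher had blocked, whereas the removed `SIG_UNBLOCK` at 1098 guaranteed that blockset's signals were deliverable in the worker; if that matters for the worker's SIGTERM/SIGALRM handling, keep an unblock of blockset next to the restore or sigdelset() those signals from the saved mask. Suggest documenting the definition in main.c as `/* signal mask inherited at startup, saved before blockset is applied; restored in forked children */`. The worker's restore now also happens before close()/clear_lists() rather than right before vpn_server(), which widens the window in which the parent's inherited handlers run in the child; presumably harmless, but worth a comment if intentional.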
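Review bot: The new `gnutls_record_get_discarded(ws->dtls_session)` call runs before `switch (ws->udp_state)` for every state, yet patch 0002 in this same series guards `ws->dtls_session != NULL` when the UDP descriptor is handled, which suggests the session can be unset outside UP_ACTIVE/UP_INACTIVE; guard it the same way, `if (ws->dtls_session != NULL && gnutls_record_get_discarded(ws->dtls_session) > 1000) {`. The threshold `1000` is a bare magic number and the counter is cumulative for the session's lifetime, so a long-lived tunnel can reach it through ordinary spurious datagrams, and since discarded records never authenticate, so can anything that reaches the UDP port; a named constant, a comment on why disabling UDP is the chosen reaction, and a windowed rather than lifetime count would make this more robust. The rest of dtls_mainloop() continues past the hunk.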