net/ocserv: Update to 1.2.3

Release notes: https://gitlab.com/openconnect/ocserv/-/releases/1.2.3
2023-12-27 20:08:56 +01:00 · 2023-12-27 20:08:56 +01:00 · 7f0a801fe7
commit 7f0a801fe7
parent a0bd62090d
9 changed files with 66 additions and 64 deletions
--- a/net/ocserv/Makefile
+++ b/net/ocserv/Makefile
@ -1,5 +1,5 @@
 PORTNAME=	ocserv
-DISTVERSION=	1.2.2
+DISTVERSION=	1.2.3
 CATEGORIES=	net net-vpn security
 MASTER_SITES=	https://www.infradead.org/ocserv/download/

@ -56,15 +56,14 @@ RADIUS_CONFIGURE_OFF=	--without-radius
 .include <bsd.port.pre.mk>

 post-patch:
-	${REINPLACE_CMD} 's|/usr/bin/ocserv-fw|${PREFIX}/bin/ocserv-fw|g' \
-		${WRKSRC}/src/main-user.c
-	${REINPLACE_CMD} 's|/usr/bin/ocserv\\-fw|${PREFIX}/bin/ocserv\\-fw|g' \
+	${REINPLACE_CMD} 's|/usr/bin/ocserv\\-fw|${PREFIX}/libexec/ocserv\\-fw|g' \
 		${WRKSRC}/doc/ocserv.8
 	${REINPLACE_CMD} -e 's|%%PREFIX%%|${PREFIX}|g' \
 		-e 's|%%ETCDIR%%|${ETCDIR}|g' \
 		-e 's|%%USERS%%|${USERS}|g' \
 		-e 's|%%GROUPS%%|${GROUPS}|g' \
-		${WRKSRC}/doc/sample.config
+		${WRKSRC}/doc/sample.config \
+		${WRKSRC}/src/main-user.c
 .if "${PREFIX}" != "" && "${PREFIX}" != "/" && "${PREFIX}" != "/usr"
 	${REINPLACE_CMD} -E 's|^(#define DEFAULT_CFG_FILE ")(/etc/ocserv/ocserv.conf")|\1${PREFIX}\2|' ${WRKSRC}/src/config.c
 	${REINPLACE_CMD} -E 's|^(#define DEFAULT_OCPASSWD ")(/etc/ocserv/ocpasswd")|\1${PREFIX}\2|' ${WRKSRC}/src/ocpasswd/ocpasswd.c
--- a/net/ocserv/distinfo
+++ b/net/ocserv/distinfo
@ -1,3 +1,3 @@
-TIMESTAMP = 1699481326
-SHA256 (ocserv-1.2.2.tar.xz) = 6e3c7a2ee9e9b4d3621de66e155fd99eb02c0134b9f42cfbc86d3979e485c719
-SIZE (ocserv-1.2.2.tar.xz) = 751548
+TIMESTAMP = 1703628457
+SHA256 (ocserv-1.2.3.tar.xz) = 06ce0fcb59a8b33b8d65d6e551de2b5ef77b7ea641b87caa654a5ee9c49f1bbf
+SIZE (ocserv-1.2.3.tar.xz) = 757484
--- a/net/ocserv/files/patch-configure.ac
+++ b/net/ocserv/files/patch-configure.ac
@ -1,4 +1,4 @@
--- configure.ac.orig	2023-07-11 12:47:23 UTC
+--- configure.ac.orig	2023-12-14 11:45:13 UTC
 +++ configure.ac
@@ -16,7 +16,7 @@ AM_PROG_CC_C_O
 AC_PROG_SED
@ -9,7 +9,7 @@
 fi
 
 AC_PATH_PROG(CTAGS, ctags, [:])
-@@ -223,7 +223,7 @@ if test "$test_for_geoip" = yes && test "$have_maxmind
+@@ -219,7 +219,7 @@ if test "$test_for_geoip" = yes && test "$have_maxmind
 fi
 
 have_readline=no
--- a/net/ocserv/files/patch-doc_sample.config
+++ b/net/ocserv/files/patch-doc_sample.config
@ -1,4 +1,4 @@
--- doc/sample.config.orig	2023-07-11 12:54:03 UTC
+--- doc/sample.config.orig	2023-12-17 10:19:23 UTC
 +++ doc/sample.config
@@ -19,7 +19,7 @@
 #  This enabled PAM authentication of the user. The gid-min option is used
@ -18,14 +18,12 @@
 #  The radius option requires specifying freeradius-client configuration
 # file. If the groupconfig option is set, then config-per-user/group will be overridden,
 # and all configuration will be read from radius. That also includes the
-@@ -47,10 +47,10 @@
- 
+@@ -48,9 +48,9 @@
 #auth = "pam"
 #auth = "pam[gid-min=1000]"
-#auth = "plain[passwd=./sample.passwd,otp=./sample.otp]"
+ #auth = "plain[passwd=./sample.passwd,otp=./sample.otp]"
 -auth = "plain[passwd=./sample.passwd]"
-+#auth = "plain[passwd=%%ETCDIR%%/sample.passwd,otp=%%ETCDIR%%/sample.otp]"
-+auth = "plain[passwd=%%ETCDIR%%/sample.passwd]"
+auth = "plain[passwd=%%ETCDIR%%/sample.passwd,otp=%%ETCDIR%%/sample.otp]"
 #auth = "certificate"
 -#auth = "radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true]"
 +#auth = "radius[config=%%PREFIX%%/etc/radiusclient/radiusclient.conf,groupconfig=true]"
@ -41,17 +39,6 @@
 
 # Use listen-host to limit to specific IPs or to the IPs of a provided
 # hostname.
-@@ -96,8 +96,8 @@ udp-port = 443
- # The user the worker processes will be run as. This should be a dedicated
- # unprivileged user (e.g., 'ocserv') and no other services should run as this
- # user.
-run-as-user = nobody
-run-as-group = daemon
-+run-as-user = %%USERS%%
-+run-as-group = %%GROUPS%%
- 
- # socket file used for IPC with occtl. You only need to set that,
- # if you use more than a single servers.
@@ -124,22 +124,20 @@ socket-file = /var/run/ocserv-socket
 # certificate renewal (they are checked and reloaded periodically;
 # a SIGHUP signal to main server will force reload).
@ -60,8 +47,8 @@
 -#server-key = /etc/ocserv/server-key.pem
 -server-cert = ../tests/certs/server-cert.pem
 -server-key = ../tests/certs/server-key.pem
-++server-cert = %%ETCDIR%%/server-cert.pem
-++server-key = %%ETCDIR%%/server-key.pem
+server-cert = %%ETCDIR%%/server-cert.pem
+server-key = %%ETCDIR%%/server-key.pem
 
 # Diffie-Hellman parameters. Only needed if for old (pre 3.6.0
 # versions of GnuTLS for supporting DHE ciphersuites.
@ -91,13 +78,9 @@
 
 # The number of sub-processes to use for the security module (authentication)
 # processes. Typically this should not be set as the number of processes
-@@ -171,17 +168,10 @@ ca-cert = ../tests/certs/ca.pem
- ### operation. If the server key changes on reload, there may be connection
+@@ -172,16 +169,6 @@ ca-cert = ../tests/certs/ca.pem
 ### failures during the reloading time.
 
-+# ocserv 1.1.1 on FreeBSD does not currently support process isolation,
-+# because ocserv only supports Linux's seccomp system, but not capsicum(4).
-+#isolate-workers = false
 
 -# Whether to enable seccomp/Linux namespaces worker isolation. That restricts the number of
 -# system calls allowed to a worker process, in order to reduce damage from a
@ -112,7 +95,7 @@
 # A banner to be displayed on clients after connection
 #banner = "Welcome"
 
-@@ -262,7 +252,7 @@ try-mtu-discovery = false
+@@ -262,7 +249,7 @@ try-mtu-discovery = false
 # You can update this response periodically using:
 # ocsptool --ask --load-cert=your_cert --load-issuer=your_ca --outfile response
 # Make sure that you replace the following file in an atomic way.
@ -121,35 +104,53 @@
 
 # The object identifier that will be used to read the user ID in the client
 # certificate. The object identifier should be part of the certificate's DN
-@@ -281,7 +271,7 @@ cert-user-oid = 0.9.2342.19200300.100.1.1
+@@ -281,7 +268,7 @@ cert-user-oid = 0.9.2342.19200300.100.1.1
 # See the manual to generate an empty CRL initially. The CRL will be reloaded
 # periodically when ocserv detects a change in the file. To force a reload use
 # SIGHUP.
 -#crl = /etc/ocserv/crl.pem
-+#crl = %%ETCDIR%%/crl.pem
+crl = %%ETCDIR%%/crl.pem
 
 # Uncomment this to enable compression negotiation (LZS, LZ4).
 #compression = true
-@@ -560,15 +550,15 @@ no-route = 192.168.5.0/255.255.255.0
+@@ -415,14 +402,14 @@ rekey-method = ssl
+ # STATS_BYTES_OUT, STATS_DURATION that contain a 64-bit counter of the bytes
+ # output from the tun device, and the duration of the session in seconds.
+ 
+-#connect-script = /usr/bin/myscript
+-#disconnect-script = /usr/bin/myscript
+#connect-script = %%PREFIX%%/bin/myscript
+#disconnect-script = %%PREFIX%%/bin/myscript
+ 
+ # This script is to be called when the client's advertised hostname becomes
+ # available. It will contain REASON with "host-update" value and the
+ # variable REMOTE_HOSTNAME in addition to the connect variables.
+ 
+-#host-update-script = /usr/bin/myhostnamescript
+#host-update-script = %%PREFIX%%/bin/myhostnamescript
+ 
+ # UTMP
+ # Register the connected clients to utmp. This will allow viewing
+@@ -563,15 +550,15 @@ no-route = 192.168.5.0/255.255.255.0
 # Note the that following two firewalling options currently are available
 # in Linux systems with iptables software.
 
-# If set, the script /usr/bin/ocserv-fw will be called to restrict
-+# If set, the script %%PREFIX%%/bin/ocserv-fw will be called to restrict
+-# If set, the script /usr/libexec/ocserv-fw will be called to restrict
+# If set, the script %%PREFIX%%/libexec/ocserv-fw will be called to restrict
 # the user to its allowed routes and prevent him from accessing
 # any other routes. In case of defaultroute, the no-routes are restricted.
-# All the routes applied by ocserv can be reverted using /usr/bin/ocserv-fw
-+# All the routes applied by ocserv can be reverted using %%PREFIX%%/bin/ocserv-fw
+-# All the routes applied by ocserv can be reverted using /usr/libexec/ocserv-fw
+# All the routes applied by ocserv can be reverted using %%PREFIX%%/libexec/ocserv-fw
 # --removeall. This option can be set globally or in the per-user configuration.
 #restrict-user-to-routes = true
 
 # This option implies restrict-user-to-routes set to true. If set, the
-# script /usr/bin/ocserv-fw will be called to restrict the user to
-+# script %%PREFIX%%/bin/ocserv-fw will be called to restrict the user to
+-# script /usr/libexec/ocserv-fw will be called to restrict the user to
+# script %%PREFIX%%/libexec/ocserv-fw will be called to restrict the user to
 # access specific ports in the network. This option can be set globally
 # or in the per-user configuration.
 #restrict-user-to-ports = "tcp(443), tcp(80), udp(443), sctp(99), tcp(583), icmp(), icmpv6()"
-@@ -616,13 +606,13 @@ no-route = 192.168.5.0/255.255.255.0
+@@ -619,13 +606,13 @@ no-route = 192.168.5.0/255.255.255.0
 # hostname to override any proposed by the user. Note also, that, any
 # routes, no-routes, DNS or NBNS servers present will overwrite the global ones.
 
@ -167,21 +168,12 @@
 
 # The system command to use to setup a route. %{R} will be replaced with the
 # route/mask, %{RI} with the route in CIDR format, and %{D} with the (tun) device.
-@@ -644,7 +634,7 @@ no-route = 192.168.5.0/255.255.255.0
- # In MIT kerberos you'll need to add in realms:
- #   EXAMPLE.COM = {
- #     kdc = https://ocserv.example.com/KdcProxy
-#     http_anchors = FILE:/etc/ocserv-ca.pem
-+#     http_anchors = FILE:%%ETCDIR%%/ocserv-ca.pem
- #   }
- # In some distributions the krb5-k5tls plugin of kinit is required.
- #
-@@ -747,13 +737,13 @@ camouflage_realm = "Restricted Content"
+@@ -750,13 +737,13 @@ camouflage_realm = "Restricted Content"
 [vhost:www.example.com]
 auth = "certificate"
 
 -ca-cert = ../tests/certs/ca.pem
-+ca-cert = %%ETCDIR%%/ca.pem
+ca-cert = %%ETCDIR%%/www.example.com-ca.pem
 
 # The certificate set here must include a 'dns_name' corresponding to
 # the virtual host name.
--- a/net/ocserv/files/patch-src_ip-util.h
+++ b/net/ocserv/files/patch-src_ip-util.h
@ -1,10 +1,10 @@
--- src/ip-util.h.orig	2023-08-15 11:26:31.522070000 +0300
-+++ src/ip-util.h	2023-08-15 11:28:31.360118000 +0300
+--- src/ip-util.h.orig	2023-12-16 05:18:58 UTC
+++ src/ip-util.h
@@ -24,6 +24,7 @@
 
 #include <sys/socket.h>
 #include <netinet/in.h>
 +#include <sys/types.h>
 
- #define MAX_IP_STR 46
 // Lower MTU bound is the value defined in RFC 791
+ #define RFC_791_MTU (68)
--- a/net/ocserv/files/patch-src_main-ban.c
+++ b/net/ocserv/files/patch-src_main-ban.c
@ -1,6 +1,6 @@
--- src/main-ban.c.orig	2023-01-29 14:09:45 UTC
+--- src/main-ban.c.orig	2023-12-17 10:19:23 UTC
 +++ src/main-ban.c
-@@ -408,8 +408,8 @@ static bool test_local_ipv6(struct sockaddr_in6 * remo
+@@ -407,8 +407,8 @@ static bool test_local_ipv6(struct sockaddr_in6 * remo
 	unsigned index = 0;
 
 	for (index = 0; index < 4; index ++) {
--- a/net/ocserv/files/patch-src_main-user.c
+++ b/net/ocserv/files/patch-src_main-user.c
@ -0,0 +1,11 @@
+--- src/main-user.c.orig	2023-12-27 19:54:08 UTC
+++ src/main-user.c
+@@ -47,7 +47,7 @@
+ #include <script-list.h>
+ #include <ccan/list/list.h>
+ 
+-#define OCSERV_FW_SCRIPT "/usr/libexec/ocserv-fw"
+#define OCSERV_FW_SCRIPT "%%PREFIX%%/libexec/ocserv-fw"
+ 
+ #define APPEND_TO_STR(str, val) \
+ 	do { \
--- a/net/ocserv/files/patch-src_occtl_occtl.c
+++ b/net/ocserv/files/patch-src_occtl_occtl.c
@ -1,6 +1,6 @@
--- src/occtl/occtl.c.orig	2023-06-16 17:01:03 UTC
+--- src/occtl/occtl.c.orig	2023-12-17 10:19:23 UTC
 +++ src/occtl/occtl.c
-@@ -257,7 +257,7 @@ static int handle_help_cmd(CONN_TYPE * conn, const cha
+@@ -260,7 +260,7 @@ static int handle_help_cmd(CONN_TYPE * conn, const cha
 static int handle_reset_cmd(CONN_TYPE * conn, const char *arg, cmd_params_st *params)
 {
 	rl_reset_terminal(NULL);
--- a/net/ocserv/pkg-plist
+++ b/net/ocserv/pkg-plist
@ -1,6 +1,6 @@
 bin/occtl
 bin/ocpasswd
-bin/ocserv-fw
+libexec/ocserv-fw
 man/man8/occtl.8.gz
 man/man8/ocpasswd.8.gz
 man/man8/ocserv.8.gz