kpriv/freebsd-ports
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

net/ocserv: Update to 1.2.3

Browse source 
Release notes: https://gitlab.com/openconnect/ocserv/-/releases/1.2.3
This commit is contained in:
Juraj Lutter 2023-12-27 20:08:56 +01:00
parent a0bd62090d
commit 7f0a801fe7
9 changed files with 66 additions and 64 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

9
net/ocserv/Makefile
View file

@ -1,5 +1,5 @@
PORTNAME= ocserv PORTNAME= ocserv
DISTVERSION= 1.2.2 DISTVERSION= 1.2.3
CATEGORIES= net net-vpn security CATEGORIES= net net-vpn security
MASTER_SITES= https://www.infradead.org/ocserv/download/ MASTER_SITES= https://www.infradead.org/ocserv/download/
@ -56,15 +56,14 @@ RADIUS_CONFIGURE_OFF= --without-radius
.include <bsd.port.pre.mk> .include <bsd.port.pre.mk>
post-patch: post-patch:
${REINPLACE_CMD} 's|/usr/bin/ocserv-fw|${PREFIX}/bin/ocserv-fw|g' \ ${REINPLACE_CMD} 's|/usr/bin/ocserv\\-fw|${PREFIX}/libexec/ocserv\\-fw|g' \
${WRKSRC}/src/main-user.c
${REINPLACE_CMD} 's|/usr/bin/ocserv\\-fw|${PREFIX}/bin/ocserv\\-fw|g' \
${WRKSRC}/doc/ocserv.8 ${WRKSRC}/doc/ocserv.8
${REINPLACE_CMD} -e 's|%%PREFIX%%|${PREFIX}|g' \ ${REINPLACE_CMD} -e 's|%%PREFIX%%|${PREFIX}|g' \
-e 's|%%ETCDIR%%|${ETCDIR}|g' \ -e 's|%%ETCDIR%%|${ETCDIR}|g' \
-e 's|%%USERS%%|${USERS}|g' \ -e 's|%%USERS%%|${USERS}|g' \
-e 's|%%GROUPS%%|${GROUPS}|g' \ -e 's|%%GROUPS%%|${GROUPS}|g' \
${WRKSRC}/doc/sample.config ${WRKSRC}/doc/sample.config \
${WRKSRC}/src/main-user.c
.if "${PREFIX}" != "" && "${PREFIX}" != "/" && "${PREFIX}" != "/usr" .if "${PREFIX}" != "" && "${PREFIX}" != "/" && "${PREFIX}" != "/usr"
${REINPLACE_CMD} -E 's|^(#define DEFAULT_CFG_FILE ")(/etc/ocserv/ocserv.conf")|\1${PREFIX}\2|' ${WRKSRC}/src/config.c ${REINPLACE_CMD} -E 's|^(#define DEFAULT_CFG_FILE ")(/etc/ocserv/ocserv.conf")|\1${PREFIX}\2|' ${WRKSRC}/src/config.c
${REINPLACE_CMD} -E 's|^(#define DEFAULT_OCPASSWD ")(/etc/ocserv/ocpasswd")|\1${PREFIX}\2|' ${WRKSRC}/src/ocpasswd/ocpasswd.c ${REINPLACE_CMD} -E 's|^(#define DEFAULT_OCPASSWD ")(/etc/ocserv/ocpasswd")|\1${PREFIX}\2|' ${WRKSRC}/src/ocpasswd/ocpasswd.c

6
net/ocserv/distinfo
View file

@ -1,3 +1,3 @@
TIMESTAMP = 1699481326 TIMESTAMP = 1703628457
SHA256 (ocserv-1.2.2.tar.xz) = 6e3c7a2ee9e9b4d3621de66e155fd99eb02c0134b9f42cfbc86d3979e485c719 SHA256 (ocserv-1.2.3.tar.xz) = 06ce0fcb59a8b33b8d65d6e551de2b5ef77b7ea641b87caa654a5ee9c49f1bbf
SIZE (ocserv-1.2.2.tar.xz) = 751548 SIZE (ocserv-1.2.3.tar.xz) = 757484

4
net/ocserv/files/patch-configure.ac
View file

@ -1,4 +1,4 @@
--- configure.ac.orig 2023-07-11 12:47:23 UTC --- configure.ac.orig 2023-12-14 11:45:13 UTC
+++ configure.ac +++ configure.ac
@@ -16,7 +16,7 @@ AM_PROG_CC_C_O @@ -16,7 +16,7 @@ AM_PROG_CC_C_O
AC_PROG_SED AC_PROG_SED
@ -9,7 +9,7 @@
fi fi
AC_PATH_PROG(CTAGS, ctags, [:]) AC_PATH_PROG(CTAGS, ctags, [:])
@@ -223,7 +223,7 @@ if test "$test_for_geoip" = yes && test "$have_maxmind @@ -219,7 +219,7 @@ if test "$test_for_geoip" = yes && test "$have_maxmind
fi fi
have_readline=no have_readline=no

84
net/ocserv/files/patch-doc_sample.config
View file

@ -1,4 +1,4 @@
--- doc/sample.config.orig 2023-07-11 12:54:03 UTC --- doc/sample.config.orig 2023-12-17 10:19:23 UTC
+++ doc/sample.config +++ doc/sample.config
@@ -19,7 +19,7 @@ @@ -19,7 +19,7 @@
# This enabled PAM authentication of the user. The gid-min option is used # This enabled PAM authentication of the user. The gid-min option is used
@ -18,14 +18,12 @@
# The radius option requires specifying freeradius-client configuration # The radius option requires specifying freeradius-client configuration
# file. If the groupconfig option is set, then config-per-user/group will be overridden, # file. If the groupconfig option is set, then config-per-user/group will be overridden,
# and all configuration will be read from radius. That also includes the # and all configuration will be read from radius. That also includes the
@@ -47,10 +47,10 @@ @@ -48,9 +48,9 @@
#auth = "pam" #auth = "pam"
#auth = "pam[gid-min=1000]" #auth = "pam[gid-min=1000]"
-#auth = "plain[passwd=./sample.passwd,otp=./sample.otp]" #auth = "plain[passwd=./sample.passwd,otp=./sample.otp]"
-auth = "plain[passwd=./sample.passwd]" -auth = "plain[passwd=./sample.passwd]"
+#auth = "plain[passwd=%%ETCDIR%%/sample.passwd,otp=%%ETCDIR%%/sample.otp]" +auth = "plain[passwd=%%ETCDIR%%/sample.passwd,otp=%%ETCDIR%%/sample.otp]"
+auth = "plain[passwd=%%ETCDIR%%/sample.passwd]"
#auth = "certificate" #auth = "certificate"
-#auth = "radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true]" -#auth = "radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true]"
+#auth = "radius[config=%%PREFIX%%/etc/radiusclient/radiusclient.conf,groupconfig=true]" +#auth = "radius[config=%%PREFIX%%/etc/radiusclient/radiusclient.conf,groupconfig=true]"
@ -41,17 +39,6 @@
# Use listen-host to limit to specific IPs or to the IPs of a provided # Use listen-host to limit to specific IPs or to the IPs of a provided
# hostname. # hostname.
@@ -96,8 +96,8 @@ udp-port = 443
# The user the worker processes will be run as. This should be a dedicated
# unprivileged user (e.g., 'ocserv') and no other services should run as this
# user.
-run-as-user = nobody
-run-as-group = daemon
+run-as-user = %%USERS%%
+run-as-group = %%GROUPS%%
# socket file used for IPC with occtl. You only need to set that,
# if you use more than a single servers.
@@ -124,22 +124,20 @@ socket-file = /var/run/ocserv-socket @@ -124,22 +124,20 @@ socket-file = /var/run/ocserv-socket
# certificate renewal (they are checked and reloaded periodically; # certificate renewal (they are checked and reloaded periodically;
# a SIGHUP signal to main server will force reload). # a SIGHUP signal to main server will force reload).
@ -60,8 +47,8 @@
-#server-key = /etc/ocserv/server-key.pem -#server-key = /etc/ocserv/server-key.pem
-server-cert = ../tests/certs/server-cert.pem -server-cert = ../tests/certs/server-cert.pem
-server-key = ../tests/certs/server-key.pem -server-key = ../tests/certs/server-key.pem
++server-cert = %%ETCDIR%%/server-cert.pem +server-cert = %%ETCDIR%%/server-cert.pem
++server-key = %%ETCDIR%%/server-key.pem +server-key = %%ETCDIR%%/server-key.pem
# Diffie-Hellman parameters. Only needed if for old (pre 3.6.0 # Diffie-Hellman parameters. Only needed if for old (pre 3.6.0
# versions of GnuTLS for supporting DHE ciphersuites. # versions of GnuTLS for supporting DHE ciphersuites.
@ -91,13 +78,9 @@
# The number of sub-processes to use for the security module (authentication) # The number of sub-processes to use for the security module (authentication)
# processes. Typically this should not be set as the number of processes # processes. Typically this should not be set as the number of processes
@@ -171,17 +168,10 @@ ca-cert = ../tests/certs/ca.pem @@ -172,16 +169,6 @@ ca-cert = ../tests/certs/ca.pem
### operation. If the server key changes on reload, there may be connection
### failures during the reloading time. ### failures during the reloading time.
+# ocserv 1.1.1 on FreeBSD does not currently support process isolation,
+# because ocserv only supports Linux's seccomp system, but not capsicum(4).
+#isolate-workers = false
-# Whether to enable seccomp/Linux namespaces worker isolation. That restricts the number of -# Whether to enable seccomp/Linux namespaces worker isolation. That restricts the number of
-# system calls allowed to a worker process, in order to reduce damage from a -# system calls allowed to a worker process, in order to reduce damage from a
@ -112,7 +95,7 @@
# A banner to be displayed on clients after connection # A banner to be displayed on clients after connection
#banner = "Welcome" #banner = "Welcome"
@@ -262,7 +252,7 @@ try-mtu-discovery = false @@ -262,7 +249,7 @@ try-mtu-discovery = false
# You can update this response periodically using: # You can update this response periodically using:
# ocsptool --ask --load-cert=your_cert --load-issuer=your_ca --outfile response # ocsptool --ask --load-cert=your_cert --load-issuer=your_ca --outfile response
# Make sure that you replace the following file in an atomic way. # Make sure that you replace the following file in an atomic way.
@ -121,35 +104,53 @@
# The object identifier that will be used to read the user ID in the client # The object identifier that will be used to read the user ID in the client
# certificate. The object identifier should be part of the certificate's DN # certificate. The object identifier should be part of the certificate's DN
@@ -281,7 +271,7 @@ cert-user-oid = 0.9.2342.19200300.100.1.1 @@ -281,7 +268,7 @@ cert-user-oid = 0.9.2342.19200300.100.1.1
# See the manual to generate an empty CRL initially. The CRL will be reloaded # See the manual to generate an empty CRL initially. The CRL will be reloaded
# periodically when ocserv detects a change in the file. To force a reload use # periodically when ocserv detects a change in the file. To force a reload use
# SIGHUP. # SIGHUP.
-#crl = /etc/ocserv/crl.pem -#crl = /etc/ocserv/crl.pem
+#crl = %%ETCDIR%%/crl.pem +crl = %%ETCDIR%%/crl.pem
# Uncomment this to enable compression negotiation (LZS, LZ4). # Uncomment this to enable compression negotiation (LZS, LZ4).
#compression = true #compression = true
@@ -560,15 +550,15 @@ no-route = 192.168.5.0/255.255.255.0 @@ -415,14 +402,14 @@ rekey-method = ssl
# STATS_BYTES_OUT, STATS_DURATION that contain a 64-bit counter of the bytes
# output from the tun device, and the duration of the session in seconds.
-#connect-script = /usr/bin/myscript
-#disconnect-script = /usr/bin/myscript
+#connect-script = %%PREFIX%%/bin/myscript
+#disconnect-script = %%PREFIX%%/bin/myscript
# This script is to be called when the client's advertised hostname becomes
# available. It will contain REASON with "host-update" value and the
# variable REMOTE_HOSTNAME in addition to the connect variables.
-#host-update-script = /usr/bin/myhostnamescript
+#host-update-script = %%PREFIX%%/bin/myhostnamescript
# UTMP
# Register the connected clients to utmp. This will allow viewing
@@ -563,15 +550,15 @@ no-route = 192.168.5.0/255.255.255.0
# Note the that following two firewalling options currently are available # Note the that following two firewalling options currently are available
# in Linux systems with iptables software. # in Linux systems with iptables software.
-# If set, the script /usr/bin/ocserv-fw will be called to restrict -# If set, the script /usr/libexec/ocserv-fw will be called to restrict
+# If set, the script %%PREFIX%%/bin/ocserv-fw will be called to restrict +# If set, the script %%PREFIX%%/libexec/ocserv-fw will be called to restrict
# the user to its allowed routes and prevent him from accessing # the user to its allowed routes and prevent him from accessing
# any other routes. In case of defaultroute, the no-routes are restricted. # any other routes. In case of defaultroute, the no-routes are restricted.
-# All the routes applied by ocserv can be reverted using /usr/bin/ocserv-fw -# All the routes applied by ocserv can be reverted using /usr/libexec/ocserv-fw
+# All the routes applied by ocserv can be reverted using %%PREFIX%%/bin/ocserv-fw +# All the routes applied by ocserv can be reverted using %%PREFIX%%/libexec/ocserv-fw
# --removeall. This option can be set globally or in the per-user configuration. # --removeall. This option can be set globally or in the per-user configuration.
#restrict-user-to-routes = true #restrict-user-to-routes = true
# This option implies restrict-user-to-routes set to true. If set, the # This option implies restrict-user-to-routes set to true. If set, the
-# script /usr/bin/ocserv-fw will be called to restrict the user to -# script /usr/libexec/ocserv-fw will be called to restrict the user to
+# script %%PREFIX%%/bin/ocserv-fw will be called to restrict the user to +# script %%PREFIX%%/libexec/ocserv-fw will be called to restrict the user to
# access specific ports in the network. This option can be set globally # access specific ports in the network. This option can be set globally
# or in the per-user configuration. # or in the per-user configuration.
#restrict-user-to-ports = "tcp(443), tcp(80), udp(443), sctp(99), tcp(583), icmp(), icmpv6()" #restrict-user-to-ports = "tcp(443), tcp(80), udp(443), sctp(99), tcp(583), icmp(), icmpv6()"
@@ -616,13 +606,13 @@ no-route = 192.168.5.0/255.255.255.0 @@ -619,13 +606,13 @@ no-route = 192.168.5.0/255.255.255.0
# hostname to override any proposed by the user. Note also, that, any # hostname to override any proposed by the user. Note also, that, any
# routes, no-routes, DNS or NBNS servers present will overwrite the global ones. # routes, no-routes, DNS or NBNS servers present will overwrite the global ones.
@ -167,21 +168,12 @@
# The system command to use to setup a route. %{R} will be replaced with the # The system command to use to setup a route. %{R} will be replaced with the
# route/mask, %{RI} with the route in CIDR format, and %{D} with the (tun) device. # route/mask, %{RI} with the route in CIDR format, and %{D} with the (tun) device.
@@ -644,7 +634,7 @@ no-route = 192.168.5.0/255.255.255.0 @@ -750,13 +737,13 @@ camouflage_realm = "Restricted Content"
# In MIT kerberos you'll need to add in realms:
# EXAMPLE.COM = {
# kdc = https://ocserv.example.com/KdcProxy
-# http_anchors = FILE:/etc/ocserv-ca.pem
+# http_anchors = FILE:%%ETCDIR%%/ocserv-ca.pem
# }
# In some distributions the krb5-k5tls plugin of kinit is required.
#
@@ -747,13 +737,13 @@ camouflage_realm = "Restricted Content"
[vhost:www.example.com] [vhost:www.example.com]
auth = "certificate" auth = "certificate"
-ca-cert = ../tests/certs/ca.pem -ca-cert = ../tests/certs/ca.pem
+ca-cert = %%ETCDIR%%/ca.pem +ca-cert = %%ETCDIR%%/www.example.com-ca.pem
# The certificate set here must include a 'dns_name' corresponding to # The certificate set here must include a 'dns_name' corresponding to
# the virtual host name. # the virtual host name.

6
net/ocserv/files/patch-src_ip-util.h
View file

@ -1,10 +1,10 @@
--- src/ip-util.h.orig 2023-08-15 11:26:31.522070000 +0300 --- src/ip-util.h.orig 2023-12-16 05:18:58 UTC
+++ src/ip-util.h 2023-08-15 11:28:31.360118000 +0300 +++ src/ip-util.h
@@ -24,6 +24,7 @@ @@ -24,6 +24,7 @@
#include <sys/socket.h> #include <sys/socket.h>
#include <netinet/in.h> #include <netinet/in.h>
+#include <sys/types.h> +#include <sys/types.h>
#define MAX_IP_STR 46
// Lower MTU bound is the value defined in RFC 791 // Lower MTU bound is the value defined in RFC 791
#define RFC_791_MTU (68)

4
net/ocserv/files/patch-src_main-ban.c
View file

@ -1,6 +1,6 @@
--- src/main-ban.c.orig 2023-01-29 14:09:45 UTC --- src/main-ban.c.orig 2023-12-17 10:19:23 UTC
+++ src/main-ban.c +++ src/main-ban.c
@@ -408,8 +408,8 @@ static bool test_local_ipv6(struct sockaddr_in6 * remo @@ -407,8 +407,8 @@ static bool test_local_ipv6(struct sockaddr_in6 * remo
unsigned index = 0; unsigned index = 0;
for (index = 0; index < 4; index ++) { for (index = 0; index < 4; index ++) {

11
net/ocserv/files/patch-src_main-user.c Normal file
View file

@ -0,0 +1,11 @@
--- src/main-user.c.orig 2023-12-27 19:54:08 UTC
+++ src/main-user.c
@@ -47,7 +47,7 @@
#include <script-list.h>
#include <ccan/list/list.h>
-#define OCSERV_FW_SCRIPT "/usr/libexec/ocserv-fw"
+#define OCSERV_FW_SCRIPT "%%PREFIX%%/libexec/ocserv-fw"
#define APPEND_TO_STR(str, val) \
do { \

4
net/ocserv/files/patch-src_occtl_occtl.c
View file

@ -1,6 +1,6 @@
--- src/occtl/occtl.c.orig 2023-06-16 17:01:03 UTC --- src/occtl/occtl.c.orig 2023-12-17 10:19:23 UTC
+++ src/occtl/occtl.c +++ src/occtl/occtl.c
@@ -257,7 +257,7 @@ static int handle_help_cmd(CONN_TYPE * conn, const cha @@ -260,7 +260,7 @@ static int handle_help_cmd(CONN_TYPE * conn, const cha
static int handle_reset_cmd(CONN_TYPE * conn, const char *arg, cmd_params_st *params) static int handle_reset_cmd(CONN_TYPE * conn, const char *arg, cmd_params_st *params)
{ {
rl_reset_terminal(NULL); rl_reset_terminal(NULL);

2
net/ocserv/pkg-plist
View file

@ -1,6 +1,6 @@
bin/occtl bin/occtl
bin/ocpasswd bin/ocpasswd
bin/ocserv-fw libexec/ocserv-fw
man/man8/occtl.8.gz man/man8/occtl.8.gz
man/man8/ocpasswd.8.gz man/man8/ocpasswd.8.gz
man/man8/ocserv.8.gz man/man8/ocserv.8.gz