git: 7f0a801fe7c3 - main - net/ocserv: Update to 1.2.3
Date: Wed, 27 Dec 2023 20:31:05 UTC
The branch main has been updated by otis:
URL: https://cgit.FreeBSD.org/ports/commit/?id=7f0a801fe7c33d8ded65e5394daa861730bcf957
commit 7f0a801fe7c33d8ded65e5394daa861730bcf957
Author: Juraj Lutter <otis@FreeBSD.org>
AuthorDate: 2023-12-27 19:08:56 +0000
Commit: Juraj Lutter <otis@FreeBSD.org>
CommitDate: 2023-12-27 20:30:53 +0000

net/ocserv: Update to 1.2.3

Release notes: https://gitlab.com/openconnect/ocserv/-/releases/1.2.3
---
 net/ocserv/Makefile | 9 ++--
 net/ocserv/distinfo | 6 +--
 net/ocserv/files/patch-configure.ac | 4 +-
 net/ocserv/files/patch-doc_sample.config | 84 +++++++++++++++-----------------
 net/ocserv/files/patch-src_ip-util.h | 6 +--
 net/ocserv/files/patch-src_main-ban.c | 4 +-
 net/ocserv/files/patch-src_main-user.c | 11 +++++
 net/ocserv/files/patch-src_occtl_occtl.c | 4 +-
 net/ocserv/pkg-plist | 2 +-
 9 files changed, 66 insertions(+), 64 deletions(-)
diff --git a/net/ocserv/Makefile b/net/ocserv/Makefile
index 808a77c12cdb..f1477ea25cb6 100644
--- a/net/ocserv/Makefile
+++ b/net/ocserv/Makefile
@@ -1,5 +1,5 @@
 PORTNAME= ocserv
-DISTVERSION= 1.2.2
+DISTVERSION= 1.2.3
 CATEGORIES= net net-vpn security
 MASTER_SITES= https://www.infradead.org/ocserv/download/
@@ -56,15 +56,14 @@ RADIUS_CONFIGURE_OFF= --without-radius
 .include <bsd.port.pre.mk>
 
 post-patch:
- ${REINPLACE_CMD} 's|/usr/bin/ocserv-fw|${PREFIX}/bin/ocserv-fw|g' \
- ${WRKSRC}/src/main-user.c
- ${REINPLACE_CMD} 's|/usr/bin/ocserv\\-fw|${PREFIX}/bin/ocserv\\-fw|g' \
+ ${REINPLACE_CMD} 's|/usr/bin/ocserv\\-fw|${PREFIX}/libexec/ocserv\\-fw|g' \
 ${WRKSRC}/doc/ocserv.8
 ${REINPLACE_CMD} -e 's|%%PREFIX%%|${PREFIX}|g' \
 -e 's|%%ETCDIR%%|${ETCDIR}|g' \
 -e 's|%%USERS%%|${USERS}|g' \
 -e 's|%%GROUPS%%|${GROUPS}|g' \
- ${WRKSRC}/doc/sample.config
+ ${WRKSRC}/doc/sample.config \
+ ${WRKSRC}/src/main-user.c
 .if "${PREFIX}" != "" && "${PREFIX}" != "/" && "${PREFIX}" != "/usr"
 ${REINPLACE_CMD} -E 's|^(#define DEFAULT_CFG_FILE ")(/etc/ocserv/ocserv.conf")|\1${PREFIX}\2|' ${WRKSRC}/src/config.c
 ${REINPLACE_CMD} -E 's|^(#define DEFAULT_OCPASSWD ")(/etc/ocserv/ocpasswd")|\1${PREFIX}\2|' ${WRKSRC}/src/ocpasswd/ocpasswd.c
diff --git a/net/ocserv/distinfo b/net/ocserv/distinfo
index eef8583eb834..5efa9abfa72d 100644
--- a/net/ocserv/distinfo
+++ b/net/ocserv/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1699481326
-SHA256 (ocserv-1.2.2.tar.xz) = 6e3c7a2ee9e9b4d3621de66e155fd99eb02c0134b9f42cfbc86d3979e485c719
-SIZE (ocserv-1.2.2.tar.xz) = 751548
+TIMESTAMP = 1703628457
+SHA256 (ocserv-1.2.3.tar.xz) = 06ce0fcb59a8b33b8d65d6e551de2b5ef77b7ea641b87caa654a5ee9c49f1bbf
+SIZE (ocserv-1.2.3.tar.xz) = 757484
diff --git a/net/ocserv/files/patch-configure.ac b/net/ocserv/files/patch-configure.ac
index f06c82846f51..68267a953766 100644
--- a/net/ocserv/files/patch-configure.ac
+++ b/net/ocserv/files/patch-configure.ac
@@ -1,4 +1,4 @@
---- configure.ac.orig 2023-07-11 12:47:23 UTC
+--- configure.ac.orig 2023-12-14 11:45:13 UTC
 +++ configure.ac
 @@ -16,7 +16,7 @@ AM_PROG_CC_C_O
  AC_PROG_SED
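Review bot: The kept line `+ ${REINPLACE_CMD} 's|/usr/bin/ocserv\\-fw|${PREFIX}/libexec/ocserv\\-fw|g' \` still searches doc/ocserv.8 for the old `/usr/bin/ocserv\-fw` spelling, while the rest of this commit shows upstream 1.2.3 moved the helper to `/usr/libexec/ocserv-fw` (the `OCSERV_FW_SCRIPT` default replaced in patch-src_main-user.c, and the `/usr/libexec/ocserv-fw` comment lines now used as context in patch-doc_sample.config). If the man page was updated upstream the same way, this sed matches nothing and the installed manual keeps advertising `/usr/libexec/ocserv-fw` for a script the port installs under `${PREFIX}/libexec`. I would match the new location, `'s|/usr/libexec/ocserv\\-fw|${PREFIX}/libexec/ocserv\\-fw|g'`, and confirm in the build log that a substitution actually happened. The `%%PREFIX%%` pass added over src/main-user.c is what makes the daemon's helper path correct at all; its failure mode is raised on the patch-src_main-user.c hunk.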
@@ -9,7 +9,7 @@
  fi
  AC_PATH_PROG(CTAGS, ctags, [:])
  
-@@ -223,7 +223,7 @@ if test "$test_for_geoip" = yes && test "$have_maxmind
+@@ -219,7 +219,7 @@ if test "$test_for_geoip" = yes && test "$have_maxmind
  fi
  
  have_readline=no
diff --git a/net/ocserv/files/patch-doc_sample.config b/net/ocserv/files/patch-doc_sample.config
index b21233ad088d..4cb7151e403a 100644
--- a/net/ocserv/files/patch-doc_sample.config
+++ b/net/ocserv/files/patch-doc_sample.config
@@ -1,4 +1,4 @@
---- doc/sample.config.orig 2023-07-11 12:54:03 UTC
+--- doc/sample.config.orig 2023-12-17 10:19:23 UTC
 +++ doc/sample.config
 @@ -19,7 +19,7 @@
  # This enabled PAM authentication of the user. The gid-min option is used
@@ -18,14 +18,12 @@
  # The radius option requires specifying freeradius-client configuration
  # file. If the groupconfig option is set, then config-per-user/group will be overridden,
  # and all configuration will be read from radius. That also includes the
-@@ -47,10 +47,10 @@
- 
+@@ -48,9 +48,9 @@
  #auth = "pam"
  #auth = "pam[gid-min=1000]"
--#auth = "plain[passwd=./sample.passwd,otp=./sample.otp]"
+ #auth = "plain[passwd=./sample.passwd,otp=./sample.otp]"
 -auth = "plain[passwd=./sample.passwd]"
-+#auth = "plain[passwd=%%ETCDIR%%/sample.passwd,otp=%%ETCDIR%%/sample.otp]"
-+auth = "plain[passwd=%%ETCDIR%%/sample.passwd]"
++auth = "plain[passwd=%%ETCDIR%%/sample.passwd,otp=%%ETCDIR%%/sample.otp]"
  #auth = "certificate"
 -#auth = "radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true]"
 +#auth = "radius[config=%%PREFIX%%/etc/radiusclient/radiusclient.conf,groupconfig=true]"
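Review bot: `++auth = "plain[passwd=%%ETCDIR%%/sample.passwd,otp=%%ETCDIR%%/sample.otp]"` makes the OTP form the active line of the installed sample, whereas the previous patch (`-+auth = "plain[passwd=%%ETCDIR%%/sample.passwd]"`) and upstream's own default, whose `auth = "plain[passwd=./sample.passwd]"` this inner hunk still removes, enable password-only authentication and keep the otp variant commented out. Nothing in this commit installs a sample.otp in ETCDIR, so as far as the diff shows a configuration copied from the sample now points at a second-factor file that does not exist, and an operator gets OTP enabled without having chosen it. I would keep the active line password-only, `++auth = "plain[passwd=%%ETCDIR%%/sample.passwd]"`, and point the commented otp example at ETCDIR as the previous patch did; if OTP-by-default is intended, the commit message should say so.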
@@ -41,17 +39,6 @@
  # Use listen-host to limit to specific IPs or to the IPs of a provided
  # hostname.
  
-@@ -96,8 +96,8 @@ udp-port = 443
- # The user the worker processes will be run as. This should be a dedicated
- # unprivileged user (e.g., 'ocserv') and no other services should run as this
- # user.
--run-as-user = nobody
--run-as-group = daemon
-+run-as-user = %%USERS%%
-+run-as-group = %%GROUPS%%
- 
- # socket file used for IPC with occtl. You only need to set that,
- # if you use more than a single servers.
 @@ -124,22 +124,20 @@ socket-file = /var/run/ocserv-socket
  # certificate renewal (they are checked and reloaded periodically;
  # a SIGHUP signal to main server will force reload).
@@ -60,8 +47,8 @@
 -#server-key = /etc/ocserv/server-key.pem
 -server-cert = ../tests/certs/server-cert.pem
 -server-key = ../tests/certs/server-key.pem
-++server-cert = %%ETCDIR%%/server-cert.pem
-++server-key = %%ETCDIR%%/server-key.pem
++server-cert = %%ETCDIR%%/server-cert.pem
++server-key = %%ETCDIR%%/server-key.pem
  
  # Diffie-Hellman parameters. Only needed if for old (pre 3.6.0
  # versions of GnuTLS for supporting DHE ciphersuites.
@@ -91,13 +78,9 @@
  # The number of sub-processes to use for the security module (authentication)
  # processes. Typically this should not be set as the number of processes
  
-@@ -171,17 +168,10 @@ ca-cert = ../tests/certs/ca.pem
- ### operation. If the server key changes on reload, there may be connection
+@@ -172,16 +169,6 @@ ca-cert = ../tests/certs/ca.pem
  ### failures during the reloading time.
  
-+# ocserv 1.1.1 on FreeBSD does not currently support process isolation,
-+# because ocserv only supports Linux's seccomp system, but not capsicum(4).
-+#isolate-workers = false
  
 -# Whether to enable seccomp/Linux namespaces worker isolation. That restricts the number of
 -# system calls allowed to a worker process, in order to reduce damage from a
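Review bot: The inner hunk that rewrote `run-as-user = nobody` / `run-as-group = daemon` to `%%USERS%%` / `%%GROUPS%%` is removed wholesale (`-@@ -96,8 +96,8 @@ udp-port = 443` through `- # if you use more than a single servers.`) and nothing in the new patch re-adds it, yet the Makefile hunk keeps the `%%USERS%%`/`%%GROUPS%%` REINPLACE for sample.config. Unless upstream 1.2.3's sample already names a dedicated account, the installed sample now starts workers as nobody/daemon, which the deleted context lines themselves warn against ("This should be a dedicated unprivileged user"), and the USERS/GROUPS account the port defines goes unused by the default configuration. Please check the 1.2.3 sample.config; if the drop was accidental, re-add the pair at its new offset, `+run-as-user = %%USERS%%` and `+run-as-group = %%GROUPS%%`, in place of upstream's values.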
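Review bot: The `-+# ocserv 1.1.1 on FreeBSD does not currently support process isolation` note and its `-+#isolate-workers = false` line are dropped, while the inner patch still strips upstream's description of worker isolation (the ` -# Whether to enable seccomp/Linux namespaces worker isolation...` context lines), so the installed sample will mention neither the option nor its status on FreeBSD. If isolation is still Linux/seccomp-only in 1.2.3, a single replacement line such as `+# isolate-workers relies on Linux seccomp and has no effect on FreeBSD.` keeps operators from assuming a sandbox that is not applied; if 1.2.3 gained FreeBSD support, saying so in the commit message would explain the removal.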
@@ -112,7 +95,7 @@
  # A banner to be displayed on clients after connection
  #banner = "Welcome"
  
-@@ -262,7 +252,7 @@ try-mtu-discovery = false
+@@ -262,7 +249,7 @@ try-mtu-discovery = false
  # You can update this response periodically using:
  # ocsptool --ask --load-cert=your_cert --load-issuer=your_ca --outfile response
  # Make sure that you replace the following file in an atomic way.
@@ -121,35 +104,53 @@
  # The object identifier that will be used to read the user ID in the client
  # certificate. The object identifier should be part of the certificate's DN
  
-@@ -281,7 +271,7 @@ cert-user-oid = 0.9.2342.19200300.100.1.1
+@@ -281,7 +268,7 @@ cert-user-oid = 0.9.2342.19200300.100.1.1
  # See the manual to generate an empty CRL initially. The CRL will be reloaded
  # periodically when ocserv detects a change in the file. To force a reload use
  # SIGHUP.
 -#crl = /etc/ocserv/crl.pem
-+#crl = %%ETCDIR%%/crl.pem
++crl = %%ETCDIR%%/crl.pem
  
  # Uncomment this to enable compression negotiation (LZS, LZ4).
  #compression = true
-@@ -560,15 +550,15 @@ no-route = 192.168.5.0/255.255.255.0
+@@ -415,14 +402,14 @@ rekey-method = ssl
+ # STATS_BYTES_OUT, STATS_DURATION that contain a 64-bit counter of the bytes
+ # output from the tun device, and the duration of the session in seconds.
+ 
+-#connect-script = /usr/bin/myscript
+-#disconnect-script = /usr/bin/myscript
++#connect-script = %%PREFIX%%/bin/myscript
++#disconnect-script = %%PREFIX%%/bin/myscript
+ 
+ # This script is to be called when the client's advertised hostname becomes
+ # available. It will contain REASON with "host-update" value and the
+ # variable REMOTE_HOSTNAME in addition to the connect variables.
+ 
+-#host-update-script = /usr/bin/myhostnamescript
++#host-update-script = %%PREFIX%%/bin/myhostnamescript
+ 
+ # UTMP
+ # Register the connected clients to utmp. This will allow viewing
+@@ -563,15 +550,15 @@ no-route = 192.168.5.0/255.255.255.0
  # Note the that following two firewalling options currently are available
  # in Linux systems with iptables software.
  
--# If set, the script /usr/bin/ocserv-fw will be called to restrict
-+# If set, the script %%PREFIX%%/bin/ocserv-fw will be called to restrict
+-# If set, the script /usr/libexec/ocserv-fw will be called to restrict
++# If set, the script %%PREFIX%%/libexec/ocserv-fw will be called to restrict
  # the user to its allowed routes and prevent him from accessing
  # any other routes. In case of defaultroute, the no-routes are restricted.
--# All the routes applied by ocserv can be reverted using /usr/bin/ocserv-fw
-+# All the routes applied by ocserv can be reverted using %%PREFIX%%/bin/ocserv-fw
+-# All the routes applied by ocserv can be reverted using /usr/libexec/ocserv-fw
++# All the routes applied by ocserv can be reverted using %%PREFIX%%/libexec/ocserv-fw
  # --removeall. This option can be set globally or in the per-user configuration.
  #restrict-user-to-routes = true
  
  # This option implies restrict-user-to-routes set to true. If set, the
--# script /usr/bin/ocserv-fw will be called to restrict the user to
-+# script %%PREFIX%%/bin/ocserv-fw will be called to restrict the user to
+-# script /usr/libexec/ocserv-fw will be called to restrict the user to
++# script %%PREFIX%%/libexec/ocserv-fw will be called to restrict the user to
  # access specific ports in the network. This option can be set globally
  # or in the per-user configuration.
  #restrict-user-to-ports = "tcp(443), tcp(80), udp(443), sctp(99), tcp(583), icmp(), icmpv6()"
-@@ -616,13 +606,13 @@ no-route = 192.168.5.0/255.255.255.0
+@@ -619,13 +606,13 @@ no-route = 192.168.5.0/255.255.255.0
  # hostname to override any proposed by the user. Note also, that, any
  # routes, no-routes, DNS or NBNS servers present will overwrite the global ones.
  
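Review bot: `++crl = %%ETCDIR%%/crl.pem` activates the CRL setting in the shipped sample, where the previous patch (`-+#crl = %%ETCDIR%%/crl.pem`) only relocated upstream's commented-out `#crl = /etc/ocserv/crl.pem`. Enforcing revocation is the right default for certificate auth, but nothing in this commit installs a crl.pem, so a configuration copied from the sample now depends on the operator first generating the empty CRL that the context comment above refers to, and that new requirement is not mentioned in the commit message. Either keep the line commented as upstream does, `++#crl = %%ETCDIR%%/crl.pem`, or state in the commit message that ETCDIR/crl.pem must now exist before the sample configuration starts.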
@@ -167,21 +168,12 @@
  # The system command to use to setup a route. %{R} will be replaced with the
  # route/mask, %{RI} with the route in CIDR format, and %{D} with the (tun) device.
  
-@@ -644,7 +634,7 @@ no-route = 192.168.5.0/255.255.255.0
- # In MIT kerberos you'll need to add in realms:
- # EXAMPLE.COM = {
- # kdc = https://ocserv.example.com/KdcProxy
--# http_anchors = FILE:/etc/ocserv-ca.pem
-+# http_anchors = FILE:%%ETCDIR%%/ocserv-ca.pem
- # }
- # In some distributions the krb5-k5tls plugin of kinit is required.
- #
-@@ -747,13 +737,13 @@ camouflage_realm = "Restricted Content"
+@@ -750,13 +737,13 @@ camouflage_realm = "Restricted Content"
  
  [vhost:www.example.com]
  auth = "certificate"
 -ca-cert = ../tests/certs/ca.pem
-+ca-cert = %%ETCDIR%%/ca.pem
++ca-cert = %%ETCDIR%%/www.example.com-ca.pem
  
  # The certificate set here must include a 'dns_name' corresponding to
  # the virtual host name.
diff --git a/net/ocserv/files/patch-src_ip-util.h b/net/ocserv/files/patch-src_ip-util.h
index ac62f740dc65..dfd23017f08b 100644
--- a/net/ocserv/files/patch-src_ip-util.h
+++ b/net/ocserv/files/patch-src_ip-util.h
@@ -1,10 +1,10 @@
---- src/ip-util.h.orig 2023-08-15 11:26:31.522070000 +0300
-+++ src/ip-util.h 2023-08-15 11:28:31.360118000 +0300
+--- src/ip-util.h.orig 2023-12-16 05:18:58 UTC
++++ src/ip-util.h
 @@ -24,6 +24,7 @@
  #include <sys/socket.h>
  #include <netinet/in.h>
 +#include <sys/types.h>
  
- #define MAX_IP_STR 46
  // Lower MTU bound is the value defined in RFC 791
+ #define RFC_791_MTU (68)
diff --git a/net/ocserv/files/patch-src_main-ban.c b/net/ocserv/files/patch-src_main-ban.c
index 86483cf2e9f7..59e7229084ff 100644
--- a/net/ocserv/files/patch-src_main-ban.c
+++ b/net/ocserv/files/patch-src_main-ban.c
@@ -1,6 +1,6 @@
---- src/main-ban.c.orig 2023-01-29 14:09:45 UTC
+--- src/main-ban.c.orig 2023-12-17 10:19:23 UTC
 +++ src/main-ban.c
-@@ -408,8 +408,8 @@ static bool test_local_ipv6(struct sockaddr_in6 * remo
+@@ -407,8 +407,8 @@ static bool test_local_ipv6(struct sockaddr_in6 * remo
  unsigned index = 0;
  
  for (index = 0; index < 4; index ++) {
diff --git a/net/ocserv/files/patch-src_main-user.c b/net/ocserv/files/patch-src_main-user.c
new file mode 100644
index 000000000000..611524eee4c0
--- /dev/null
+++ b/net/ocserv/files/patch-src_main-user.c
@@ -0,0 +1,11 @@
+--- src/main-user.c.orig 2023-12-27 19:54:08 UTC
++++ src/main-user.c
+@@ -47,7 +47,7 @@
+ #include <script-list.h>
+ #include <ccan/list/list.h>
+ 
+-#define OCSERV_FW_SCRIPT "/usr/libexec/ocserv-fw"
++#define OCSERV_FW_SCRIPT "%%PREFIX%%/libexec/ocserv-fw"
+ 
+ #define APPEND_TO_STR(str, val) \
+ do { \
diff --git a/net/ocserv/files/patch-src_occtl_occtl.c b/net/ocserv/files/patch-src_occtl_occtl.c
index b7c73f0d305b..e40bd9f8d9d7 100644
--- a/net/ocserv/files/patch-src_occtl_occtl.c
+++ b/net/ocserv/files/patch-src_occtl_occtl.c
@@ -1,6 +1,6 @@
---- src/occtl/occtl.c.orig 2023-06-16 17:01:03 UTC
+--- src/occtl/occtl.c.orig 2023-12-17 10:19:23 UTC
 +++ src/occtl/occtl.c
-@@ -257,7 +257,7 @@ static int handle_help_cmd(CONN_TYPE * conn, const cha
+@@ -260,7 +260,7 @@ static int handle_help_cmd(CONN_TYPE * conn, const cha
  static int handle_reset_cmd(CONN_TYPE * conn, const char *arg, cmd_params_st *params)
  {
  rl_reset_terminal(NULL);
diff --git a/net/ocserv/pkg-plist b/net/ocserv/pkg-plist
index 8d684679a078..2ffb05c47a27 100644
--- a/net/ocserv/pkg-plist
+++ b/net/ocserv/pkg-plist
@@ -1,6 +1,6 @@
 bin/occtl
 bin/ocpasswd
-bin/ocserv-fw
+libexec/ocserv-fw
 man/man8/occtl.8.gz
 man/man8/ocpasswd.8.gz
 man/man8/ocserv.8.gz
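Review bot: `++#define OCSERV_FW_SCRIPT "%%PREFIX%%/libexec/ocserv-fw"` is only a usable path after the Makefile's post-patch `%%PREFIX%%` REINPLACE has run over src/main-user.c; if that pass ever misses (the pattern no longer matching, or the define moving to another file in a later release), the literal survives as a relative path and OCSERV_FW_SCRIPT — which, judging by its name and the `/usr/libexec/ocserv-fw` default it replaces, is the firewall helper the daemon executes — would be looked up relative to the process's working directory. Nothing checks that the substitution happened. I would make the build fail on a leftover placeholder, e.g. after the REINPLACE in post-patch: `@if ${GREP} -q '%%PREFIX%%' ${WRKSRC}/src/main-user.c; then ${ECHO_MSG} "unsubstituted %%PREFIX%% in main-user.c"; exit 1; fi`; passing the path through CPPFLAGS instead of patching the define would remove the problem altogether. How main-user.c uses the define is outside this patch, so I cannot tell whether an absolute-path check exists downstream.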