Index: net/ocserv/Makefile =================================================================== --- net/ocserv/Makefile +++ net/ocserv/Makefile @@ -2,12 +2,11 @@ # $FreeBSD$ PORTNAME= ocserv -PORTVERSION= 1.1.1 -PORTREVISION= 1 +PORTVERSION= 1.1.2 CATEGORIES= net net-vpn security MASTER_SITES= ftp://ftp.infradead.org/pub/ocserv/ -MAINTAINER= ports@FreeBSD.org +MAINTAINER= otis@FreeBSD.org COMMENT= Server implementing the AnyConnect SSL VPN protocol LICENSE= GPLv2+ @@ -65,8 +64,12 @@ ${WRKSRC}/src/main-user.c ${REINPLACE_CMD} 's|/usr/bin/ocserv\\-fw|${PREFIX}/bin/ocserv\\-fw|g' \ ${WRKSRC}/doc/ocserv.8 + ${REINPLACE_CMD} -e 's|%%PREFIX%%|${PREFIX}|g' \ + -e 's|%%ETCDIR%%|${ETCDIR}|g' \ + ${WRKSRC}/doc/sample.config .if "${PREFIX}" != "" && "${PREFIX}" != "/" && "${PREFIX}" != "/usr" ${REINPLACE_CMD} -E 's|^(#define DEFAULT_CFG_FILE ")(/etc/ocserv/ocserv.conf")|\1${PREFIX}\2|' ${WRKSRC}/src/config.c + ${REINPLACE_CMD} -E 's|^(#define DEFAULT_OCPASSWD ")(/etc/ocserv/ocpasswd")|\1${PREFIX}\2|' ${WRKSRC}/src/ocpasswd/ocpasswd.c .endif post-install: Index: net/ocserv/distinfo =================================================================== --- net/ocserv/distinfo +++ net/ocserv/distinfo @@ -1,3 +1,3 @@ -TIMESTAMP = 1602242932 -SHA256 (ocserv-1.1.1.tar.xz) = 9c7aaf46e53e28cfa7be329b18f3951e7e851153ff6a27e946496fd4e8e5765a -SIZE (ocserv-1.1.1.tar.xz) = 818988 +TIMESTAMP = 1611572802 +SHA256 (ocserv-1.1.2.tar.xz) = 889ccdbe8e67d3bc2bc8713b7fbb5bd4e79228abc6054e88858cb4ad6d0245dd +SIZE (ocserv-1.1.2.tar.xz) = 824924 Index: net/ocserv/files/patch-doc_sample.config =================================================================== --- net/ocserv/files/patch-doc_sample.config +++ net/ocserv/files/patch-doc_sample.config @@ -1,15 +1,42 @@ ---- doc/sample.config.orig 2020-09-20 19:49:01 UTC +--- doc/sample.config.orig 2020-12-03 22:31:10 UTC +++ doc/sample.config 
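Review bot: The new `DEFAULT_OCPASSWD` rewrite, like the `DEFAULT_CFG_FILE` one above it, bakes `${PREFIX}/etc/ocserv/...` into the binaries, while the `doc/sample.config` substitution added in the same hunk uses `${ETCDIR}`; the two agree only while ETCDIR keeps its default of `${PREFIX}/etc/ocserv`, so a build that overrides ETCDIR ships a config and an `ocpasswd` default that point at different files. Substituting `${ETCDIR}` in the C rewrites as well keeps them in step, e.g. `'s|^(#define DEFAULT_OCPASSWD ")/etc/ocserv/(ocpasswd")|\1${ETCDIR}/\2|'`. Both `REINPLACE_CMD` patterns are also anchored to the exact upstream `#define` text, so if a later release changes that line the sed silently matches nothing and the installed binary falls back to `/etc/ocserv` without any build error; a post-patch check that fails when the upstream path is still present would surface that.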
@@ -19,7 +19,7 @@ # This enabled PAM authentication of the user. The gid-min option is used # by auto-select-group option, in order to select the minimum valid group ID. # -# plain[passwd=/etc/ocserv/ocpasswd,otp=/etc/ocserv/users.otp] -+# plain[passwd=/usr/local/etc/ocserv/ocpasswd,otp=/etc/ocserv/users.otp] ++# plain[passwd=%%ETCDIR%%/ocpasswd,otp=%%ETCDIR%%/users.otp] # The plain option requires specifying a password file which contains # entries of the following format. # "username:groupname1,groupname2:encoded-password" -@@ -110,8 +110,8 @@ udp-port = 443 +@@ -28,7 +28,7 @@ + # an oath password file to be used for one time passwords; the format of + # the file is described in https://github.com/archiecobbs/mod-authn-otp/wiki/UsersFile + # +-# radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true,nas-identifier=name]: ++# radius[config=%%PREFIX%%/etc/radiusclient/radiusclient.conf,groupconfig=true,nas-identifier=name]: + # The radius option requires specifying freeradius-client configuration + # file. If the groupconfig option is set, then config-per-user/group will be overridden, + # and all configuration will be read from radius. That also includes the +@@ -50,7 +50,7 @@ + #auth = "plain[passwd=./sample.passwd,otp=./sample.otp]" + auth = "plain[passwd=./sample.passwd]" + #auth = "certificate" +-#auth = "radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true]" ++#auth = "radius[config=%%PREFIX%%/etc/radiusclient/radiusclient.conf,groupconfig=true]" + + # Specify alternative authentication methods that are sufficient + # for authentication. That is, if set, any of the methods enabled +@@ -71,7 +71,7 @@ auth = "plain[passwd=./sample.passwd]" + # PAM. + # + # Only one accounting method can be specified. +-#acct = "radius[config=/etc/radiusclient/radiusclient.conf]" ++#acct = "radius[config=%%PREFIX%%/etc/radiusclient/radiusclient.conf]" + + # Use listen-host to limit to specific IPs or to the IPs of a provided + # hostname. 
+@@ -96,8 +96,8 @@ udp-port = 443 # The user the worker processes will be run as. This should be a dedicated # unprivileged user (e.g., 'ocserv') and no other services should run as this # user. 
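Review bot: The active `auth = "plain[passwd=./sample.passwd]"` line in the `@@ -50,7` context is left as a relative path while the commented examples around it are moved to `%%ETCDIR%%/ocpasswd`; if this file is what the port installs as the sample configuration, the default as shipped resolves the password file against ocserv's working directory rather than against `%%ETCDIR%%`. Since the Makefile now substitutes `%%ETCDIR%%` in this file anyway, the same placeholder could carry the active line, e.g. `auth = "plain[passwd=%%ETCDIR%%/ocpasswd]"`, which also matches the `DEFAULT_OCPASSWD` value the Makefile patches into `ocpasswd.c`. Whether the sample is installed verbatim or only shipped as documentation is not visible in this diff.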
@@ -20,7 +47,46 @@ # socket file used for IPC with occtl. You only need to set that, # if you use more than a single servers. -@@ -180,15 +180,9 @@ ca-cert = ../tests/certs/ca.pem +@@ -124,22 +124,20 @@ socket-file = /var/run/ocserv-socket + # certificate renewal (they are checked and reloaded periodically; + # a SIGHUP signal to main server will force reload). + +-#server-cert = /etc/ocserv/server-cert.pem +-#server-key = /etc/ocserv/server-key.pem +-server-cert = ../tests/certs/server-cert.pem +-server-key = ../tests/certs/server-key.pem ++server-cert = %%ETCDIR%%/server-cert.pem ++server-key = %%ETCDIR%%/server-key.pem + + # Diffie-Hellman parameters. Only needed if for old (pre 3.6.0 + # versions of GnuTLS for supporting DHE ciphersuites. + # Can be generated using: +-# certtool --generate-dh-params --outfile /etc/ocserv/dh.pem +-#dh-params = /etc/ocserv/dh.pem ++# certtool --generate-dh-params --outfile %%ETCDIR%%/dh.pem ++#dh-params = %%ETCDIR%%/dh.pem + + # In case PKCS #11, TPM or encrypted keys are used the PINs should be available + # in files. The srk-pin-file is applicable to TPM keys only, and is the + # storage root key. +-#pin-file = /etc/ocserv/pin.txt +-#srk-pin-file = /etc/ocserv/srkpin.txt ++#pin-file = %%ETCDIR%%/pin.txt ++#srk-pin-file = %%ETCDIR%%/srkpin.txt + + # The password or PIN needed to unlock the key in server-key file. + # Only needed if the file is encrypted or a PKCS #11 object. This +@@ -153,8 +151,7 @@ server-key = ../tests/certs/server-key.pem + # The Certificate Authority that will be used to verify + # client certificates (public keys) if certificate authentication + # is set. +-#ca-cert = /etc/ocserv/ca.pem +-ca-cert = ../tests/certs/ca.pem ++ca-cert = %%ETCDIR%%/ca.pem + + + ### All configuration options below this line are reloaded on a SIGHUP. +@@ -166,15 +163,9 @@ ca-cert = ../tests/certs/ca.pem ### failures during the reloading time. 
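Review bot: `server-cert`, `server-key` and `ca-cert` are now active settings pointing at `%%ETCDIR%%` files instead of the upstream test certificates, which is the right default for an installed configuration, but the server then refuses to start until those files exist and nothing in this hunk tells the operator that. A short comment above `server-cert`, such as `# These files are not created by the package; generate or install them before first start and keep server-key readable only by the account ocserv is started as.`, puts the requirement in the one file an operator actually reads. The same applies to the `[vhost:www.example.com]` block later in the file, whose `ca-cert`, `server-cert` and `server-key` lines receive the same `%%ETCDIR%%` paths.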
@@ -39,40 +105,75 @@ # A banner to be displayed on clients after connection #banner = "Welcome" -@@ -553,15 +547,15 @@ no-route = 192.168.5.0/255.255.255.0 +@@ -255,7 +246,7 @@ try-mtu-discovery = false + # You can update this response periodically using: + # ocsptool --ask --load-cert=your_cert --load-issuer=your_ca --outfile response + # Make sure that you replace the following file in an atomic way. +-#ocsp-response = /etc/ocserv/ocsp.der ++#ocsp-response = %%ETCDIR%%/ocsp.der + + # The object identifier that will be used to read the user ID in the client + # certificate. The object identifier should be part of the certificate's DN +@@ -274,7 +265,7 @@ cert-user-oid = 0.9.2342.19200300.100.1.1 + # See the manual to generate an empty CRL initially. The CRL will be reloaded + # periodically when ocserv detects a change in the file. To force a reload use + # SIGHUP. +-#crl = /etc/ocserv/crl.pem ++#crl = %%ETCDIR%%/crl.pem + + # Uncomment this to enable compression negotiation (LZS, LZ4). + #compression = true +@@ -543,15 +534,15 @@ no-route = 192.168.5.0/255.255.255.0 # Note the that following two firewalling options currently are available # in Linux systems with iptables software. -# If set, the script /usr/bin/ocserv-fw will be called to restrict -+# If set, the script /usr/local/bin/ocserv-fw will be called to restrict ++# If set, the script %%PREFIX%%/bin/ocserv-fw will be called to restrict # the user to its allowed routes and prevent him from accessing # any other routes. In case of defaultroute, the no-routes are restricted. -# All the routes applied by ocserv can be reverted using /usr/bin/ocserv-fw -+# All the routes applied by ocserv can be reverted using /usr/local/bin/ocserv-fw ++# All the routes applied by ocserv can be reverted using %%PREFIX%%/bin/ocserv-fw # --removeall. This option can be set globally or in the per-user configuration. #restrict-user-to-routes = true # This option implies restrict-user-to-routes set to true. 
If set, the -# script /usr/bin/ocserv-fw will be called to restrict the user to -+# script /usr/local/bin/ocserv-fw will be called to restrict the user to ++# script %%PREFIX%%/bin/ocserv-fw will be called to restrict the user to # access specific ports in the network. This option can be set globally # or in the per-user configuration. #restrict-user-to-ports = "tcp(443), tcp(80), udp(443), sctp(99), tcp(583), icmp(), icmpv6()" -@@ -609,13 +603,13 @@ no-route = 192.168.5.0/255.255.255.0 +@@ -599,13 +590,13 @@ no-route = 192.168.5.0/255.255.255.0 # hostname to override any proposed by the user. Note also, that, any # routes, no-routes, DNS or NBNS servers present will overwrite the global ones. -#config-per-user = /etc/ocserv/config-per-user/ -#config-per-group = /etc/ocserv/config-per-group/ -+#config-per-user = /usr/local/etc/ocserv/config-per-user/ -+#config-per-group = /usr/local/etc/ocserv/config-per-group/ ++#config-per-user = %%ETCDIR%%/config-per-user/ ++#config-per-group = %%ETCDIR%%/config-per-group/ # When config-per-xxx is specified and there is no group or user that # matches, then utilize the following configuration. -#default-user-config = /etc/ocserv/defaults/user.conf -#default-group-config = /etc/ocserv/defaults/group.conf -+#default-user-config = /usr/local/etc/ocserv/defaults/user.conf -+#default-group-config = /usr/local/etc/ocserv/defaults/group.conf ++#default-user-config = %%ETCDIR%%/defaults/user.conf ++#default-group-config = %%ETCDIR%%/defaults/group.conf # The system command to use to setup a route. %{R} will be replaced with the # route/mask, %{RI} with the route in CIDR format, and %{D} with the (tun) device. +@@ -701,13 +692,13 @@ dtls-legacy = true + [vhost:www.example.com] + auth = "certificate" + +-ca-cert = ../tests/certs/ca.pem ++ca-cert = %%ETCDIR%%/ca.pem + + # The certificate set here must include a 'dns_name' corresponding to + # the virtual host name. 
+ +-server-cert = ../tests/certs/server-cert-secp521r1.pem +-server-key = ../tests/certs/server-key-secp521r1.pem ++server-cert = %%ETCDIR%%/server-cert-secp521r1.pem ++server-key = %%ETCDIR%%/server-key-secp521r1.pem + + ipv4-network = 192.168.2.0 + ipv4-netmask = 255.255.255.0 Index: net/ocserv/files/patch-src_main-ban.c =================================================================== --- /dev/null +++ net/ocserv/files/patch-src_main-ban.c @@ -0,0 +1,20 @@ +--- src/main-ban.c.orig 2021-01-26 17:01:03 UTC ++++ src/main-ban.c +@@ -403,8 +403,8 @@ static bool test_local_ipv6(struct sockaddr_in6 * remo + unsigned index = 0; + + for (index = 0; index < 4; index ++) { +- uint32_t l = local->sin6_addr.s6_addr32[index] & network->sin6_addr.s6_addr32[index]; +- uint32_t r = remote->sin6_addr.s6_addr32[index] & network->sin6_addr.s6_addr32[index]; ++ uint32_t l = local->sin6_addr.__u6_addr.__u6_addr32[index] & network->sin6_addr.__u6_addr.__u6_addr32[index]; ++ uint32_t r = remote->sin6_addr.__u6_addr.__u6_addr32[index] & network->sin6_addr.__u6_addr.__u6_addr32[index]; + if (l != r) + return false; + } +@@ -443,4 +443,4 @@ void if_address_cleanup(main_server_st * s) + + s->if_addresses = NULL; + s->if_addresses_count = 0; +-} +\ No newline at end of file ++} Index: net/ocserv/files/patch-src_occtl_occtl.c =================================================================== --- net/ocserv/files/patch-src_occtl_occtl.c +++ net/ocserv/files/patch-src_occtl_occtl.c @@ -1,6 +1,6 @@ ---- src/occtl/occtl.c.orig 2018-01-14 16:25:24 UTC +--- src/occtl/occtl.c.orig 2020-08-06 18:51:31 UTC +++ src/occtl/occtl.c -@@ -249,7 +249,7 @@ static int handle_help_cmd(CONN_TYPE * conn, const cha +@@ -264,7 +264,7 @@ static int handle_help_cmd(CONN_TYPE * conn, const cha static int handle_reset_cmd(CONN_TYPE * conn, const char *arg, cmd_params_st *params) { rl_reset_terminal(NULL);
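Review bot: The `restrict-user-to-routes` and `restrict-user-to-ports` comments now advertise `%%PREFIX%%/bin/ocserv-fw`, yet the context two lines above them still states these firewalling options are available only on Linux systems with iptables; on FreeBSD the substituted path can name a script that enforces nothing, so an operator enabling the option would assume per-user route restriction is active when it is not (whether the port ships a FreeBSD-capable ocserv-fw is not visible here). If it does not, a one-line note beside the path, e.g. `# (the bundled ocserv-fw script relies on iptables and is not functional on FreeBSD)`, avoids a false sense of enforcement.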
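Review bot: The replacement members `__u6_addr.__u6_addr32` in `test_local_ipv6` are FreeBSD-private, double-underscore identifiers reserved for the implementation, so this patch trades one non-portable access (`s6_addr32`, a glibc extension) for another and will need re-patching on any other BSD or libc. The POSIX-mandated member of `struct in6_addr` is the 16-byte array `s6_addr`; comparing the masked address byte by byte yields the same result on every platform without touching union internals and is the form worth sending upstream instead of carrying a local patch. The rewritten loop is below; `test_local_ipv6`'s signature and the rest of its body are outside the inner hunk. The second inner hunk only restores the missing final newline and needs nothing.
```c
	for (index = 0; index < 16; index ++) {
		/* s6_addr is the portable uint8_t[16] view of the address */
		uint8_t l = local->sin6_addr.s6_addr[index] & network->sin6_addr.s6_addr[index];
		uint8_t r = remote->sin6_addr.s6_addr[index] & network->sin6_addr.s6_addr[index];
		if (l != r)
			return false;
	}
```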