diff --git a/net/ocserv/Makefile b/net/ocserv/Makefile index 934705b2df50..6dc13dac271e 100644 --- a/net/ocserv/Makefile +++ b/net/ocserv/Makefile @@ -1,86 +1,86 @@ PORTNAME= ocserv -DISTVERSION= 1.1.6 +DISTVERSION= 1.1.7 CATEGORIES= net net-vpn security MASTER_SITES= https://www.infradead.org/ocserv/download/ MAINTAINER= otis@FreeBSD.org COMMENT= Server implementing the AnyConnect SSL VPN protocol WWW= https://ocserv.gitlab.io/www/index.html LICENSE= GPLv2+ -LICENSE_FILE= ${WRKSRC}/LICENSE +LICENSE_FILE= ${WRKSRC}/COPYING BUILD_DEPENDS= bash:shells/bash \ gsed:textproc/gsed LIB_DEPENDS= libev.so:devel/libev \ libgnutls.so:security/gnutls \ libiconv.so:converters/libiconv \ liblz4.so:archivers/liblz4 \ libnettle.so:security/nettle \ liboath.so:security/oath-toolkit \ libpcl.so:devel/pcl \ libprotobuf-c.so:devel/protobuf-c \ libtalloc.so:devel/talloc \ libtasn1.so:security/libtasn1 USES= autoreconf cpe gperf libtool localbase ncurses pathfix \ pkgconfig readline tar:xz CPE_VENDOR= infradead USE_RC_SUBR= ocserv GNU_CONFIGURE= yes CONFIGURE_ARGS= --disable-namespaces \ --without-geoip \ --without-http-parser USERS= _ocserv GROUPS= _ocserv PLIST_SUB= GROUPS="${GROUPS}" \ USERS="${USERS}" PORTDOCS= AUTHORS ChangeLog NEWS README TODO PORTEXAMPLES= profile.xml sample.config sample.passwd OPTIONS_DEFINE= DOCS EXAMPLES GSSAPI MAXMIND RADIUS MAXMIND_DESC= Use Maxmind GeoIP library GSSAPI_LIB_DEPENDS= libkrb5support.so:security/krb5 GSSAPI_USES= gssapi:mit GSSAPI_CONFIGURE_OFF= --without-gssapi MAXMIND_LIB_DEPENDS= libmaxminddb.so:net/libmaxminddb MAXMIND_CONFIGURE_OFF= --without-maxmind RADIUS_LIB_DEPENDS= libradcli.so:net/radcli RADIUS_CONFIGURE_OFF= --without-radius .include post-patch: ${REINPLACE_CMD} 's|/usr/bin/ocserv-fw|${PREFIX}/bin/ocserv-fw|g' \ ${WRKSRC}/src/main-user.c ${REINPLACE_CMD} 's|/usr/bin/ocserv\\-fw|${PREFIX}/bin/ocserv\\-fw|g' \ ${WRKSRC}/doc/ocserv.8 ${REINPLACE_CMD} -e 's|%%PREFIX%%|${PREFIX}|g' \ -e 's|%%ETCDIR%%|${ETCDIR}|g' \ -e 's|%%USERS%%|${USERS}|g' \ -e 's|%%GROUPS%%|${GROUPS}|g' \ ${WRKSRC}/doc/sample.config .if "${PREFIX}" != "" && "${PREFIX}" != "/" && "${PREFIX}" != "/usr" ${REINPLACE_CMD} -E 's|^(#define DEFAULT_CFG_FILE ")(/etc/ocserv/ocserv.conf")|\1${PREFIX}\2|' ${WRKSRC}/src/config.c ${REINPLACE_CMD} -E 's|^(#define DEFAULT_OCPASSWD ")(/etc/ocserv/ocpasswd")|\1${PREFIX}\2|' ${WRKSRC}/src/ocpasswd/ocpasswd.c .endif post-install: ${MKDIR} ${STAGEDIR}${PREFIX}/etc/ocserv ${STAGEDIR}/var/run/ocserv ${INSTALL_DATA} ${WRKSRC}/doc/sample.config ${STAGEDIR}${PREFIX}/etc/ocserv/ocserv.conf.sample ${INSTALL_MAN} ${WRKSRC}/doc/*.8 ${STAGEDIR}${MANPREFIX}/man/man8 post-install-DOCS-on: ${MKDIR} ${STAGEDIR}${DOCSDIR} cd ${WRKSRC} && ${INSTALL_DATA} ${PORTDOCS} ${STAGEDIR}${DOCSDIR} post-install-EXAMPLES-on: ${MKDIR} ${STAGEDIR}${EXAMPLESDIR} cd ${WRKSRC}/doc && ${INSTALL_DATA} ${PORTEXAMPLES} ${STAGEDIR}${EXAMPLESDIR} .include diff --git a/net/ocserv/distinfo b/net/ocserv/distinfo index c8d80b9bcbf2..30465e6a2b45 100644 --- a/net/ocserv/distinfo +++ b/net/ocserv/distinfo @@ -1,3 +1,3 @@ -TIMESTAMP = 1661367781 -SHA256 (ocserv-1.1.6.tar.xz) = 6a6cbe92212e32280426a51c634adc3d4803579dd049cfdb7e014714cc82c693 -SIZE (ocserv-1.1.6.tar.xz) = 839744 +TIMESTAMP = 1683875970 +SHA256 (ocserv-1.1.7.tar.xz) = f30f7515e1e569ca2e68a96fa5e3dd10d49a18a40c981ad95b484d10835e3aa6 +SIZE (ocserv-1.1.7.tar.xz) = 844140 diff --git a/net/ocserv/files/patch-doc_sample.config b/net/ocserv/files/patch-doc_sample.config index 415691eb9b3a..f866507ac5a0 100644 --- a/net/ocserv/files/patch-doc_sample.config +++ b/net/ocserv/files/patch-doc_sample.config @@ -1,193 +1,193 @@ ---- doc/sample.config.orig 2020-12-03 22:31:10 UTC +--- doc/sample.config.orig 2022-12-02 18:59:51 UTC +++ doc/sample.config @@ -19,7 +19,7 @@ # This enabled PAM authentication of the user. The gid-min option is used # by auto-select-group option, in order to select the minimum valid group ID. # -# plain[passwd=/etc/ocserv/ocpasswd,otp=/etc/ocserv/users.otp] +# plain[passwd=%%ETCDIR%%/ocpasswd,otp=%%ETCDIR%%/users.otp] # The plain option requires specifying a password file which contains # entries of the following format. # "username:groupname1,groupname2:encoded-password" @@ -28,7 +28,7 @@ # an oath password file to be used for one time passwords; the format of # the file is described in https://github.com/archiecobbs/mod-authn-otp/wiki/UsersFile # -# radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true,nas-identifier=name]: +# radius[config=%%PREFIX%%/etc/radiusclient/radiusclient.conf,groupconfig=true,nas-identifier=name]: # The radius option requires specifying freeradius-client configuration # file. If the groupconfig option is set, then config-per-user/group will be overridden, # and all configuration will be read from radius. That also includes the @@ -47,10 +47,10 @@ #auth = "pam" #auth = "pam[gid-min=1000]" -#auth = "plain[passwd=./sample.passwd,otp=./sample.otp]" -auth = "plain[passwd=./sample.passwd]" +#auth = "plain[passwd=%%ETCDIR%%/sample.passwd,otp=%%ETCDIR%%/sample.otp]" +auth = "plain[passwd=%%ETCDIR%%/sample.passwd]" #auth = "certificate" -#auth = "radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true]" +#auth = "radius[config=%%PREFIX%%/etc/radiusclient/radiusclient.conf,groupconfig=true]" # Specify alternative authentication methods that are sufficient # for authentication. That is, if set, any of the methods enabled @@ -71,7 +71,7 @@ auth = "plain[passwd=./sample.passwd]" # PAM. # # Only one accounting method can be specified. -#acct = "radius[config=/etc/radiusclient/radiusclient.conf]" +#acct = "radius[config=%%PREFIX%%/etc/radiusclient/radiusclient.conf]" # Use listen-host to limit to specific IPs or to the IPs of a provided # hostname. @@ -96,8 +96,8 @@ udp-port = 443 # The user the worker processes will be run as. This should be a dedicated # unprivileged user (e.g., 'ocserv') and no other services should run as this # user. -run-as-user = nobody -run-as-group = daemon +run-as-user = %%USERS%% +run-as-group = %%GROUPS%% # socket file used for IPC with occtl. You only need to set that, # if you use more than a single servers. @@ -124,22 +124,20 @@ socket-file = /var/run/ocserv-socket # certificate renewal (they are checked and reloaded periodically; # a SIGHUP signal to main server will force reload). -#server-cert = /etc/ocserv/server-cert.pem -#server-key = /etc/ocserv/server-key.pem -server-cert = ../tests/certs/server-cert.pem -server-key = ../tests/certs/server-key.pem -+server-cert = %%ETCDIR%%/server-cert.pem -+server-key = %%ETCDIR%%/server-key.pem +++server-cert = %%ETCDIR%%/server-cert.pem +++server-key = %%ETCDIR%%/server-key.pem # Diffie-Hellman parameters. Only needed if for old (pre 3.6.0 # versions of GnuTLS for supporting DHE ciphersuites. # Can be generated using: -# certtool --generate-dh-params --outfile /etc/ocserv/dh.pem -#dh-params = /etc/ocserv/dh.pem +# certtool --generate-dh-params --outfile %%ETCDIR%%/dh.pem +#dh-params = %%ETCDIR%%/dh.pem # In case PKCS #11, TPM or encrypted keys are used the PINs should be available - # in files. The srk-pin-file is applicable to TPM keys only, and is the + # in files. The srk-pin-file is applicable to TPM keys only, and is the # storage root key. -#pin-file = /etc/ocserv/pin.txt -#srk-pin-file = /etc/ocserv/srkpin.txt +#pin-file = %%ETCDIR%%/pin.txt +#srk-pin-file = %%ETCDIR%%/srkpin.txt # The password or PIN needed to unlock the key in server-key file. # Only needed if the file is encrypted or a PKCS #11 object. This @@ -153,8 +151,7 @@ server-key = ../tests/certs/server-key.pem # The Certificate Authority that will be used to verify # client certificates (public keys) if certificate authentication # is set. -#ca-cert = /etc/ocserv/ca.pem -ca-cert = ../tests/certs/ca.pem +ca-cert = %%ETCDIR%%/ca.pem - - ### All configuration options below this line are reloaded on a SIGHUP. -@@ -166,15 +163,9 @@ ca-cert = ../tests/certs/ca.pem + # The number of sub-processes to use for the security module (authentication) + # processes. Typically this should not be set as the number of processes +@@ -172,15 +169,9 @@ ca-cert = ../tests/certs/ca.pem ### failures during the reloading time. --# Whether to enable seccomp/Linux namespaces worker isolation. That restricts the number of +-# Whether to enable seccomp/Linux namespaces worker isolation. That restricts the number of -# system calls allowed to a worker process, in order to reduce damage from a -# bug in the worker process. It is available on Linux systems at a performance cost. -# The performance cost is roughly 2% overhead at transfer time (tested on a Linux 3.17.8). -# Note however, that process isolation is restricted to the specific libc versions -# the isolation was tested at. If you get random failures on worker processes, try -# disabling that option and report the failures you, along with system and debugging -# information at: https://gitlab.com/ocserv/ocserv/issues -isolate-workers = true +# ocserv 1.1.1 on FreeBSD does not currently support process isolation, +# because ocserv only supports Linux's seccomp system, but not capsicum(4). +#isolate-workers = false # A banner to be displayed on clients after connection #banner = "Welcome" -@@ -255,7 +246,7 @@ try-mtu-discovery = false +@@ -262,7 +253,7 @@ try-mtu-discovery = false # You can update this response periodically using: # ocsptool --ask --load-cert=your_cert --load-issuer=your_ca --outfile response # Make sure that you replace the following file in an atomic way. -#ocsp-response = /etc/ocserv/ocsp.der +#ocsp-response = %%ETCDIR%%/ocsp.der - # The object identifier that will be used to read the user ID in the client + # The object identifier that will be used to read the user ID in the client # certificate. The object identifier should be part of the certificate's DN -@@ -274,7 +265,7 @@ cert-user-oid = 0.9.2342.19200300.100.1.1 +@@ -281,7 +272,7 @@ cert-user-oid = 0.9.2342.19200300.100.1.1 # See the manual to generate an empty CRL initially. The CRL will be reloaded # periodically when ocserv detects a change in the file. To force a reload use # SIGHUP. -#crl = /etc/ocserv/crl.pem +#crl = %%ETCDIR%%/crl.pem # Uncomment this to enable compression negotiation (LZS, LZ4). #compression = true -@@ -543,15 +534,15 @@ no-route = 192.168.5.0/255.255.255.0 +@@ -558,15 +549,15 @@ no-route = 192.168.5.0/255.255.255.0 # Note the that following two firewalling options currently are available - # in Linux systems with iptables software. + # in Linux systems with iptables software. -# If set, the script /usr/bin/ocserv-fw will be called to restrict +# If set, the script %%PREFIX%%/bin/ocserv-fw will be called to restrict # the user to its allowed routes and prevent him from accessing # any other routes. In case of defaultroute, the no-routes are restricted. -# All the routes applied by ocserv can be reverted using /usr/bin/ocserv-fw +# All the routes applied by ocserv can be reverted using %%PREFIX%%/bin/ocserv-fw # --removeall. This option can be set globally or in the per-user configuration. #restrict-user-to-routes = true # This option implies restrict-user-to-routes set to true. If set, the -# script /usr/bin/ocserv-fw will be called to restrict the user to +# script %%PREFIX%%/bin/ocserv-fw will be called to restrict the user to # access specific ports in the network. This option can be set globally # or in the per-user configuration. #restrict-user-to-ports = "tcp(443), tcp(80), udp(443), sctp(99), tcp(583), icmp(), icmpv6()" -@@ -599,13 +590,13 @@ no-route = 192.168.5.0/255.255.255.0 - # hostname to override any proposed by the user. Note also, that, any +@@ -614,13 +605,13 @@ no-route = 192.168.5.0/255.255.255.0 + # hostname to override any proposed by the user. Note also, that, any # routes, no-routes, DNS or NBNS servers present will overwrite the global ones. -#config-per-user = /etc/ocserv/config-per-user/ -#config-per-group = /etc/ocserv/config-per-group/ +#config-per-user = %%ETCDIR%%/config-per-user/ +#config-per-group = %%ETCDIR%%/config-per-group/ # When config-per-xxx is specified and there is no group or user that # matches, then utilize the following configuration. -#default-user-config = /etc/ocserv/defaults/user.conf -#default-group-config = /etc/ocserv/defaults/group.conf +#default-user-config = %%ETCDIR%%/defaults/user.conf +#default-group-config = %%ETCDIR%%/defaults/group.conf # The system command to use to setup a route. %{R} will be replaced with the # route/mask, %{RI} with the route in CIDR format, and %{D} with the (tun) device. -@@ -627,7 +618,7 @@ no-route = 192.168.5.0/255.255.255.0 +@@ -642,7 +633,7 @@ no-route = 192.168.5.0/255.255.255.0 # In MIT kerberos you'll need to add in realms: # EXAMPLE.COM = { # kdc = https://ocserv.example.com/KdcProxy -# http_anchors = FILE:/etc/ocserv-ca.pem +# http_anchors = FILE:%%ETCDIR%%/ocserv-ca.pem # } # In some distributions the krb5-k5tls plugin of kinit is required. # -@@ -701,13 +692,13 @@ dtls-legacy = true +@@ -722,13 +713,13 @@ client-bypass-protocol = false [vhost:www.example.com] auth = "certificate" -ca-cert = ../tests/certs/ca.pem +ca-cert = %%ETCDIR%%/ca.pem # The certificate set here must include a 'dns_name' corresponding to # the virtual host name. -server-cert = ../tests/certs/server-cert-secp521r1.pem -server-key = ../tests/certs/server-key-secp521r1.pem +server-cert = %%ETCDIR%%/server-cert-secp521r1.pem +server-key = %%ETCDIR%%/server-key-secp521r1.pem ipv4-network = 192.168.2.0 ipv4-netmask = 255.255.255.0 diff --git a/net/ocserv/files/patch-src_main-ban.c b/net/ocserv/files/patch-src_main-ban.c index 2a4446d29abb..86483cf2e9f7 100644 --- a/net/ocserv/files/patch-src_main-ban.c +++ b/net/ocserv/files/patch-src_main-ban.c @@ -1,20 +1,13 @@ ---- src/main-ban.c.orig 2021-01-26 17:01:03 UTC +--- src/main-ban.c.orig 2023-01-29 14:09:45 UTC +++ src/main-ban.c -@@ -403,8 +403,8 @@ static bool test_local_ipv6(struct sockaddr_in6 * remo +@@ -408,8 +408,8 @@ static bool test_local_ipv6(struct sockaddr_in6 * remo unsigned index = 0; - + for (index = 0; index < 4; index ++) { - uint32_t l = local->sin6_addr.s6_addr32[index] & network->sin6_addr.s6_addr32[index]; - uint32_t r = remote->sin6_addr.s6_addr32[index] & network->sin6_addr.s6_addr32[index]; + uint32_t l = local->sin6_addr.__u6_addr.__u6_addr32[index] & network->sin6_addr.__u6_addr.__u6_addr32[index]; + uint32_t r = remote->sin6_addr.__u6_addr.__u6_addr32[index] & network->sin6_addr.__u6_addr.__u6_addr32[index]; - if (l != r) + if (l != r) return false; } -@@ -443,4 +443,4 @@ void if_address_cleanup(main_server_st * s) - - s->if_addresses = NULL; - s->if_addresses_count = 0; --} -\ No newline at end of file -+}