Index: head/net/ocserv/Makefile
===================================================================
--- head/net/ocserv/Makefile (revision 552034)
+++ head/net/ocserv/Makefile (revision 552035)
@@ -1,80 +1,84 @@
 # Created by: Carlos J Puga Medina
 # $FreeBSD$
 PORTNAME= ocserv
-PORTVERSION= 1.0.1
-PORTREVISION= 1
+PORTVERSION= 1.1.1
 CATEGORIES= net net-vpn security
 MASTER_SITES= ftp://ftp.infradead.org/pub/ocserv/
 MAINTAINER= ports@FreeBSD.org
 COMMENT= Server implementing the AnyConnect SSL VPN protocol
 LICENSE= GPLv2+
 LICENSE_FILE= ${WRKSRC}/LICENSE
 BUILD_DEPENDS= bash:shells/bash \
 gsed:textproc/gsed
 LIB_DEPENDS= liblz4.so:archivers/liblz4 \
 libiconv.so:converters/libiconv \
 libev.so:devel/libev \
 libtalloc.so:devel/talloc \
 libprotobuf-c.so:devel/protobuf-c \
 libgnutls.so:security/gnutls \
 libtasn1.so:security/libtasn1 \
 libnettle.so:security/nettle \
 liboath.so:security/oath-toolkit \
 libpcl.so:devel/pcl
 USES= autoreconf cpe gperf libtool localbase ncurses \
 pathfix pkgconfig readline tar:xz
 CPE_VENDOR= infradead
 GNU_CONFIGURE= yes
 CONFIGURE_ARGS= --without-geoip \
- --without-http-parser
+ --without-http-parser \
+ --disable-namespaces
 USERS= _ocserv
 GROUPS= _ocserv
 USE_RC_SUBR= ocserv
 PLIST_SUB= USERS="${USERS}" GROUPS="${GROUPS}"
-OPTIONS_DEFINE= DOCS EXAMPLES GSSAPI RADIUS
+OPTIONS_DEFINE= DOCS EXAMPLES GSSAPI MAXMIND RADIUS
 PORTDOCS= AUTHORS ChangeLog NEWS README TODO
 PORTEXAMPLES= profile.xml sample.config sample.passwd
 GSSAPI_USES= gssapi:mit
 GSSAPI_LIB_DEPENDS= libkrb5support.so:security/krb5
 GSSAPI_CONFIGURE_OFF= --without-gssapi
 RADIUS_LIB_DEPENDS= libradcli.so:net/radcli
 RADIUS_CONFIGURE_OFF= --without-radius
+
+MAXMIND_DESC= Use Maxmind GeoIP library
+MAXMIND_LIB_DEPENDS= libmaxminddb.so:net/libmaxminddb
+MAXMIND_CONFIGURE_OFF= --without-maxmind
 .include
 post-patch:
 ${REINPLACE_CMD} 's|/usr/bin/ocserv-fw|${PREFIX}/bin/ocserv-fw|g' \
 ${WRKSRC}/src/main-user.c
 ${REINPLACE_CMD} 's|/usr/bin/ocserv\\-fw|${PREFIX}/bin/ocserv\\-fw|g' \
 ${WRKSRC}/doc/ocserv.8
 .if "${PREFIX}" != "" && "${PREFIX}" != "/" && "${PREFIX}" != "/usr"
 ${REINPLACE_CMD} -E 's|^(#define DEFAULT_CFG_FILE ")(/etc/ocserv/ocserv.conf")|\1${PREFIX}\2|' ${WRKSRC}/src/config.c
 .endif
 post-install:
 ${MKDIR} ${STAGEDIR}${PREFIX}/etc/ocserv ${STAGEDIR}/var/run/ocserv
 ${INSTALL_DATA} ${FILESDIR}/ocserv.conf ${STAGEDIR}${PREFIX}/etc/ocserv/ocserv.conf.sample
 ${INSTALL_MAN} ${WRKSRC}/doc/*.8 ${STAGEDIR}${MANPREFIX}/man/man8
 post-install-DOCS-on:
 ${MKDIR} ${STAGEDIR}${DOCSDIR}
 cd ${WRKSRC} && ${INSTALL_DATA} ${PORTDOCS} ${STAGEDIR}${DOCSDIR}
 post-install-EXAMPLES-on:
 ${MKDIR} ${STAGEDIR}${EXAMPLESDIR}
 cd ${WRKSRC}/doc && ${INSTALL_DATA} ${PORTEXAMPLES} ${STAGEDIR}${EXAMPLESDIR}
 .include
Index: head/net/ocserv/distinfo
===================================================================
--- head/net/ocserv/distinfo (revision 552034)
+++ head/net/ocserv/distinfo (revision 552035)
@@ -1,3 +1,3 @@
-TIMESTAMP = 1586552655
-SHA256 (ocserv-1.0.1.tar.xz) = 59d9ef7a1aeb95ff6e762e2a0f231b3fae2ea420f68a1cf09d39a26395040f4b
-SIZE (ocserv-1.0.1.tar.xz) = 787800
+TIMESTAMP = 1602242932
+SHA256 (ocserv-1.1.1.tar.xz) = 9c7aaf46e53e28cfa7be329b18f3951e7e851153ff6a27e946496fd4e8e5765a
+SIZE (ocserv-1.1.1.tar.xz) = 818988
Index: head/net/ocserv/files/patch-configure.ac
===================================================================
--- head/net/ocserv/files/patch-configure.ac (revision 552034)
+++ head/net/ocserv/files/patch-configure.ac (revision 552035)
@@ -1,20 +1,20 @@
---- configure.ac.orig 2020-04-09 21:07:12 UTC
+--- configure.ac.orig 2020-10-09 11:32:59 UTC
 +++ configure.ac
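Review bot: The new `--disable-namespaces` line in CONFIGURE_ARGS has no comment saying why it is set, so the next updater cannot tell whether it works around a build failure or records a permanent platform limitation. The sample.config patch in this same commit states that ocserv's worker isolation depends on Linux seccomp and is unavailable on FreeBSD, which appears to be the same reason; a one-line comment above the flag, `# Linux namespace-based worker isolation is not available on FreeBSD`, would keep that rationale next to the flag that disables it. Separately, the new MAXMIND block is appended after the RADIUS block although OPTIONS_DEFINE lists the options alphabetically (GSSAPI MAXMIND RADIUS); placing the block between the GSSAPI and RADIUS blocks would match that order.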
@@ -15,7 +15,7 @@ AM_PROG_AR AM_PROG_CC_C_O AC_PROG_SED - if [ test "$GCC" = "yes" ];then + if test "$GCC" = "yes" && ! expr "$CC" : clang >/dev/null 2>&1;then - CFLAGS="$CFLAGS -Wall -Wno-strict-aliasing -Wextra -Wno-unused-parameter -Wno-sign-compare -Wno-missing-field-initializers -Wno-implicit-fallthrough -Wno-stringop-truncation" + CFLAGS="$CFLAGS -Wall -Wno-strict-aliasing -Wextra -Wno-unused-parameter -Wno-sign-compare -Wno-missing-field-initializers" fi + AC_PATH_PROG(CTAGS, ctags, [:]) - AC_PATH_PROG(CSCOPE, cscope, [:]) -@@ -199,7 +199,7 @@ if test "$test_for_geoip" = yes && test "$have_maxmind +@@ -222,7 +222,7 @@ if test "$test_for_geoip" = yes && test "$have_maxmind fi have_readline=no -AC_LIB_HAVE_LINKFLAGS(readline,, [ +AC_LIB_HAVE_LINKFLAGS(readline,ncurses, [ #include #include ], [rl_replace_line(0,0);]) if test x$ac_cv_libreadline = xyes; then Index: head/net/ocserv/files/patch-doc_sample.config =================================================================== --- head/net/ocserv/files/patch-doc_sample.config (revision 552034) +++ head/net/ocserv/files/patch-doc_sample.config (revision 552035) @@ -1,78 +1,78 @@ ---- doc/sample.config.orig 2020-04-09 20:56:20 UTC +--- doc/sample.config.orig 2020-09-20 19:49:01 UTC +++ doc/sample.config 
@@ -19,7 +19,7 @@ # This enabled PAM authentication of the user. The gid-min option is used # by auto-select-group option, in order to select the minimum valid group ID. # -# plain[passwd=/etc/ocserv/ocpasswd,otp=/etc/ocserv/users.otp] +# plain[passwd=/usr/local/etc/ocserv/ocpasswd,otp=/etc/ocserv/users.otp] # The plain option requires specifying a password file which contains # entries of the following format. # "username:groupname1,groupname2:encoded-password" -@@ -106,8 +106,8 @@ udp-port = 443 - - # The user the worker processes will be run as. It should be - # unique (no other services run as this user). +@@ -110,8 +110,8 @@ udp-port = 443 + # The user the worker processes will be run as. This should be a dedicated + # unprivileged user (e.g., 'ocserv') and no other services should run as this + # user. -run-as-user = nobody -run-as-group = daemon +run-as-user = _ocserv +run-as-group = _ocserv # socket file used for IPC with occtl. You only need to set that, # if you use more than a single servers. -@@ -176,15 +176,9 @@ ca-cert = ../tests/certs/ca.pem +@@ -180,15 +180,9 @@ ca-cert = ../tests/certs/ca.pem ### failures during the reloading time. -# Whether to enable seccomp/Linux namespaces worker isolation. That restricts the number of -# system calls allowed to a worker process, in order to reduce damage from a -# bug in the worker process. It is available on Linux systems at a performance cost. -# The performance cost is roughly 2% overhead at transfer time (tested on a Linux 3.17.8). -# Note however, that process isolation is restricted to the specific libc versions -# the isolation was tested at. 
If you get random failures on worker processes, try -# disabling that option and report the failures you, along with system and debugging -# information at: https://gitlab.com/ocserv/ocserv/issues -isolate-workers = true -+# ocserv 1.0.1 on FreeBSD does not currently support process isolation, ++# ocserv 1.1.1 on FreeBSD does not currently support process isolation, +# because ocserv only supports Linux's seccomp system, but not capsicum(4). +#isolate-workers = false - # A banner to be displayed on clients + # A banner to be displayed on clients after connection #banner = "Welcome" -@@ -535,15 +529,15 @@ no-route = 192.168.5.0/255.255.255.0 +@@ -553,15 +547,15 @@ no-route = 192.168.5.0/255.255.255.0 # Note the that following two firewalling options currently are available # in Linux systems with iptables software. -# If set, the script /usr/bin/ocserv-fw will be called to restrict +# If set, the script /usr/local/bin/ocserv-fw will be called to restrict # the user to its allowed routes and prevent him from accessing # any other routes. In case of defaultroute, the no-routes are restricted. -# All the routes applied by ocserv can be reverted using /usr/bin/ocserv-fw +# All the routes applied by ocserv can be reverted using /usr/local/bin/ocserv-fw # --removeall. This option can be set globally or in the per-user configuration. #restrict-user-to-routes = true # This option implies restrict-user-to-routes set to true. If set, the -# script /usr/bin/ocserv-fw will be called to restrict the user to +# script /usr/local/bin/ocserv-fw will be called to restrict the user to # access specific ports in the network. This option can be set globally # or in the per-user configuration. #restrict-user-to-ports = "tcp(443), tcp(80), udp(443), sctp(99), tcp(583), icmp(), icmpv6()" -@@ -591,13 +585,13 @@ no-route = 192.168.5.0/255.255.255.0 +@@ -609,13 +603,13 @@ no-route = 192.168.5.0/255.255.255.0 # hostname to override any proposed by the user. 
Note also, that, any # routes, no-routes, DNS or NBNS servers present will overwrite the global ones. -#config-per-user = /etc/ocserv/config-per-user/ -#config-per-group = /etc/ocserv/config-per-group/ +#config-per-user = /usr/local/etc/ocserv/config-per-user/ +#config-per-group = /usr/local/etc/ocserv/config-per-group/ # When config-per-xxx is specified and there is no group or user that # matches, then utilize the following configuration. -#default-user-config = /etc/ocserv/defaults/user.conf -#default-group-config = /etc/ocserv/defaults/group.conf +#default-user-config = /usr/local/etc/ocserv/defaults/user.conf +#default-group-config = /usr/local/etc/ocserv/defaults/group.conf # The system command to use to setup a route. %{R} will be replaced with the # route/mask, %{RI} with the route in CIDR format, and %{D} with the (tun) device. Index: head/net/ocserv/pkg-plist =================================================================== --- head/net/ocserv/pkg-plist (revision 552034) +++ head/net/ocserv/pkg-plist (revision 552035) @@ -1,9 +1,10 @@ bin/occtl bin/ocpasswd bin/ocserv-fw man/man8/occtl.8.gz man/man8/ocpasswd.8.gz man/man8/ocserv.8.gz @sample etc/ocserv/ocserv.conf.sample sbin/ocserv +sbin/ocserv-worker @dir(%%USERS%%,%%GROUPS%%,750) /var/run/ocserv
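Review bot: The replacement comment on the isolate-workers block embeds the upstream version (`ocserv 1.1.1 on FreeBSD does not currently support process isolation`), which is why this commit had to touch an otherwise unchanged line and which will silently go stale at the next update; dropping the version, `# ocserv on FreeBSD does not currently support process isolation,`, keeps the comment accurate across bumps. Since the hunk also removes the upstream paragraph explaining that isolate-workers restricts the system calls a worker process may make, it may be worth adding one sentence to the FreeBSD comment saying that workers therefore run without that syscall filtering, so an administrator reading the sample understands the isolation is absent rather than merely unconfigured. The surrounding hunks in this file are path rewrites and the `_ocserv` user/group defaults, which need no change.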