diff --git a/net/ocserv/Makefile b/net/ocserv/Makefile index 808a77c12cdb..f1477ea25cb6 100644 --- a/net/ocserv/Makefile +++ b/net/ocserv/Makefile @@ -1,86 +1,85 @@ PORTNAME= ocserv -DISTVERSION= 1.2.2 +DISTVERSION= 1.2.3 CATEGORIES= net net-vpn security MASTER_SITES= https://www.infradead.org/ocserv/download/ MAINTAINER= otis@FreeBSD.org COMMENT= Server implementing the AnyConnect SSL VPN protocol WWW= https://ocserv.gitlab.io/www/index.html LICENSE= GPLv2+ LICENSE_FILE= ${WRKSRC}/COPYING BUILD_DEPENDS= bash:shells/bash \ gsed:textproc/gsed LIB_DEPENDS= libev.so:devel/libev \ libgnutls.so:security/gnutls \ libiconv.so:converters/libiconv \ liblz4.so:archivers/liblz4 \ libnettle.so:security/nettle \ liboath.so:security/oath-toolkit \ libpcl.so:devel/pcl \ libprotobuf-c.so:devel/protobuf-c \ libtalloc.so:devel/talloc \ libtasn1.so:security/libtasn1 USES= autoreconf cpe gettext-tools gperf libtool localbase ncurses \ pathfix pkgconfig readline tar:xz CPE_VENDOR= infradead USE_RC_SUBR= ocserv GNU_CONFIGURE= yes CONFIGURE_ARGS= --disable-namespaces \ --without-geoip \ --without-http-parser USERS= _ocserv GROUPS= _ocserv PLIST_SUB= GROUPS="${GROUPS}" \ USERS="${USERS}" PORTDOCS= AUTHORS ChangeLog NEWS README PORTEXAMPLES= profile.xml sample.config sample.passwd OPTIONS_DEFINE= DOCS EXAMPLES GSSAPI MAXMIND RADIUS MAXMIND_DESC= Use Maxmind GeoIP library GSSAPI_LIB_DEPENDS= libkrb5support.so:security/krb5 GSSAPI_USES= gssapi:mit GSSAPI_CONFIGURE_OFF= --without-gssapi MAXMIND_LIB_DEPENDS= libmaxminddb.so:net/libmaxminddb MAXMIND_CONFIGURE_OFF= --without-maxmind RADIUS_LIB_DEPENDS= libradcli.so:net/radcli RADIUS_CONFIGURE_OFF= --without-radius .include post-patch: - ${REINPLACE_CMD} 's|/usr/bin/ocserv-fw|${PREFIX}/bin/ocserv-fw|g' \ - ${WRKSRC}/src/main-user.c - ${REINPLACE_CMD} 's|/usr/bin/ocserv\\-fw|${PREFIX}/bin/ocserv\\-fw|g' \ + ${REINPLACE_CMD} 's|/usr/bin/ocserv\\-fw|${PREFIX}/libexec/ocserv\\-fw|g' \ ${WRKSRC}/doc/ocserv.8 ${REINPLACE_CMD} -e 's|%%PREFIX%%|${PREFIX}|g' \ -e 's|%%ETCDIR%%|${ETCDIR}|g' \ -e 's|%%USERS%%|${USERS}|g' \ -e 's|%%GROUPS%%|${GROUPS}|g' \ - ${WRKSRC}/doc/sample.config + ${WRKSRC}/doc/sample.config \ + ${WRKSRC}/src/main-user.c .if "${PREFIX}" != "" && "${PREFIX}" != "/" && "${PREFIX}" != "/usr" ${REINPLACE_CMD} -E 's|^(#define DEFAULT_CFG_FILE ")(/etc/ocserv/ocserv.conf")|\1${PREFIX}\2|' ${WRKSRC}/src/config.c ${REINPLACE_CMD} -E 's|^(#define DEFAULT_OCPASSWD ")(/etc/ocserv/ocpasswd")|\1${PREFIX}\2|' ${WRKSRC}/src/ocpasswd/ocpasswd.c .endif post-install: ${MKDIR} ${STAGEDIR}${PREFIX}/etc/ocserv ${STAGEDIR}/var/run/ocserv ${INSTALL_DATA} ${WRKSRC}/doc/sample.config ${STAGEDIR}${PREFIX}/etc/ocserv/ocserv.conf.sample ${INSTALL_MAN} ${WRKSRC}/doc/*.8 ${STAGEDIR}${MANPREFIX}/man/man8 post-install-DOCS-on: ${MKDIR} ${STAGEDIR}${DOCSDIR} cd ${WRKSRC} && ${INSTALL_DATA} ${PORTDOCS} ${STAGEDIR}${DOCSDIR} post-install-EXAMPLES-on: ${MKDIR} ${STAGEDIR}${EXAMPLESDIR} cd ${WRKSRC}/doc && ${INSTALL_DATA} ${PORTEXAMPLES} ${STAGEDIR}${EXAMPLESDIR} .include diff --git a/net/ocserv/distinfo b/net/ocserv/distinfo index eef8583eb834..5efa9abfa72d 100644 --- a/net/ocserv/distinfo +++ b/net/ocserv/distinfo @@ -1,3 +1,3 @@ -TIMESTAMP = 1699481326 -SHA256 (ocserv-1.2.2.tar.xz) = 6e3c7a2ee9e9b4d3621de66e155fd99eb02c0134b9f42cfbc86d3979e485c719 -SIZE (ocserv-1.2.2.tar.xz) = 751548 +TIMESTAMP = 1703628457 +SHA256 (ocserv-1.2.3.tar.xz) = 06ce0fcb59a8b33b8d65d6e551de2b5ef77b7ea641b87caa654a5ee9c49f1bbf +SIZE (ocserv-1.2.3.tar.xz) = 757484 diff --git a/net/ocserv/files/patch-configure.ac b/net/ocserv/files/patch-configure.ac index f06c82846f51..68267a953766 100644 --- a/net/ocserv/files/patch-configure.ac +++ b/net/ocserv/files/patch-configure.ac @@ -1,20 +1,20 @@ ---- configure.ac.orig 2023-07-11 12:47:23 UTC +--- configure.ac.orig 2023-12-14 11:45:13 UTC +++ configure.ac @@ -16,7 +16,7 @@ AM_PROG_CC_C_O AC_PROG_SED if test "$GCC" = "yes" && ! expr "$CC" : clang >/dev/null 2>&1;then - CFLAGS="$CFLAGS -Wall -Wno-strict-aliasing -Wextra -Wno-unused-parameter -Wno-sign-compare -Wno-missing-field-initializers -Wno-implicit-fallthrough -Wno-stringop-truncation" + CFLAGS="$CFLAGS -Wall -Wno-strict-aliasing -Wextra -Wno-unused-parameter -Wno-sign-compare -Wno-missing-field-initializers" fi AC_PATH_PROG(CTAGS, ctags, [:]) -@@ -223,7 +223,7 @@ if test "$test_for_geoip" = yes && test "$have_maxmind +@@ -219,7 +219,7 @@ if test "$test_for_geoip" = yes && test "$have_maxmind fi have_readline=no -AC_LIB_HAVE_LINKFLAGS(readline,, [ +AC_LIB_HAVE_LINKFLAGS(readline,ncurses, [ #include #include ], [rl_replace_line(0,0);]) if test x$ac_cv_libreadline = xyes; then diff --git a/net/ocserv/files/patch-doc_sample.config b/net/ocserv/files/patch-doc_sample.config index b21233ad088d..4cb7151e403a 100644 --- a/net/ocserv/files/patch-doc_sample.config +++ b/net/ocserv/files/patch-doc_sample.config @@ -1,195 +1,187 @@ ---- doc/sample.config.orig 2023-07-11 12:54:03 UTC +--- doc/sample.config.orig 2023-12-17 10:19:23 UTC +++ doc/sample.config @@ -19,7 +19,7 @@ # This enabled PAM authentication of the user. The gid-min option is used # by auto-select-group option, in order to select the minimum valid group ID. # -# plain[passwd=/etc/ocserv/ocpasswd,otp=/etc/ocserv/users.otp] +# plain[passwd=%%ETCDIR%%/ocpasswd,otp=%%ETCDIR%%/users.otp] # The plain option requires specifying a password file which contains # entries of the following format. # "username:groupname1,groupname2:encoded-password" @@ -28,7 +28,7 @@ # an oath password file to be used for one time passwords; the format of # the file is described in https://github.com/archiecobbs/mod-authn-otp/wiki/UsersFile # -# radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true,nas-identifier=name]: +# radius[config=%%PREFIX%%/etc/radiusclient/radiusclient.conf,groupconfig=true,nas-identifier=name]: # The radius option requires specifying freeradius-client configuration # file. If the groupconfig option is set, then config-per-user/group will be overridden, # and all configuration will be read from radius. That also includes the -@@ -47,10 +47,10 @@ - +@@ -48,9 +48,9 @@ #auth = "pam" #auth = "pam[gid-min=1000]" --#auth = "plain[passwd=./sample.passwd,otp=./sample.otp]" + #auth = "plain[passwd=./sample.passwd,otp=./sample.otp]" -auth = "plain[passwd=./sample.passwd]" -+#auth = "plain[passwd=%%ETCDIR%%/sample.passwd,otp=%%ETCDIR%%/sample.otp]" -+auth = "plain[passwd=%%ETCDIR%%/sample.passwd]" ++auth = "plain[passwd=%%ETCDIR%%/sample.passwd,otp=%%ETCDIR%%/sample.otp]" #auth = "certificate" -#auth = "radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true]" +#auth = "radius[config=%%PREFIX%%/etc/radiusclient/radiusclient.conf,groupconfig=true]" # Specify alternative authentication methods that are sufficient # for authentication. That is, if set, any of the methods enabled @@ -71,7 +71,7 @@ auth = "plain[passwd=./sample.passwd]" # PAM. # # Only one accounting method can be specified. -#acct = "radius[config=/etc/radiusclient/radiusclient.conf]" +#acct = "radius[config=%%PREFIX%%/etc/radiusclient/radiusclient.conf]" # Use listen-host to limit to specific IPs or to the IPs of a provided # hostname. -@@ -96,8 +96,8 @@ udp-port = 443 - # The user the worker processes will be run as. This should be a dedicated - # unprivileged user (e.g., 'ocserv') and no other services should run as this - # user. --run-as-user = nobody --run-as-group = daemon -+run-as-user = %%USERS%% -+run-as-group = %%GROUPS%% - - # socket file used for IPC with occtl. You only need to set that, - # if you use more than a single servers. @@ -124,22 +124,20 @@ socket-file = /var/run/ocserv-socket # certificate renewal (they are checked and reloaded periodically; # a SIGHUP signal to main server will force reload). -#server-cert = /etc/ocserv/server-cert.pem -#server-key = /etc/ocserv/server-key.pem -server-cert = ../tests/certs/server-cert.pem -server-key = ../tests/certs/server-key.pem -++server-cert = %%ETCDIR%%/server-cert.pem -++server-key = %%ETCDIR%%/server-key.pem ++server-cert = %%ETCDIR%%/server-cert.pem ++server-key = %%ETCDIR%%/server-key.pem # Diffie-Hellman parameters. Only needed if for old (pre 3.6.0 # versions of GnuTLS for supporting DHE ciphersuites. # Can be generated using: -# certtool --generate-dh-params --outfile /etc/ocserv/dh.pem -#dh-params = /etc/ocserv/dh.pem +# certtool --generate-dh-params --outfile %%ETCDIR%%/dh.pem +#dh-params = %%ETCDIR%%/dh.pem # In case PKCS #11, TPM or encrypted keys are used the PINs should be available # in files. The srk-pin-file is applicable to TPM keys only, and is the # storage root key. -#pin-file = /etc/ocserv/pin.txt -#srk-pin-file = /etc/ocserv/srkpin.txt +#pin-file = %%ETCDIR%%/pin.txt +#srk-pin-file = %%ETCDIR%%/srkpin.txt # The password or PIN needed to unlock the key in server-key file. # Only needed if the file is encrypted or a PKCS #11 object. This @@ -153,8 +151,7 @@ server-key = ../tests/certs/server-key.pem # The Certificate Authority that will be used to verify # client certificates (public keys) if certificate authentication # is set. -#ca-cert = /etc/ocserv/ca.pem -ca-cert = ../tests/certs/ca.pem +ca-cert = %%ETCDIR%%/ca.pem # The number of sub-processes to use for the security module (authentication) # processes. Typically this should not be set as the number of processes -@@ -171,17 +168,10 @@ ca-cert = ../tests/certs/ca.pem - ### operation. If the server key changes on reload, there may be connection +@@ -172,16 +169,6 @@ ca-cert = ../tests/certs/ca.pem ### failures during the reloading time. -+# ocserv 1.1.1 on FreeBSD does not currently support process isolation, -+# because ocserv only supports Linux's seccomp system, but not capsicum(4). -+#isolate-workers = false -# Whether to enable seccomp/Linux namespaces worker isolation. That restricts the number of -# system calls allowed to a worker process, in order to reduce damage from a -# bug in the worker process. It is available on Linux systems at a performance cost. -# The performance cost is roughly 2% overhead at transfer time (tested on a Linux 3.17.8). -# Note however, that process isolation is restricted to the specific libc versions -# the isolation was tested at. If you get random failures on worker processes, try -# disabling that option and report the failures you, along with system and debugging -# information at: https://gitlab.com/openconnect/ocserv/issues -isolate-workers = true - # A banner to be displayed on clients after connection #banner = "Welcome" -@@ -262,7 +252,7 @@ try-mtu-discovery = false +@@ -262,7 +249,7 @@ try-mtu-discovery = false # You can update this response periodically using: # ocsptool --ask --load-cert=your_cert --load-issuer=your_ca --outfile response # Make sure that you replace the following file in an atomic way. -#ocsp-response = /etc/ocserv/ocsp.der +#ocsp-response = %%ETCDIR%%/ocsp.der # The object identifier that will be used to read the user ID in the client # certificate. The object identifier should be part of the certificate's DN -@@ -281,7 +271,7 @@ cert-user-oid = 0.9.2342.19200300.100.1.1 +@@ -281,7 +268,7 @@ cert-user-oid = 0.9.2342.19200300.100.1.1 # See the manual to generate an empty CRL initially. The CRL will be reloaded # periodically when ocserv detects a change in the file. To force a reload use # SIGHUP. -#crl = /etc/ocserv/crl.pem -+#crl = %%ETCDIR%%/crl.pem ++crl = %%ETCDIR%%/crl.pem # Uncomment this to enable compression negotiation (LZS, LZ4). #compression = true -@@ -560,15 +550,15 @@ no-route = 192.168.5.0/255.255.255.0 +@@ -415,14 +402,14 @@ rekey-method = ssl + # STATS_BYTES_OUT, STATS_DURATION that contain a 64-bit counter of the bytes + # output from the tun device, and the duration of the session in seconds. + +-#connect-script = /usr/bin/myscript +-#disconnect-script = /usr/bin/myscript ++#connect-script = %%PREFIX%%/bin/myscript ++#disconnect-script = %%PREFIX%%/bin/myscript + + # This script is to be called when the client's advertised hostname becomes + # available. It will contain REASON with "host-update" value and the + # variable REMOTE_HOSTNAME in addition to the connect variables. + +-#host-update-script = /usr/bin/myhostnamescript ++#host-update-script = %%PREFIX%%/bin/myhostnamescript + + # UTMP + # Register the connected clients to utmp. This will allow viewing +@@ -563,15 +550,15 @@ no-route = 192.168.5.0/255.255.255.0 # Note the that following two firewalling options currently are available # in Linux systems with iptables software. --# If set, the script /usr/bin/ocserv-fw will be called to restrict -+# If set, the script %%PREFIX%%/bin/ocserv-fw will be called to restrict +-# If set, the script /usr/libexec/ocserv-fw will be called to restrict ++# If set, the script %%PREFIX%%/libexec/ocserv-fw will be called to restrict # the user to its allowed routes and prevent him from accessing # any other routes. In case of defaultroute, the no-routes are restricted. --# All the routes applied by ocserv can be reverted using /usr/bin/ocserv-fw -+# All the routes applied by ocserv can be reverted using %%PREFIX%%/bin/ocserv-fw +-# All the routes applied by ocserv can be reverted using /usr/libexec/ocserv-fw ++# All the routes applied by ocserv can be reverted using %%PREFIX%%/libexec/ocserv-fw # --removeall. This option can be set globally or in the per-user configuration. #restrict-user-to-routes = true # This option implies restrict-user-to-routes set to true. If set, the --# script /usr/bin/ocserv-fw will be called to restrict the user to -+# script %%PREFIX%%/bin/ocserv-fw will be called to restrict the user to +-# script /usr/libexec/ocserv-fw will be called to restrict the user to ++# script %%PREFIX%%/libexec/ocserv-fw will be called to restrict the user to # access specific ports in the network. This option can be set globally # or in the per-user configuration. #restrict-user-to-ports = "tcp(443), tcp(80), udp(443), sctp(99), tcp(583), icmp(), icmpv6()" -@@ -616,13 +606,13 @@ no-route = 192.168.5.0/255.255.255.0 +@@ -619,13 +606,13 @@ no-route = 192.168.5.0/255.255.255.0 # hostname to override any proposed by the user. Note also, that, any # routes, no-routes, DNS or NBNS servers present will overwrite the global ones. -#config-per-user = /etc/ocserv/config-per-user/ -#config-per-group = /etc/ocserv/config-per-group/ +#config-per-user = %%ETCDIR%%/config-per-user/ +#config-per-group = %%ETCDIR%%/config-per-group/ # When config-per-xxx is specified and there is no group or user that # matches, then utilize the following configuration. -#default-user-config = /etc/ocserv/defaults/user.conf -#default-group-config = /etc/ocserv/defaults/group.conf +#default-user-config = %%ETCDIR%%/defaults/user.conf +#default-group-config = %%ETCDIR%%/defaults/group.conf # The system command to use to setup a route. %{R} will be replaced with the # route/mask, %{RI} with the route in CIDR format, and %{D} with the (tun) device. -@@ -644,7 +634,7 @@ no-route = 192.168.5.0/255.255.255.0 - # In MIT kerberos you'll need to add in realms: - # EXAMPLE.COM = { - # kdc = https://ocserv.example.com/KdcProxy --# http_anchors = FILE:/etc/ocserv-ca.pem -+# http_anchors = FILE:%%ETCDIR%%/ocserv-ca.pem - # } - # In some distributions the krb5-k5tls plugin of kinit is required. - # -@@ -747,13 +737,13 @@ camouflage_realm = "Restricted Content" +@@ -750,13 +737,13 @@ camouflage_realm = "Restricted Content" [vhost:www.example.com] auth = "certificate" -ca-cert = ../tests/certs/ca.pem -+ca-cert = %%ETCDIR%%/ca.pem ++ca-cert = %%ETCDIR%%/www.example.com-ca.pem # The certificate set here must include a 'dns_name' corresponding to # the virtual host name. -server-cert = ../tests/certs/server-cert-secp521r1.pem -server-key = ../tests/certs/server-key-secp521r1.pem +server-cert = %%ETCDIR%%/server-cert-secp521r1.pem +server-key = %%ETCDIR%%/server-key-secp521r1.pem ipv4-network = 192.168.2.0 ipv4-netmask = 255.255.255.0 diff --git a/net/ocserv/files/patch-src_ip-util.h b/net/ocserv/files/patch-src_ip-util.h index ac62f740dc65..dfd23017f08b 100644 --- a/net/ocserv/files/patch-src_ip-util.h +++ b/net/ocserv/files/patch-src_ip-util.h @@ -1,10 +1,10 @@ ---- src/ip-util.h.orig 2023-08-15 11:26:31.522070000 +0300 -+++ src/ip-util.h 2023-08-15 11:28:31.360118000 +0300 +--- src/ip-util.h.orig 2023-12-16 05:18:58 UTC ++++ src/ip-util.h @@ -24,6 +24,7 @@ #include #include +#include - #define MAX_IP_STR 46 // Lower MTU bound is the value defined in RFC 791 + #define RFC_791_MTU (68) diff --git a/net/ocserv/files/patch-src_main-ban.c b/net/ocserv/files/patch-src_main-ban.c index 86483cf2e9f7..59e7229084ff 100644 --- a/net/ocserv/files/patch-src_main-ban.c +++ b/net/ocserv/files/patch-src_main-ban.c @@ -1,13 +1,13 @@ ---- src/main-ban.c.orig 2023-01-29 14:09:45 UTC +--- src/main-ban.c.orig 2023-12-17 10:19:23 UTC +++ src/main-ban.c -@@ -408,8 +408,8 @@ static bool test_local_ipv6(struct sockaddr_in6 * remo +@@ -407,8 +407,8 @@ static bool test_local_ipv6(struct sockaddr_in6 * remo unsigned index = 0; for (index = 0; index < 4; index ++) { - uint32_t l = local->sin6_addr.s6_addr32[index] & network->sin6_addr.s6_addr32[index]; - uint32_t r = remote->sin6_addr.s6_addr32[index] & network->sin6_addr.s6_addr32[index]; + uint32_t l = local->sin6_addr.__u6_addr.__u6_addr32[index] & network->sin6_addr.__u6_addr.__u6_addr32[index]; + uint32_t r = remote->sin6_addr.__u6_addr.__u6_addr32[index] & network->sin6_addr.__u6_addr.__u6_addr32[index]; if (l != r) return false; } diff --git a/net/ocserv/files/patch-src_main-user.c b/net/ocserv/files/patch-src_main-user.c new file mode 100644 index 000000000000..611524eee4c0 --- /dev/null +++ b/net/ocserv/files/patch-src_main-user.c @@ -0,0 +1,11 @@ +--- src/main-user.c.orig 2023-12-27 19:54:08 UTC ++++ src/main-user.c +@@ -47,7 +47,7 @@ + #include + #include + +-#define OCSERV_FW_SCRIPT "/usr/libexec/ocserv-fw" ++#define OCSERV_FW_SCRIPT "%%PREFIX%%/libexec/ocserv-fw" + + #define APPEND_TO_STR(str, val) \ + do { \ diff --git a/net/ocserv/files/patch-src_occtl_occtl.c b/net/ocserv/files/patch-src_occtl_occtl.c index b7c73f0d305b..e40bd9f8d9d7 100644 --- a/net/ocserv/files/patch-src_occtl_occtl.c +++ b/net/ocserv/files/patch-src_occtl_occtl.c @@ -1,11 +1,11 @@ ---- src/occtl/occtl.c.orig 2023-06-16 17:01:03 UTC +--- src/occtl/occtl.c.orig 2023-12-17 10:19:23 UTC +++ src/occtl/occtl.c -@@ -257,7 +257,7 @@ static int handle_help_cmd(CONN_TYPE * conn, const cha +@@ -260,7 +260,7 @@ static int handle_help_cmd(CONN_TYPE * conn, const cha static int handle_reset_cmd(CONN_TYPE * conn, const char *arg, cmd_params_st *params) { rl_reset_terminal(NULL); -#ifdef HAVE_ORIG_READLINE +#if defined(HAVE_ORIG_READLINE) && !defined(__FreeBSD__) rl_reset_screen_size(); #endif diff --git a/net/ocserv/pkg-plist b/net/ocserv/pkg-plist index 8d684679a078..2ffb05c47a27 100644 --- a/net/ocserv/pkg-plist +++ b/net/ocserv/pkg-plist @@ -1,10 +1,10 @@ bin/occtl bin/ocpasswd -bin/ocserv-fw +libexec/ocserv-fw man/man8/occtl.8.gz man/man8/ocpasswd.8.gz man/man8/ocserv.8.gz @sample etc/ocserv/ocserv.conf.sample sbin/ocserv sbin/ocserv-worker @dir(%%USERS%%,%%GROUPS%%,750) /var/run/ocserv