diff --git a/net/ocserv/Makefile b/net/ocserv/Makefile index 6dc13dac271e..10d9f2d3d2b9 100644 --- a/net/ocserv/Makefile +++ b/net/ocserv/Makefile @@ -1,86 +1,86 @@ PORTNAME= ocserv -DISTVERSION= 1.1.7 +DISTVERSION= 1.2.0 CATEGORIES= net net-vpn security MASTER_SITES= https://www.infradead.org/ocserv/download/ MAINTAINER= otis@FreeBSD.org COMMENT= Server implementing the AnyConnect SSL VPN protocol WWW= https://ocserv.gitlab.io/www/index.html LICENSE= GPLv2+ LICENSE_FILE= ${WRKSRC}/COPYING BUILD_DEPENDS= bash:shells/bash \ gsed:textproc/gsed LIB_DEPENDS= libev.so:devel/libev \ libgnutls.so:security/gnutls \ libiconv.so:converters/libiconv \ liblz4.so:archivers/liblz4 \ libnettle.so:security/nettle \ liboath.so:security/oath-toolkit \ libpcl.so:devel/pcl \ libprotobuf-c.so:devel/protobuf-c \ libtalloc.so:devel/talloc \ libtasn1.so:security/libtasn1 -USES= autoreconf cpe gperf libtool localbase ncurses pathfix \ - pkgconfig readline tar:xz +USES= autoreconf cpe gettext-tools gperf libtool localbase ncurses \ + pathfix pkgconfig readline tar:xz CPE_VENDOR= infradead USE_RC_SUBR= ocserv GNU_CONFIGURE= yes CONFIGURE_ARGS= --disable-namespaces \ --without-geoip \ --without-http-parser USERS= _ocserv GROUPS= _ocserv PLIST_SUB= GROUPS="${GROUPS}" \ USERS="${USERS}" PORTDOCS= AUTHORS ChangeLog NEWS README TODO PORTEXAMPLES= profile.xml sample.config sample.passwd OPTIONS_DEFINE= DOCS EXAMPLES GSSAPI MAXMIND RADIUS MAXMIND_DESC= Use Maxmind GeoIP library GSSAPI_LIB_DEPENDS= libkrb5support.so:security/krb5 GSSAPI_USES= gssapi:mit GSSAPI_CONFIGURE_OFF= --without-gssapi MAXMIND_LIB_DEPENDS= libmaxminddb.so:net/libmaxminddb MAXMIND_CONFIGURE_OFF= --without-maxmind RADIUS_LIB_DEPENDS= libradcli.so:net/radcli RADIUS_CONFIGURE_OFF= --without-radius .include post-patch: ${REINPLACE_CMD} 's|/usr/bin/ocserv-fw|${PREFIX}/bin/ocserv-fw|g' \ ${WRKSRC}/src/main-user.c ${REINPLACE_CMD} 's|/usr/bin/ocserv\\-fw|${PREFIX}/bin/ocserv\\-fw|g' \ ${WRKSRC}/doc/ocserv.8 ${REINPLACE_CMD} -e 's|%%PREFIX%%|${PREFIX}|g' \ -e 's|%%ETCDIR%%|${ETCDIR}|g' \ -e 's|%%USERS%%|${USERS}|g' \ -e 's|%%GROUPS%%|${GROUPS}|g' \ ${WRKSRC}/doc/sample.config .if "${PREFIX}" != "" && "${PREFIX}" != "/" && "${PREFIX}" != "/usr" ${REINPLACE_CMD} -E 's|^(#define DEFAULT_CFG_FILE ")(/etc/ocserv/ocserv.conf")|\1${PREFIX}\2|' ${WRKSRC}/src/config.c ${REINPLACE_CMD} -E 's|^(#define DEFAULT_OCPASSWD ")(/etc/ocserv/ocpasswd")|\1${PREFIX}\2|' ${WRKSRC}/src/ocpasswd/ocpasswd.c .endif post-install: ${MKDIR} ${STAGEDIR}${PREFIX}/etc/ocserv ${STAGEDIR}/var/run/ocserv ${INSTALL_DATA} ${WRKSRC}/doc/sample.config ${STAGEDIR}${PREFIX}/etc/ocserv/ocserv.conf.sample ${INSTALL_MAN} ${WRKSRC}/doc/*.8 ${STAGEDIR}${MANPREFIX}/man/man8 post-install-DOCS-on: ${MKDIR} ${STAGEDIR}${DOCSDIR} cd ${WRKSRC} && ${INSTALL_DATA} ${PORTDOCS} ${STAGEDIR}${DOCSDIR} post-install-EXAMPLES-on: ${MKDIR} ${STAGEDIR}${EXAMPLESDIR} cd ${WRKSRC}/doc && ${INSTALL_DATA} ${PORTEXAMPLES} ${STAGEDIR}${EXAMPLESDIR} .include diff --git a/net/ocserv/distinfo b/net/ocserv/distinfo index 30465e6a2b45..c10dada0e39f 100644 --- a/net/ocserv/distinfo +++ b/net/ocserv/distinfo @@ -1,3 +1,3 @@ -TIMESTAMP = 1683875970 -SHA256 (ocserv-1.1.7.tar.xz) = f30f7515e1e569ca2e68a96fa5e3dd10d49a18a40c981ad95b484d10835e3aa6 -SIZE (ocserv-1.1.7.tar.xz) = 844140 +TIMESTAMP = 1692132524 +SHA256 (ocserv-1.2.0.tar.xz) = 47a66e504a6b04bb04856176d78ee392ad1385d22d1670d4ed48b7b95e9dffc5 +SIZE (ocserv-1.2.0.tar.xz) = 746968 diff --git a/net/ocserv/files/patch-configure.ac b/net/ocserv/files/patch-configure.ac index 27f60419b701..f06c82846f51 100644 --- a/net/ocserv/files/patch-configure.ac +++ b/net/ocserv/files/patch-configure.ac @@ -1,20 +1,20 @@ ---- configure.ac.orig 2020-10-09 11:32:59 UTC +--- configure.ac.orig 2023-07-11 12:47:23 UTC +++ configure.ac -@@ -15,7 +15,7 @@ AM_PROG_AR - AM_PROG_CC_C_O +@@ -16,7 +16,7 @@ AM_PROG_CC_C_O AC_PROG_SED + if test "$GCC" = "yes" && ! expr "$CC" : clang >/dev/null 2>&1;then - CFLAGS="$CFLAGS -Wall -Wno-strict-aliasing -Wextra -Wno-unused-parameter -Wno-sign-compare -Wno-missing-field-initializers -Wno-implicit-fallthrough -Wno-stringop-truncation" + CFLAGS="$CFLAGS -Wall -Wno-strict-aliasing -Wextra -Wno-unused-parameter -Wno-sign-compare -Wno-missing-field-initializers" fi AC_PATH_PROG(CTAGS, ctags, [:]) -@@ -222,7 +222,7 @@ if test "$test_for_geoip" = yes && test "$have_maxmind +@@ -223,7 +223,7 @@ if test "$test_for_geoip" = yes && test "$have_maxmind fi have_readline=no -AC_LIB_HAVE_LINKFLAGS(readline,, [ +AC_LIB_HAVE_LINKFLAGS(readline,ncurses, [ #include #include ], [rl_replace_line(0,0);]) if test x$ac_cv_libreadline = xyes; then diff --git a/net/ocserv/files/patch-doc_sample.config b/net/ocserv/files/patch-doc_sample.config index f866507ac5a0..b21233ad088d 100644 --- a/net/ocserv/files/patch-doc_sample.config +++ b/net/ocserv/files/patch-doc_sample.config @@ -1,193 +1,195 @@ ---- doc/sample.config.orig 2022-12-02 18:59:51 UTC +--- doc/sample.config.orig 2023-07-11 12:54:03 UTC +++ doc/sample.config @@ -19,7 +19,7 @@ # This enabled PAM authentication of the user. The gid-min option is used # by auto-select-group option, in order to select the minimum valid group ID. # -# plain[passwd=/etc/ocserv/ocpasswd,otp=/etc/ocserv/users.otp] +# plain[passwd=%%ETCDIR%%/ocpasswd,otp=%%ETCDIR%%/users.otp] # The plain option requires specifying a password file which contains # entries of the following format. # "username:groupname1,groupname2:encoded-password" @@ -28,7 +28,7 @@ # an oath password file to be used for one time passwords; the format of # the file is described in https://github.com/archiecobbs/mod-authn-otp/wiki/UsersFile # -# radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true,nas-identifier=name]: +# radius[config=%%PREFIX%%/etc/radiusclient/radiusclient.conf,groupconfig=true,nas-identifier=name]: # The radius option requires specifying freeradius-client configuration # file. If the groupconfig option is set, then config-per-user/group will be overridden, # and all configuration will be read from radius. That also includes the @@ -47,10 +47,10 @@ #auth = "pam" #auth = "pam[gid-min=1000]" -#auth = "plain[passwd=./sample.passwd,otp=./sample.otp]" -auth = "plain[passwd=./sample.passwd]" +#auth = "plain[passwd=%%ETCDIR%%/sample.passwd,otp=%%ETCDIR%%/sample.otp]" +auth = "plain[passwd=%%ETCDIR%%/sample.passwd]" #auth = "certificate" -#auth = "radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true]" +#auth = "radius[config=%%PREFIX%%/etc/radiusclient/radiusclient.conf,groupconfig=true]" # Specify alternative authentication methods that are sufficient # for authentication. That is, if set, any of the methods enabled @@ -71,7 +71,7 @@ auth = "plain[passwd=./sample.passwd]" # PAM. # # Only one accounting method can be specified. -#acct = "radius[config=/etc/radiusclient/radiusclient.conf]" +#acct = "radius[config=%%PREFIX%%/etc/radiusclient/radiusclient.conf]" # Use listen-host to limit to specific IPs or to the IPs of a provided # hostname. @@ -96,8 +96,8 @@ udp-port = 443 # The user the worker processes will be run as. This should be a dedicated # unprivileged user (e.g., 'ocserv') and no other services should run as this # user. -run-as-user = nobody -run-as-group = daemon +run-as-user = %%USERS%% +run-as-group = %%GROUPS%% # socket file used for IPC with occtl. You only need to set that, # if you use more than a single servers. @@ -124,22 +124,20 @@ socket-file = /var/run/ocserv-socket # certificate renewal (they are checked and reloaded periodically; # a SIGHUP signal to main server will force reload). -#server-cert = /etc/ocserv/server-cert.pem -#server-key = /etc/ocserv/server-key.pem -server-cert = ../tests/certs/server-cert.pem -server-key = ../tests/certs/server-key.pem ++server-cert = %%ETCDIR%%/server-cert.pem ++server-key = %%ETCDIR%%/server-key.pem # Diffie-Hellman parameters. Only needed if for old (pre 3.6.0 # versions of GnuTLS for supporting DHE ciphersuites. # Can be generated using: -# certtool --generate-dh-params --outfile /etc/ocserv/dh.pem -#dh-params = /etc/ocserv/dh.pem +# certtool --generate-dh-params --outfile %%ETCDIR%%/dh.pem +#dh-params = %%ETCDIR%%/dh.pem # In case PKCS #11, TPM or encrypted keys are used the PINs should be available # in files. The srk-pin-file is applicable to TPM keys only, and is the # storage root key. -#pin-file = /etc/ocserv/pin.txt -#srk-pin-file = /etc/ocserv/srkpin.txt +#pin-file = %%ETCDIR%%/pin.txt +#srk-pin-file = %%ETCDIR%%/srkpin.txt # The password or PIN needed to unlock the key in server-key file. # Only needed if the file is encrypted or a PKCS #11 object. This @@ -153,8 +151,7 @@ server-key = ../tests/certs/server-key.pem # The Certificate Authority that will be used to verify # client certificates (public keys) if certificate authentication # is set. -#ca-cert = /etc/ocserv/ca.pem -ca-cert = ../tests/certs/ca.pem +ca-cert = %%ETCDIR%%/ca.pem # The number of sub-processes to use for the security module (authentication) # processes. Typically this should not be set as the number of processes -@@ -172,15 +169,9 @@ ca-cert = ../tests/certs/ca.pem +@@ -171,17 +168,10 @@ ca-cert = ../tests/certs/ca.pem + ### operation. If the server key changes on reload, there may be connection ### failures during the reloading time. ++# ocserv 1.1.1 on FreeBSD does not currently support process isolation, ++# because ocserv only supports Linux's seccomp system, but not capsicum(4). ++#isolate-workers = false -# Whether to enable seccomp/Linux namespaces worker isolation. That restricts the number of -# system calls allowed to a worker process, in order to reduce damage from a -# bug in the worker process. It is available on Linux systems at a performance cost. -# The performance cost is roughly 2% overhead at transfer time (tested on a Linux 3.17.8). -# Note however, that process isolation is restricted to the specific libc versions -# the isolation was tested at. If you get random failures on worker processes, try -# disabling that option and report the failures you, along with system and debugging --# information at: https://gitlab.com/ocserv/ocserv/issues +-# information at: https://gitlab.com/openconnect/ocserv/issues -isolate-workers = true -+# ocserv 1.1.1 on FreeBSD does not currently support process isolation, -+# because ocserv only supports Linux's seccomp system, but not capsicum(4). -+#isolate-workers = false - +- # A banner to be displayed on clients after connection #banner = "Welcome" -@@ -262,7 +253,7 @@ try-mtu-discovery = false + +@@ -262,7 +252,7 @@ try-mtu-discovery = false # You can update this response periodically using: # ocsptool --ask --load-cert=your_cert --load-issuer=your_ca --outfile response # Make sure that you replace the following file in an atomic way. -#ocsp-response = /etc/ocserv/ocsp.der +#ocsp-response = %%ETCDIR%%/ocsp.der # The object identifier that will be used to read the user ID in the client # certificate. The object identifier should be part of the certificate's DN -@@ -281,7 +272,7 @@ cert-user-oid = 0.9.2342.19200300.100.1.1 +@@ -281,7 +271,7 @@ cert-user-oid = 0.9.2342.19200300.100.1.1 # See the manual to generate an empty CRL initially. The CRL will be reloaded # periodically when ocserv detects a change in the file. To force a reload use # SIGHUP. -#crl = /etc/ocserv/crl.pem +#crl = %%ETCDIR%%/crl.pem # Uncomment this to enable compression negotiation (LZS, LZ4). #compression = true -@@ -558,15 +549,15 @@ no-route = 192.168.5.0/255.255.255.0 +@@ -560,15 +550,15 @@ no-route = 192.168.5.0/255.255.255.0 # Note the that following two firewalling options currently are available # in Linux systems with iptables software. -# If set, the script /usr/bin/ocserv-fw will be called to restrict +# If set, the script %%PREFIX%%/bin/ocserv-fw will be called to restrict # the user to its allowed routes and prevent him from accessing # any other routes. In case of defaultroute, the no-routes are restricted. -# All the routes applied by ocserv can be reverted using /usr/bin/ocserv-fw +# All the routes applied by ocserv can be reverted using %%PREFIX%%/bin/ocserv-fw # --removeall. This option can be set globally or in the per-user configuration. #restrict-user-to-routes = true # This option implies restrict-user-to-routes set to true. If set, the -# script /usr/bin/ocserv-fw will be called to restrict the user to +# script %%PREFIX%%/bin/ocserv-fw will be called to restrict the user to # access specific ports in the network. This option can be set globally # or in the per-user configuration. #restrict-user-to-ports = "tcp(443), tcp(80), udp(443), sctp(99), tcp(583), icmp(), icmpv6()" -@@ -614,13 +605,13 @@ no-route = 192.168.5.0/255.255.255.0 +@@ -616,13 +606,13 @@ no-route = 192.168.5.0/255.255.255.0 # hostname to override any proposed by the user. Note also, that, any # routes, no-routes, DNS or NBNS servers present will overwrite the global ones. -#config-per-user = /etc/ocserv/config-per-user/ -#config-per-group = /etc/ocserv/config-per-group/ +#config-per-user = %%ETCDIR%%/config-per-user/ +#config-per-group = %%ETCDIR%%/config-per-group/ # When config-per-xxx is specified and there is no group or user that # matches, then utilize the following configuration. -#default-user-config = /etc/ocserv/defaults/user.conf -#default-group-config = /etc/ocserv/defaults/group.conf +#default-user-config = %%ETCDIR%%/defaults/user.conf +#default-group-config = %%ETCDIR%%/defaults/group.conf # The system command to use to setup a route. %{R} will be replaced with the # route/mask, %{RI} with the route in CIDR format, and %{D} with the (tun) device. -@@ -642,7 +633,7 @@ no-route = 192.168.5.0/255.255.255.0 +@@ -644,7 +634,7 @@ no-route = 192.168.5.0/255.255.255.0 # In MIT kerberos you'll need to add in realms: # EXAMPLE.COM = { # kdc = https://ocserv.example.com/KdcProxy -# http_anchors = FILE:/etc/ocserv-ca.pem +# http_anchors = FILE:%%ETCDIR%%/ocserv-ca.pem # } # In some distributions the krb5-k5tls plugin of kinit is required. # -@@ -722,13 +713,13 @@ client-bypass-protocol = false +@@ -747,13 +737,13 @@ camouflage_realm = "Restricted Content" [vhost:www.example.com] auth = "certificate" -ca-cert = ../tests/certs/ca.pem +ca-cert = %%ETCDIR%%/ca.pem # The certificate set here must include a 'dns_name' corresponding to # the virtual host name. -server-cert = ../tests/certs/server-cert-secp521r1.pem -server-key = ../tests/certs/server-key-secp521r1.pem +server-cert = %%ETCDIR%%/server-cert-secp521r1.pem +server-key = %%ETCDIR%%/server-key-secp521r1.pem ipv4-network = 192.168.2.0 ipv4-netmask = 255.255.255.0 diff --git a/net/ocserv/files/patch-src_ip-util.h b/net/ocserv/files/patch-src_ip-util.h new file mode 100644 index 000000000000..ac62f740dc65 --- /dev/null +++ b/net/ocserv/files/patch-src_ip-util.h @@ -0,0 +1,10 @@ +--- src/ip-util.h.orig 2023-08-15 11:26:31.522070000 +0300 ++++ src/ip-util.h 2023-08-15 11:28:31.360118000 +0300 +@@ -24,6 +24,7 @@ + + #include + #include ++#include + + #define MAX_IP_STR 46 + // Lower MTU bound is the value defined in RFC 791 diff --git a/net/ocserv/files/patch-src_main.c b/net/ocserv/files/patch-src_main.c new file mode 100644 index 000000000000..f5c7037ce8e3 --- /dev/null +++ b/net/ocserv/files/patch-src_main.c @@ -0,0 +1,25 @@ +--- src/main.c.orig 2023-06-16 17:01:03 UTC ++++ src/main.c +@@ -215,9 +215,9 @@ int _listen_ports(void *pool, struct perm_cfg_st* conf + #endif + + y = 1; +- if (setsockopt(s, SOL_SOCKET, SO_REUSEADDR, ++ if (setsockopt(s, SOL_SOCKET, SO_REUSEPORT, + (const void *) &y, sizeof(y)) < 0) { +- perror("setsockopt(SO_REUSEADDR) failed"); ++ perror("setsockopt(SO_REUSEPORT) failed"); + } + + if (ptr->ai_socktype == SOCK_DGRAM) { +@@ -424,8 +424,8 @@ int y; + #endif + + y = 1; +- if (setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, (const void *) &y, sizeof(y)) < 0) { +- perror("setsockopt(SO_REUSEADDR) failed"); ++ if (setsockopt(fd, SOL_SOCKET, SO_REUSEPORT, (const void *) &y, sizeof(y)) < 0) { ++ perror("setsockopt(SO_REUSEPORT) failed"); + } + + if (GETCONFIG(s)->try_mtu) { diff --git a/net/ocserv/files/patch-src_occtl_occtl.c b/net/ocserv/files/patch-src_occtl_occtl.c index de75a421e6fe..b7c73f0d305b 100644 --- a/net/ocserv/files/patch-src_occtl_occtl.c +++ b/net/ocserv/files/patch-src_occtl_occtl.c @@ -1,11 +1,11 @@ ---- src/occtl/occtl.c.orig 2020-08-06 18:51:31 UTC +--- src/occtl/occtl.c.orig 2023-06-16 17:01:03 UTC +++ src/occtl/occtl.c -@@ -264,7 +264,7 @@ static int handle_help_cmd(CONN_TYPE * conn, const cha +@@ -257,7 +257,7 @@ static int handle_help_cmd(CONN_TYPE * conn, const cha static int handle_reset_cmd(CONN_TYPE * conn, const char *arg, cmd_params_st *params) { rl_reset_terminal(NULL); -#ifdef HAVE_ORIG_READLINE +#if defined(HAVE_ORIG_READLINE) && !defined(__FreeBSD__) rl_reset_screen_size(); #endif diff --git a/net/ocserv/files/patch-src_occtl_time.c b/net/ocserv/files/patch-src_occtl_time.c index 85ef4c1819ec..0feb85fdffd0 100644 --- a/net/ocserv/files/patch-src_occtl_time.c +++ b/net/ocserv/files/patch-src_occtl_time.c @@ -1,33 +1,33 @@ ---- src/occtl/time.c.orig 2017-09-09 08:34:02 UTC +--- src/occtl/time.c.orig 2023-06-09 13:21:24 UTC +++ src/occtl/time.c @@ -36,7 +36,7 @@ void print_time_ival7(char output[MAX_TMPSTR_SIZE], ti { time_t t = t1 - t2; -- if ((long)t < (long)0) { +- if ((long)t < 0) { + if ((long long)t < (long long)0) { /* system clock changed? */ snprintf(output, MAX_TMPSTR_SIZE, " ? "); return; @@ -44,17 +44,17 @@ void print_time_ival7(char output[MAX_TMPSTR_SIZE], ti - + if (t >= 48 * 60 * 60) /* 2 days or more */ - snprintf(output, MAX_TMPSTR_SIZE, _("%2ludays"), (long)t / (24 * 60 * 60)); + snprintf(output, MAX_TMPSTR_SIZE, _("%2lludays"), (long long)t / (24 * 60 * 60)); else if (t >= 60 * 60) /* 1 hour or more */ /* Translation Hint: Hours:Minutes */ - snprintf(output, MAX_TMPSTR_SIZE, _("%2luh:%02um"), (long)t / (60 * 60), + snprintf(output, MAX_TMPSTR_SIZE, _("%2lluh:%02um"), (long long)t / (60 * 60), (unsigned)((t / 60) % 60)); else if (t > 60) /* 1 minute or more */ /* Translation Hint: Minutes:Seconds */ - snprintf(output, MAX_TMPSTR_SIZE, "%2lum:%02us", (long)t / 60, (unsigned)t % 60); + snprintf(output, MAX_TMPSTR_SIZE, "%2llum:%02us", (long long)t / 60, (unsigned)t % 60); else /* Translation Hint: Seconds:Centiseconds */ - snprintf(output, MAX_TMPSTR_SIZE, _("%5lus"), (long)t); + snprintf(output, MAX_TMPSTR_SIZE, _("%5llus"), (long long)t); }