From owner-svn-ports-head@freebsd.org Sat Apr 25 14:38:22 2020
Message-Id: <202004251438.03PEcLoS031886@repo.freebsd.org>
From: Matthias Andree
Date: Sat, 25 Apr 2020 14:38:21 +0000 (UTC)
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: svn commit: r532955 - in head/net/ocserv: . files
X-SVN-Group: ports-head
X-SVN-Commit-Author: mandree
X-SVN-Commit-Paths: in head/net/ocserv: . files
X-SVN-Commit-Revision: 532955
X-SVN-Commit-Repository: ports

Author: mandree
Date: Sat Apr 25 14:38:20 2020
New Revision: 532955

URL: https://svnweb.freebsd.org/changeset/ports/532955

Log:
  net/ocserv: Update to 1.0.1

  Changelog: https://gitlab.com/openconnect/ocserv/-/blob/1.0.1/NEWS#L1

  This commit makes the following additional changes from Juraj's submission:
  - fix LIB_DEPENDS to libpcl.so:devel/pcl (not devel/libpcl)
  - replace LOCALBASE by PREFIX throughout, as these are internal references
  - remove the src/config.c patch, it makes no sense to first statically
    patch and then run REINPLACE_CMD for DEFAULT_CFG_FILE
  - remove doc/sample.config from another REINPLACE_CMD
  - remove @ - it makes no sense to hide running commands
  - patch example configuration to avoid isolate-workers = true, which
    currently only works on Linux's seccomp.
  - in the same vein, put up a warning pkg-message that there is no worker
    process isolation
  - install the @sample file as ocserv.conf.sample, not conf.sample, so it
    matches the default configuration file path

  Things that could be done but are not:
  - rcfile option to configure a separate config file

  PR:		245521
  Submitted by:	Juraj Lutter
  Approved by:	cpm@ (maintainer timeout, 15 d)

Added:
  head/net/ocserv/pkg-message   (contents, props changed)
Deleted:
  head/net/ocserv/files/patch-src_config.c
  head/net/ocserv/files/patch-src_tun.c
  head/net/ocserv/files/patch-src_tun.h
  head/net/ocserv/files/patch-src_worker-auth.c
Modified:
  head/net/ocserv/Makefile
  head/net/ocserv/distinfo
  head/net/ocserv/files/ocserv.conf
  head/net/ocserv/files/patch-configure.ac
  head/net/ocserv/files/patch-doc_sample.config
  head/net/ocserv/pkg-plist

Modified: head/net/ocserv/Makefile ============================================================================== --- head/net/ocserv/Makefile Sat Apr 25 14:11:29 2020 (r532954) +++ head/net/ocserv/Makefile Sat Apr 25 14:38:20 2020 (r532955) @@ -2,8 +2,7 @@ # $FreeBSD$ PORTNAME= ocserv -PORTVERSION= 0.12.4 -PORTREVISION= 2 +PORTVERSION= 1.0.1 CATEGORIES= net net-vpn security MASTER_SITES= ftp://ftp.infradead.org/pub/ocserv/ @@ -24,7 +23,7 @@ LIB_DEPENDS= liblz4.so:archivers/liblz4 \ libtasn1.so:security/libtasn1 \ libnettle.so:security/nettle \ liboath.so:security/oath-toolkit \ - libpcl.so:devel/libpcl + libpcl.so:devel/pcl USES= autoreconf cpe gperf libtool localbase ncurses \ pathfix pkgconfig readline tar:xz
@@ -53,25 +52,28 @@ GSSAPI_CONFIGURE_OFF= --without-gssapi RADIUS_LIB_DEPENDS= libradcli.so:net/radcli RADIUS_CONFIGURE_OFF= --without-radius +.include + post-patch: - @${REINPLACE_CMD} 's|/usr/bin/ocserv-fw|${LOCALBASE}/bin/ocserv-fw|g' \ - ${WRKSRC}/src/main-user.c \ - ${WRKSRC}/doc/sample.config - @${REINPLACE_CMD} 's|/usr/bin/ocserv\\-fw|${LOCALBASE}/bin/ocserv\\-fw|g' \ + ${REINPLACE_CMD} 's|/usr/bin/ocserv-fw|${PREFIX}/bin/ocserv-fw|g' \ + ${WRKSRC}/src/main-user.c + ${REINPLACE_CMD} 's|/usr/bin/ocserv\\-fw|${PREFIX}/bin/ocserv\\-fw|g' \ ${WRKSRC}/doc/ocserv.8 +.if "${PREFIX}" != "" && "${PREFIX}" != "/" && "${PREFIX}" != "/usr" + ${REINPLACE_CMD} -E 's|^(#define DEFAULT_CFG_FILE ")(/etc/ocserv/ocserv.conf")|\1${PREFIX}\2|' ${WRKSRC}/src/config.c +.endif post-install: - @${MKDIR} ${STAGEDIR}${PREFIX}/etc/ocserv - @${MKDIR} ${STAGEDIR}/var/run/ocserv - ${INSTALL_DATA} ${FILESDIR}/ocserv.conf ${STAGEDIR}${PREFIX}/etc/ocserv/conf.sample + ${MKDIR} ${STAGEDIR}${PREFIX}/etc/ocserv ${STAGEDIR}/var/run/ocserv + ${INSTALL_DATA} ${FILESDIR}/ocserv.conf ${STAGEDIR}${PREFIX}/etc/ocserv/ocserv.conf.sample ${INSTALL_MAN} ${WRKSRC}/doc/*.8 ${STAGEDIR}${MANPREFIX}/man/man8 post-install-DOCS-on: - @${MKDIR} ${STAGEDIR}${DOCSDIR} + ${MKDIR} ${STAGEDIR}${DOCSDIR} cd ${WRKSRC} && ${INSTALL_DATA} ${PORTDOCS} ${STAGEDIR}${DOCSDIR} post-install-EXAMPLES-on: - @${MKDIR} ${STAGEDIR}${EXAMPLESDIR} + ${MKDIR} ${STAGEDIR}${EXAMPLESDIR} cd ${WRKSRC}/doc && ${INSTALL_DATA} ${PORTEXAMPLES} ${STAGEDIR}${EXAMPLESDIR} -.include +.include Modified: head/net/ocserv/distinfo ============================================================================== --- head/net/ocserv/distinfo Sat Apr 25 14:11:29 2020 (r532954) +++ head/net/ocserv/distinfo Sat Apr 25 14:38:20 2020 (r532955) 
@@ -1,3 +1,3 @@ -TIMESTAMP = 1562531995 -SHA256 (ocserv-0.12.4.tar.xz) = 05c01effa8a7c2f022616fcb62bade4df51aa7f0035248671da12819d62cb185 -SIZE (ocserv-0.12.4.tar.xz) = 763540 +TIMESTAMP = 1586552655 +SHA256 (ocserv-1.0.1.tar.xz) = 59d9ef7a1aeb95ff6e762e2a0f231b3fae2ea420f68a1cf09d39a26395040f4b +SIZE (ocserv-1.0.1.tar.xz) = 787800 Modified: head/net/ocserv/files/ocserv.conf ============================================================================== --- head/net/ocserv/files/ocserv.conf Sat Apr 25 14:11:29 2020 (r532954) +++ head/net/ocserv/files/ocserv.conf Sat Apr 25 14:38:20 2020 (r532955) @@ -26,7 +26,7 @@ # One entry must be listed per line, and 'ocpasswd' should be used # to generate password entries. The 'otp' suboption allows one to specify # an oath password file to be used for one time passwords; the format of -# the file is described in https://code.google.com/p/mod-authn-otp/wiki/UsersFile +# the file is described in https://github.com/archiecobbs/mod-authn-otp/wiki/UsersFile # # radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true,nas-identifier=name]: # The radius option requires specifying freeradius-client configuration @@ -77,6 +77,10 @@ auth = "plain[passwd=./sample.passwd]" # hostname. #listen-host = [IP|HOSTNAME] +# Use udp-listen-host to limit udp to specific IPs or to the IPs of a provided +# hostname. if not set, listen-host will be used +#udp-listen-host = [IP|HOSTNAME] + # When the server has a dynamic DNS address (that may change), # should set that to true to ask the client to resolve again on # reconnects. @@ -171,6 +175,9 @@ ca-cert = ../tests/certs/ca.pem ### operation. If the server key changes on reload, there may be connection ### failures during the reloading time. +# ocserv 1.0.1 on FreeBSD does not currently support process isolation, +# because ocserv only supports Linux's seccomp system, but not capsicum(4). +#isolate-workers = false # A banner to be displayed on clients #banner = "Welcome" 
@@ -391,7 +398,8 @@ rekey-method = ssl # client), OCSERV_NO_ROUTES, OCSERV_DNS (the DNS servers for this client), # will contain a space separated list of routes or DNS servers. A version # of these variables with the 4 or 6 suffix will contain only the IPv4 or -# IPv6 values. +# IPv6 values. The connect script must return zero as exit code, or the +# client connection will be refused. # The disconnect script will receive the additional values: STATS_BYTES_IN, # STATS_BYTES_OUT, STATS_DURATION that contain a 64-bit counter of the bytes @@ -566,7 +574,7 @@ no-route = 192.168.5.0/255.255.255.0 # keepalive, dpd, mobile-dpd, max-same-clients, tunnel-all-dns, # restrict-user-to-routes, user-profile, cgroup, stats-report-time, # mtu, idle-timeout, mobile-idle-timeout, restrict-user-to-ports, -# and session-timeout. +# split-dns and session-timeout. # # Note that the 'iroute' option allows one to add routes on the server # based on a user or group. The syntax depends on the input accepted Modified: head/net/ocserv/files/patch-configure.ac ============================================================================== --- head/net/ocserv/files/patch-configure.ac Sat Apr 25 14:11:29 2020 (r532954) +++ head/net/ocserv/files/patch-configure.ac Sat Apr 25 14:38:20 2020 (r532955) @@ -1,4 +1,4 @@ ---- configure.ac.orig 2018-04-22 08:43:20 UTC +--- configure.ac.orig 2020-04-09 21:07:12 UTC +++ configure.ac @@ -15,7 +15,7 @@ AM_PROG_AR AM_PROG_CC_C_O 
@@ -9,7 +9,7 @@ fi AC_PATH_PROG(CTAGS, ctags, [:]) AC_PATH_PROG(CSCOPE, cscope, [:]) -@@ -168,7 +168,7 @@ if test "$test_for_geoip" = yes;then +@@ -199,7 +199,7 @@ if test "$test_for_geoip" = yes && test "$have_maxmind fi have_readline=no Modified: head/net/ocserv/files/patch-doc_sample.config ============================================================================== --- head/net/ocserv/files/patch-doc_sample.config Sat Apr 25 14:11:29 2020 (r532954) +++ head/net/ocserv/files/patch-doc_sample.config Sat Apr 25 14:38:20 2020 (r532955) @@ -1,4 +1,4 @@ ---- doc/sample.config.orig 2018-04-15 19:13:39 UTC +--- doc/sample.config.orig 2020-04-09 20:56:20 UTC +++ doc/sample.config @@ -19,7 +19,7 @@ # This enabled PAM authentication of the user. The gid-min option is used @@ -9,7 +9,7 @@ # The plain option requires specifying a password file which contains # entries of the following format. # "username:groupname1,groupname2:encoded-password" -@@ -102,8 +102,8 @@ udp-port = 443 +@@ -106,8 +106,8 @@ udp-port = 443 # The user the worker processes will be run as. It should be # unique (no other services run as this user). @@ -20,7 +20,7 @@ # socket file used for IPC with occtl. You only need to set that, # if you use more than a single servers. -@@ -172,16 +172,6 @@ ca-cert = ../tests/certs/ca.pem +@@ -176,15 +176,9 @@ ca-cert = ../tests/certs/ca.pem ### failures during the reloading time. 
@@ -33,11 +33,13 @@ -# disabling that option and report the failures you, along with system and debugging -# information at: https://gitlab.com/ocserv/ocserv/issues -isolate-workers = true -- ++# ocserv 1.0.1 on FreeBSD does not currently support process isolation, ++# because ocserv only supports Linux's seccomp system, but not capsicum(4). ++#isolate-workers = false + # A banner to be displayed on clients #banner = "Welcome" - -@@ -530,15 +520,15 @@ no-route = 192.168.5.0/255.255.255.0 +@@ -535,15 +529,15 @@ no-route = 192.168.5.0/255.255.255.0 # Note the that following two firewalling options currently are available # in Linux systems with iptables software. @@ -56,7 +58,7 @@ # access specific ports in the network. This option can be set globally # or in the per-user configuration. #restrict-user-to-ports = "tcp(443), tcp(80), udp(443), sctp(99), tcp(583), icmp(), icmpv6()" -@@ -586,13 +576,13 @@ no-route = 192.168.5.0/255.255.255.0 +@@ -591,13 +585,13 @@ no-route = 192.168.5.0/255.255.255.0 # hostname to override any proposed by the user. Note also, that, any # routes, no-routes, DNS or NBNS servers present will overwrite the global ones. Added: head/net/ocserv/pkg-message ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/net/ocserv/pkg-message Sat Apr 25 14:38:20 2020 (r532955) @@ -0,0 +1,7 @@ +[ +{ message: <
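Review bot: in the Makefile hunk at `@@ -53,25 +52,28 @@`, the guard `.if "${PREFIX}" != "" && "${PREFIX}" != "/" && "${PREFIX}" != "/usr"` around the DEFAULT_CFG_FILE rewrite leaves a path mismatch for PREFIX=/usr: post-install still stages the sample as `${STAGEDIR}${PREFIX}/etc/ocserv/ocserv.conf.sample` (that is, under /usr/etc/ocserv/), while the compiled-in default remains /etc/ocserv/ocserv.conf, so a configuration copied beside the sample would not be found by the daemon. Either drop the `/usr` exclusion or derive both paths from the same variable. In the same hunk, `${MKDIR} ${STAGEDIR}/var/run/ocserv` creates the runtime directory only at package install time; on hosts where /var/run is a memory filesystem it will be gone after a reboot, so whatever starts the daemon should create it (or the occtl socket path should be configured elsewhere). Also, the `+.include` added before `post-patch:` and the changed trailing `-.include`/`+.include` appear in this view without their file arguments, so the ordering of the options and port mk includes could not be checked from the mail alone.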
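Review bot: in the files/ocserv.conf hunk at `@@ -77,6 +77,10 @@`, the new comment for `udp-listen-host` starts a sentence in lowercase ("if not set, listen-host will be used") and mixes "udp" with the surrounding file's capitalised "UDP"; the rest of the file reads as documentation, so match its style.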
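Review bot: in the files/ocserv.conf hunk at `@@ -171,6 +175,9 @@`, the added `#isolate-workers = false` is commented out, so the effective setting is whatever the daemon's built-in default is, not the value the comment displays; since the point of this change (and of the new pkg-message) is to warn that worker processes are not isolated on FreeBSD, either state the effective default in the comment or set the option explicitly so an administrator reading the shipped configuration is not misled. The same applies to the matching block in patch-doc_sample.config, where the upstream `isolate-workers = true` line is removed and the same commented-out value is added in its place.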
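Review bot: the added head/net/ocserv/pkg-message is truncated in this view after `{ message: <`, although the hunk header `@@ -0,0 +1,7 @@` announces seven lines, so the warning text the log promises (that there is no worker process isolation) could not be reviewed here; make sure the UCL block is properly closed and that the message names the `isolate-workers` option so it ties back to the comment added in ocserv.conf.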