From owner-svn-ports-head@freebsd.org Fri Jan 29 21:26:12 2021
Return-Path:
Delivered-To: svn-ports-head@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id AB4244F9CAC; Fri, 29 Jan 2021 21:26:12 +0000 (UTC) (envelope-from otis@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4DS9Pc4Vlnz4RZD; Fri, 29 Jan 2021 21:26:12 +0000 (UTC) (envelope-from otis@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 8D6E5187E; Fri, 29 Jan 2021 21:26:12 +0000 (UTC) (envelope-from otis@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id 10TLQCDl038223; Fri, 29 Jan 2021 21:26:12 GMT (envelope-from otis@FreeBSD.org)
Received: (from otis@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id 10TLQBR4038218; Fri, 29 Jan 2021 21:26:11 GMT (envelope-from otis@FreeBSD.org)
Message-Id: <202101292126.10TLQBR4038218@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: otis set sender to otis@FreeBSD.org using -f
From: Juraj Lutter
Date: Fri, 29 Jan 2021 21:26:11 +0000 (UTC)
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: svn commit: r563249 - in head/net/ocserv: . files
X-SVN-Group: ports-head
X-SVN-Commit-Author: otis
X-SVN-Commit-Paths: in head/net/ocserv: . files
X-SVN-Commit-Revision: 563249
X-SVN-Commit-Repository: ports
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-ports-head@freebsd.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: SVN commit messages for the ports tree for head
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Fri, 29 Jan 2021 21:26:12 -0000

Author: otis
Date: Fri Jan 29 21:26:11 2021
New Revision: 563249

URL: https://svnweb.freebsd.org/changeset/ports/563249

Log:
  net/ocserv: Update to 1.1.2

  - Update to 1.1.2
  - Reformat Makefile according to portclippy/portfmt
  - Install sample config with PREFIX-ized values where appropriate.
  - Take MAINTAINERship

  Reviewed by:  osa (mentor)
  Approved by:  osa (mentor)
  MFH:          2021Q1
  Differential Revision:  https://reviews.freebsd.org/D28346

Added:
  head/net/ocserv/files/patch-src_main-ban.c   (contents, props changed)
Deleted:
  head/net/ocserv/files/ocserv.conf
Modified:
  head/net/ocserv/Makefile
  head/net/ocserv/distinfo
  head/net/ocserv/files/patch-doc_sample.config
  head/net/ocserv/files/patch-src_occtl_occtl.c

Modified: head/net/ocserv/Makefile ============================================================================== --- head/net/ocserv/Makefile Fri Jan 29 21:24:44 2021 (r563248) +++ head/net/ocserv/Makefile Fri Jan 29 21:26:11 2021 (r563249) @@ -2,12 +2,11 @@ # $FreeBSD$ PORTNAME= ocserv -PORTVERSION= 1.1.1 -PORTREVISION= 1 +DISTVERSION= 1.1.2 CATEGORIES= net net-vpn security MASTER_SITES= ftp://ftp.infradead.org/pub/ocserv/ -MAINTAINER= ports@FreeBSD.org +MAINTAINER= otis@FreeBSD.org COMMENT= Server implementing the AnyConnect SSL VPN protocol LICENSE= GPLv2+ 
@@ -15,49 +14,47 @@ LICENSE_FILE= ${WRKSRC}/LICENSE BUILD_DEPENDS= bash:shells/bash \ gsed:textproc/gsed -LIB_DEPENDS= liblz4.so:archivers/liblz4 \ - libiconv.so:converters/libiconv \ - libev.so:devel/libev \ - libtalloc.so:devel/talloc \ - libprotobuf-c.so:devel/protobuf-c \ +LIB_DEPENDS= libev.so:devel/libev \ libgnutls.so:security/gnutls \ - libtasn1.so:security/libtasn1 \ + libiconv.so:converters/libiconv \ + liblz4.so:archivers/liblz4 \ libnettle.so:security/nettle \ liboath.so:security/oath-toolkit \ - libpcl.so:devel/pcl + libpcl.so:devel/pcl \ + libprotobuf-c.so:devel/protobuf-c \ + libtalloc.so:devel/talloc \ + libtasn1.so:security/libtasn1 -USES= autoreconf cpe gperf libtool localbase ncurses \ - pathfix pkgconfig readline tar:xz +USES= autoreconf cpe gperf libtool localbase ncurses pathfix \ + pkgconfig readline tar:xz CPE_VENDOR= infradead +USE_RC_SUBR= ocserv GNU_CONFIGURE= yes -CONFIGURE_ARGS= --without-geoip \ - --without-http-parser \ - --disable-namespaces +CONFIGURE_ARGS= --disable-namespaces \ + --without-geoip \ + --without-http-parser USERS= _ocserv GROUPS= _ocserv -USE_RC_SUBR= ocserv - -PLIST_SUB= USERS="${USERS}" GROUPS="${GROUPS}" - -OPTIONS_DEFINE= DOCS EXAMPLES GSSAPI MAXMIND RADIUS - +PLIST_SUB= GROUPS="${GROUPS}" \ + USERS="${USERS}" PORTDOCS= AUTHORS ChangeLog NEWS README TODO PORTEXAMPLES= profile.xml sample.config sample.passwd -GSSAPI_USES= gssapi:mit +OPTIONS_DEFINE= DOCS EXAMPLES GSSAPI MAXMIND RADIUS + +MAXMIND_DESC= Use Maxmind GeoIP library + GSSAPI_LIB_DEPENDS= libkrb5support.so:security/krb5 +GSSAPI_USES= gssapi:mit GSSAPI_CONFIGURE_OFF= --without-gssapi - +MAXMIND_LIB_DEPENDS= libmaxminddb.so:net/libmaxminddb +MAXMIND_CONFIGURE_OFF= --without-maxmind RADIUS_LIB_DEPENDS= libradcli.so:net/radcli RADIUS_CONFIGURE_OFF= --without-radius -MAXMIND_DESC= Use Maxmind GeoIP library -MAXMIND_LIB_DEPENDS= libmaxminddb.so:net/libmaxminddb -MAXMIND_CONFIGURE_OFF= --without-maxmind - .include post-patch: 
@@ -65,13 +62,19 @@ post-patch: ${WRKSRC}/src/main-user.c ${REINPLACE_CMD} 's|/usr/bin/ocserv\\-fw|${PREFIX}/bin/ocserv\\-fw|g' \ ${WRKSRC}/doc/ocserv.8 + ${REINPLACE_CMD} -e 's|%%PREFIX%%|${PREFIX}|g' \ + -e 's|%%ETCDIR%%|${ETCDIR}|g' \ + -e 's|%%USERS%%|${USERS}|g' \ + -e 's|%%GROUPS%%|${GROUPS}|g' \ + ${WRKSRC}/doc/sample.config .if "${PREFIX}" != "" && "${PREFIX}" != "/" && "${PREFIX}" != "/usr" ${REINPLACE_CMD} -E 's|^(#define DEFAULT_CFG_FILE ")(/etc/ocserv/ocserv.conf")|\1${PREFIX}\2|' ${WRKSRC}/src/config.c + ${REINPLACE_CMD} -E 's|^(#define DEFAULT_OCPASSWD ")(/etc/ocserv/ocpasswd")|\1${PREFIX}\2|' ${WRKSRC}/src/ocpasswd/ocpasswd.c .endif post-install: ${MKDIR} ${STAGEDIR}${PREFIX}/etc/ocserv ${STAGEDIR}/var/run/ocserv - ${INSTALL_DATA} ${FILESDIR}/ocserv.conf ${STAGEDIR}${PREFIX}/etc/ocserv/ocserv.conf.sample + ${INSTALL_DATA} ${WRKSRC}/doc/sample.config ${STAGEDIR}${PREFIX}/etc/ocserv/ocserv.conf.sample ${INSTALL_MAN} ${WRKSRC}/doc/*.8 ${STAGEDIR}${MANPREFIX}/man/man8 post-install-DOCS-on: Modified: head/net/ocserv/distinfo ============================================================================== --- head/net/ocserv/distinfo Fri Jan 29 21:24:44 2021 (r563248) +++ head/net/ocserv/distinfo Fri Jan 29 21:26:11 2021 (r563249) @@ -1,3 +1,3 @@ -TIMESTAMP = 1602242932 -SHA256 (ocserv-1.1.1.tar.xz) = 9c7aaf46e53e28cfa7be329b18f3951e7e851153ff6a27e946496fd4e8e5765a -SIZE (ocserv-1.1.1.tar.xz) = 818988 +TIMESTAMP = 1611791595 +SHA256 (ocserv-1.1.2.tar.xz) = 889ccdbe8e67d3bc2bc8713b7fbb5bd4e79228abc6054e88858cb4ad6d0245dd +SIZE (ocserv-1.1.2.tar.xz) = 824924 Modified: head/net/ocserv/files/patch-doc_sample.config ============================================================================== --- head/net/ocserv/files/patch-doc_sample.config Fri Jan 29 21:24:44 2021 (r563248) +++ head/net/ocserv/files/patch-doc_sample.config Fri Jan 29 21:26:11 2021 (r563249) 
@@ -1,26 +1,97 @@ ---- doc/sample.config.orig 2020-09-20 19:49:01 UTC +--- doc/sample.config.orig 2020-12-03 22:31:10 UTC +++ doc/sample.config 
@@ -19,7 +19,7 @@ # This enabled PAM authentication of the user. The gid-min option is used # by auto-select-group option, in order to select the minimum valid group ID. # -# plain[passwd=/etc/ocserv/ocpasswd,otp=/etc/ocserv/users.otp] -+# plain[passwd=/usr/local/etc/ocserv/ocpasswd,otp=/etc/ocserv/users.otp] ++# plain[passwd=%%ETCDIR%%/ocpasswd,otp=%%ETCDIR%%/users.otp] # The plain option requires specifying a password file which contains # entries of the following format. # "username:groupname1,groupname2:encoded-password" -@@ -110,8 +110,8 @@ udp-port = 443 +@@ -28,7 +28,7 @@ + # an oath password file to be used for one time passwords; the format of + # the file is described in https://github.com/archiecobbs/mod-authn-otp/wiki/UsersFile + # +-# radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true,nas-identifier=name]: ++# radius[config=%%PREFIX%%/etc/radiusclient/radiusclient.conf,groupconfig=true,nas-identifier=name]: + # The radius option requires specifying freeradius-client configuration + # file. If the groupconfig option is set, then config-per-user/group will be overridden, + # and all configuration will be read from radius. That also includes the +@@ -47,10 +47,10 @@ + + #auth = "pam" + #auth = "pam[gid-min=1000]" +-#auth = "plain[passwd=./sample.passwd,otp=./sample.otp]" +-auth = "plain[passwd=./sample.passwd]" ++#auth = "plain[passwd=%%ETCDIR%%/sample.passwd,otp=%%ETCDIR%%/sample.otp]" ++auth = "plain[passwd=%%ETCDIR%%/sample.passwd]" + #auth = "certificate" +-#auth = "radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true]" ++#auth = "radius[config=%%PREFIX%%/etc/radiusclient/radiusclient.conf,groupconfig=true]" + + # Specify alternative authentication methods that are sufficient + # for authentication. That is, if set, any of the methods enabled +@@ -71,7 +71,7 @@ auth = "plain[passwd=./sample.passwd]" + # PAM. + # + # Only one accounting method can be specified. 
+-#acct = "radius[config=/etc/radiusclient/radiusclient.conf]" ++#acct = "radius[config=%%PREFIX%%/etc/radiusclient/radiusclient.conf]" + + # Use listen-host to limit to specific IPs or to the IPs of a provided + # hostname. +@@ -96,8 +96,8 @@ udp-port = 443 # The user the worker processes will be run as. This should be a dedicated # unprivileged user (e.g., 'ocserv') and no other services should run as this # user. -run-as-user = nobody -run-as-group = daemon -+run-as-user = _ocserv -+run-as-group = _ocserv ++run-as-user = %%USERS%% ++run-as-group = %%GROUPS%% # socket file used for IPC with occtl. You only need to set that, # if you use more than a single servers. -@@ -180,15 +180,9 @@ ca-cert = ../tests/certs/ca.pem +@@ -124,22 +124,20 @@ socket-file = /var/run/ocserv-socket + # certificate renewal (they are checked and reloaded periodically; + # a SIGHUP signal to main server will force reload). + +-#server-cert = /etc/ocserv/server-cert.pem +-#server-key = /etc/ocserv/server-key.pem +-server-cert = ../tests/certs/server-cert.pem +-server-key = ../tests/certs/server-key.pem ++server-cert = %%ETCDIR%%/server-cert.pem ++server-key = %%ETCDIR%%/server-key.pem + + # Diffie-Hellman parameters. Only needed if for old (pre 3.6.0 + # versions of GnuTLS for supporting DHE ciphersuites. + # Can be generated using: +-# certtool --generate-dh-params --outfile /etc/ocserv/dh.pem +-#dh-params = /etc/ocserv/dh.pem ++# certtool --generate-dh-params --outfile %%ETCDIR%%/dh.pem ++#dh-params = %%ETCDIR%%/dh.pem + + # In case PKCS #11, TPM or encrypted keys are used the PINs should be available + # in files. The srk-pin-file is applicable to TPM keys only, and is the + # storage root key. +-#pin-file = /etc/ocserv/pin.txt +-#srk-pin-file = /etc/ocserv/srkpin.txt ++#pin-file = %%ETCDIR%%/pin.txt ++#srk-pin-file = %%ETCDIR%%/srkpin.txt + + # The password or PIN needed to unlock the key in server-key file. + # Only needed if the file is encrypted or a PKCS #11 object. 
This +@@ -153,8 +151,7 @@ server-key = ../tests/certs/server-key.pem + # The Certificate Authority that will be used to verify + # client certificates (public keys) if certificate authentication + # is set. +-#ca-cert = /etc/ocserv/ca.pem +-ca-cert = ../tests/certs/ca.pem ++ca-cert = %%ETCDIR%%/ca.pem + + + ### All configuration options below this line are reloaded on a SIGHUP. +@@ -166,15 +163,9 @@ ca-cert = ../tests/certs/ca.pem ### failures during the reloading time. 
@@ -39,40 +110,84 @@ # A banner to be displayed on clients after connection #banner = "Welcome" -@@ -553,15 +547,15 @@ no-route = 192.168.5.0/255.255.255.0 +@@ -255,7 +246,7 @@ try-mtu-discovery = false + # You can update this response periodically using: + # ocsptool --ask --load-cert=your_cert --load-issuer=your_ca --outfile response + # Make sure that you replace the following file in an atomic way. +-#ocsp-response = /etc/ocserv/ocsp.der ++#ocsp-response = %%ETCDIR%%/ocsp.der + + # The object identifier that will be used to read the user ID in the client + # certificate. The object identifier should be part of the certificate's DN +@@ -274,7 +265,7 @@ cert-user-oid = 0.9.2342.19200300.100.1.1 + # See the manual to generate an empty CRL initially. The CRL will be reloaded + # periodically when ocserv detects a change in the file. To force a reload use + # SIGHUP. +-#crl = /etc/ocserv/crl.pem ++#crl = %%ETCDIR%%/crl.pem + + # Uncomment this to enable compression negotiation (LZS, LZ4). + #compression = true +@@ -543,15 +534,15 @@ no-route = 192.168.5.0/255.255.255.0 # Note the that following two firewalling options currently are available # in Linux systems with iptables software. -# If set, the script /usr/bin/ocserv-fw will be called to restrict -+# If set, the script /usr/local/bin/ocserv-fw will be called to restrict ++# If set, the script %%PREFIX%%/bin/ocserv-fw will be called to restrict # the user to its allowed routes and prevent him from accessing # any other routes. In case of defaultroute, the no-routes are restricted. -# All the routes applied by ocserv can be reverted using /usr/bin/ocserv-fw -+# All the routes applied by ocserv can be reverted using /usr/local/bin/ocserv-fw ++# All the routes applied by ocserv can be reverted using %%PREFIX%%/bin/ocserv-fw # --removeall. This option can be set globally or in the per-user configuration. #restrict-user-to-routes = true # This option implies restrict-user-to-routes set to true. 
If set, the -# script /usr/bin/ocserv-fw will be called to restrict the user to -+# script /usr/local/bin/ocserv-fw will be called to restrict the user to ++# script %%PREFIX%%/bin/ocserv-fw will be called to restrict the user to # access specific ports in the network. This option can be set globally # or in the per-user configuration. #restrict-user-to-ports = "tcp(443), tcp(80), udp(443), sctp(99), tcp(583), icmp(), icmpv6()" -@@ -609,13 +603,13 @@ no-route = 192.168.5.0/255.255.255.0 +@@ -599,13 +590,13 @@ no-route = 192.168.5.0/255.255.255.0 # hostname to override any proposed by the user. Note also, that, any # routes, no-routes, DNS or NBNS servers present will overwrite the global ones. -#config-per-user = /etc/ocserv/config-per-user/ -#config-per-group = /etc/ocserv/config-per-group/ -+#config-per-user = /usr/local/etc/ocserv/config-per-user/ -+#config-per-group = /usr/local/etc/ocserv/config-per-group/ ++#config-per-user = %%ETCDIR%%/config-per-user/ ++#config-per-group = %%ETCDIR%%/config-per-group/ # When config-per-xxx is specified and there is no group or user that # matches, then utilize the following configuration. -#default-user-config = /etc/ocserv/defaults/user.conf -#default-group-config = /etc/ocserv/defaults/group.conf -+#default-user-config = /usr/local/etc/ocserv/defaults/user.conf -+#default-group-config = /usr/local/etc/ocserv/defaults/group.conf ++#default-user-config = %%ETCDIR%%/defaults/user.conf ++#default-group-config = %%ETCDIR%%/defaults/group.conf # The system command to use to setup a route. %{R} will be replaced with the # route/mask, %{RI} with the route in CIDR format, and %{D} with the (tun) device. 
+@@ -627,7 +618,7 @@ no-route = 192.168.5.0/255.255.255.0 + # In MIT kerberos you'll need to add in realms: + # EXAMPLE.COM = { + # kdc = https://ocserv.example.com/KdcProxy +-# http_anchors = FILE:/etc/ocserv-ca.pem ++# http_anchors = FILE:%%ETCDIR%%/ocserv-ca.pem + # } + # In some distributions the krb5-k5tls plugin of kinit is required. + # +@@ -701,13 +692,13 @@ dtls-legacy = true + [vhost:www.example.com] + auth = "certificate" + +-ca-cert = ../tests/certs/ca.pem ++ca-cert = %%ETCDIR%%/ca.pem + + # The certificate set here must include a 'dns_name' corresponding to + # the virtual host name. + +-server-cert = ../tests/certs/server-cert-secp521r1.pem +-server-key = ../tests/certs/server-key-secp521r1.pem ++server-cert = %%ETCDIR%%/server-cert-secp521r1.pem ++server-key = %%ETCDIR%%/server-key-secp521r1.pem + + ipv4-network = 192.168.2.0 + ipv4-netmask = 255.255.255.0 Added: head/net/ocserv/files/patch-src_main-ban.c ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/net/ocserv/files/patch-src_main-ban.c Fri Jan 29 21:26:11 2021 (r563249) 
@@ -0,0 +1,20 @@ +--- src/main-ban.c.orig 2021-01-26 17:01:03 UTC ++++ src/main-ban.c +@@ -403,8 +403,8 @@ static bool test_local_ipv6(struct sockaddr_in6 * remo + unsigned index = 0; + + for (index = 0; index < 4; index ++) { +- uint32_t l = local->sin6_addr.s6_addr32[index] & network->sin6_addr.s6_addr32[index]; +- uint32_t r = remote->sin6_addr.s6_addr32[index] & network->sin6_addr.s6_addr32[index]; ++ uint32_t l = local->sin6_addr.__u6_addr.__u6_addr32[index] & network->sin6_addr.__u6_addr.__u6_addr32[index]; ++ uint32_t r = remote->sin6_addr.__u6_addr.__u6_addr32[index] & network->sin6_addr.__u6_addr.__u6_addr32[index]; + if (l != r) + return false; + } +@@ -443,4 +443,4 @@ void if_address_cleanup(main_server_st * s) + + s->if_addresses = NULL; + s->if_addresses_count = 0; +-} +\ No newline at end of file ++} Modified: head/net/ocserv/files/patch-src_occtl_occtl.c ============================================================================== --- head/net/ocserv/files/patch-src_occtl_occtl.c Fri Jan 29 21:24:44 2021 (r563248) +++ head/net/ocserv/files/patch-src_occtl_occtl.c Fri Jan 29 21:26:11 2021 (r563249) @@ -1,6 +1,6 @@ ---- src/occtl/occtl.c.orig 2018-01-14 16:25:24 UTC +--- src/occtl/occtl.c.orig 2020-08-06 18:51:31 UTC +++ src/occtl/occtl.c -@@ -249,7 +249,7 @@ static int handle_help_cmd(CONN_TYPE * conn, const cha +@@ -264,7 +264,7 @@ static int handle_help_cmd(CONN_TYPE * conn, const cha static int handle_reset_cmd(CONN_TYPE * conn, const char *arg, cmd_params_st *params) { rl_reset_terminal(NULL);
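Review bot: in the Makefile post-install target, the `${MKDIR}` and `${INSTALL_DATA}` lines still hardcode `${STAGEDIR}${PREFIX}/etc/ocserv`, while the new post-patch block substitutes `%%ETCDIR%%` into doc/sample.config; if ETCDIR is ever overridden, the installed ocserv.conf.sample will reference a directory post-install did not create. Suggest `${STAGEDIR}${ETCDIR}` in both lines so the directory and the paths baked into the sample come from the same variable. The `.if "${PREFIX}" != "/usr"` guard around the DEFAULT_CFG_FILE and DEFAULT_OCPASSWD rewrites is correct, and patching DEFAULT_OCPASSWD in ocpasswd.c keeps the ocpasswd tool and the server agreeing on the password file location.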
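Review bot: in patch-doc_sample.config, the active `auth = "plain[passwd=%%ETCDIR%%/sample.passwd]"` line points at a file the port never installs into ETCDIR: sample.passwd appears only in PORTEXAMPLES, so it lands in the examples directory (and only when EXAMPLES is on), and an unmodified ocserv.conf.sample will not find it. Suggest `%%ETCDIR%%/ocpasswd`, which matches the commented `plain[passwd=%%ETCDIR%%/ocpasswd,...]` example above it and the DEFAULT_OCPASSWD path the Makefile patches into ocpasswd.c, or leave the line commented out. Replacing the `../tests/certs/*.pem` defaults with `%%ETCDIR%%/server-cert.pem`, `server-key.pem` and `ca.pem` is the right call: the upstream test certificates are public and must never serve as a live server's credentials, so the sample now cannot come up on those paths until the administrator provisions real keys. Likewise `run-as-user`/`run-as-group = %%USERS%%`/`%%GROUPS%%` ties the worker processes to the dedicated `_ocserv` account the port creates rather than `nobody`/`daemon`.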
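Review bot: patch-src_main-ban.c reaches into the double-underscore `__u6_addr.__u6_addr32` members of `struct in6_addr`, which are implementation internals; on FreeBSD the `s6_addr32` convenience macro is exposed only under `_KERNEL`, so a local patch is needed for the build, but a more portable fix would be a compile-time definition of `s6_addr32` as `__u6_addr.__u6_addr32` where the macro is absent (or a comparison over the standard `s6_addr` byte array), which could then be sent upstream instead of being carried in files/. The logic is unchanged: all four 32-bit words of local and remote are still masked with the same network word before comparison, so the ban code's local-network test behaves as before. The second hunk only adds the missing trailing newline.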