Date:      Sat, 25 Apr 2020 14:38:21 +0000 (UTC)
From:      Matthias Andree <mandree@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject:   svn commit: r532955 - in head/net/ocserv: . files
Message-ID:  <202004251438.03PEcLoS031886@repo.freebsd.org>

Author: mandree
Date: Sat Apr 25 14:38:20 2020
New Revision: 532955
URL: https://svnweb.freebsd.org/changeset/ports/532955

Log:
  net/ocserv: Update to 1.0.1
  
  Changelog:
  https://gitlab.com/openconnect/ocserv/-/blob/1.0.1/NEWS#L1
  
  This commit makes the following additional changes from Juraj's
  submission:
  
  - fix LIB_DEPENDS to libpcl.so:devel/pcl (not devel/libpcl)
  - replace LOCALBASE by PREFIX throughout, as these are internal references
  - remove the src/config.c patch, it makes no sense to first
    statically patch and then run REINPLACE_CMD for DEFAULT_CFG_FILE
  - remove doc/sample.config from another REINPLACE_CMD
  - remove @ - it makes no sense to hide running commands
  - patch example configuration to avoid isolate-workers = true, which
    currently only works on Linux's seccomp.
  - in the same vein, put up a warning pkg-message that there is no worker
    process isolation
  - install the @sample file as ocserv.conf.sample, not conf.sample,
    so it matches the default configuration file path
  
  Things that could be done but are not:
  - rcfile option to configure a separate config file
  
  PR:		245521
  Submitted by:	Juraj Lutter <juraj@lutter.sk>
  Approved by:	cpm@ (maintainer timeout, 15 d)

Added:
  head/net/ocserv/pkg-message   (contents, props changed)
Deleted:
  head/net/ocserv/files/patch-src_config.c
  head/net/ocserv/files/patch-src_tun.c
  head/net/ocserv/files/patch-src_tun.h
  head/net/ocserv/files/patch-src_worker-auth.c
Modified:
  head/net/ocserv/Makefile
  head/net/ocserv/distinfo
  head/net/ocserv/files/ocserv.conf
  head/net/ocserv/files/patch-configure.ac
  head/net/ocserv/files/patch-doc_sample.config
  head/net/ocserv/pkg-plist

Modified: head/net/ocserv/Makefile
==============================================================================
--- head/net/ocserv/Makefile	Sat Apr 25 14:11:29 2020	(r532954)
+++ head/net/ocserv/Makefile	Sat Apr 25 14:38:20 2020	(r532955)
@@ -2,8 +2,7 @@
 # $FreeBSD$
 
 PORTNAME=	ocserv
-PORTVERSION=	0.12.4
-PORTREVISION=	2
+PORTVERSION=	1.0.1
 CATEGORIES=	net net-vpn security
 MASTER_SITES=	ftp://ftp.infradead.org/pub/ocserv/
 
@@ -24,7 +23,7 @@ LIB_DEPENDS=	liblz4.so:archivers/liblz4 \
 		libtasn1.so:security/libtasn1 \
 		libnettle.so:security/nettle \
 		liboath.so:security/oath-toolkit \
-		libpcl.so:devel/libpcl
+		libpcl.so:devel/pcl
 
 USES=		autoreconf cpe gperf libtool localbase ncurses \
 		pathfix pkgconfig readline tar:xz
@@ -53,25 +52,28 @@ GSSAPI_CONFIGURE_OFF=	--without-gssapi
 RADIUS_LIB_DEPENDS=	libradcli.so:net/radcli
 RADIUS_CONFIGURE_OFF=	--without-radius
 
+.include <bsd.port.pre.mk>
+
 post-patch:
-	@${REINPLACE_CMD} 's|/usr/bin/ocserv-fw|${LOCALBASE}/bin/ocserv-fw|g' \
-		${WRKSRC}/src/main-user.c \
-		${WRKSRC}/doc/sample.config
-	@${REINPLACE_CMD} 's|/usr/bin/ocserv\\-fw|${LOCALBASE}/bin/ocserv\\-fw|g' \
+	${REINPLACE_CMD} 's|/usr/bin/ocserv-fw|${PREFIX}/bin/ocserv-fw|g' \
+		${WRKSRC}/src/main-user.c
+	${REINPLACE_CMD} 's|/usr/bin/ocserv\\-fw|${PREFIX}/bin/ocserv\\-fw|g' \
 		${WRKSRC}/doc/ocserv.8
+.if "${PREFIX}" != "" && "${PREFIX}" != "/" && "${PREFIX}" != "/usr"
+	${REINPLACE_CMD} -E 's|^(#define DEFAULT_CFG_FILE ")(/etc/ocserv/ocserv.conf")|\1${PREFIX}\2|' ${WRKSRC}/src/config.c
+.endif
 
 post-install:
-	@${MKDIR} ${STAGEDIR}${PREFIX}/etc/ocserv
-	@${MKDIR} ${STAGEDIR}/var/run/ocserv
-	${INSTALL_DATA} ${FILESDIR}/ocserv.conf ${STAGEDIR}${PREFIX}/etc/ocserv/conf.sample
+	${MKDIR} ${STAGEDIR}${PREFIX}/etc/ocserv ${STAGEDIR}/var/run/ocserv
+	${INSTALL_DATA} ${FILESDIR}/ocserv.conf ${STAGEDIR}${PREFIX}/etc/ocserv/ocserv.conf.sample
 	${INSTALL_MAN} ${WRKSRC}/doc/*.8 ${STAGEDIR}${MANPREFIX}/man/man8
 
 post-install-DOCS-on:
-	@${MKDIR} ${STAGEDIR}${DOCSDIR}
+	${MKDIR} ${STAGEDIR}${DOCSDIR}
 	cd ${WRKSRC} && ${INSTALL_DATA} ${PORTDOCS} ${STAGEDIR}${DOCSDIR}
 
 post-install-EXAMPLES-on:
-	@${MKDIR} ${STAGEDIR}${EXAMPLESDIR}
+	${MKDIR} ${STAGEDIR}${EXAMPLESDIR}
 	cd ${WRKSRC}/doc && ${INSTALL_DATA} ${PORTEXAMPLES} ${STAGEDIR}${EXAMPLESDIR}
 
-.include <bsd.port.mk>
+.include <bsd.port.post.mk>
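Review bot: The DEFAULT_CFG_FILE rewrite on the `.if` line at L96-L98 is skipped when PREFIX is `/usr` (or empty or `/`), but the sample installed at L105 and the `@sample etc/ocserv/ocserv.conf.sample` plist entry always land under ${PREFIX}/etc/ocserv, so with PREFIX=/usr the binary keeps looking for /etc/ocserv/ocserv.conf while the sample goes to /usr/etc/ocserv/ — exactly the mismatch the commit message says the rename was meant to remove. PREFIX=/usr is unusual for a port, but the guard explicitly allows for it; either apply the same condition to the sample's install directory or drop the `/usr` special case so the two always agree. Separately, the `${REINPLACE_CMD} -E` at L97 is a silent no-op if upstream moves or rewords the `#define`, and the old static patch that would have failed loudly is deleted in this commit; adding `${GREP} -q '^#define DEFAULT_CFG_FILE "${PREFIX}/etc/ocserv/ocserv.conf"' ${WRKSRC}/src/config.c` inside the same `.if` makes the build fail instead of shipping a binary that reads an unexpected config path.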

Modified: head/net/ocserv/distinfo
==============================================================================
--- head/net/ocserv/distinfo	Sat Apr 25 14:11:29 2020	(r532954)
+++ head/net/ocserv/distinfo	Sat Apr 25 14:38:20 2020	(r532955)
@@ -1,3 +1,3 @@
-TIMESTAMP = 1562531995
-SHA256 (ocserv-0.12.4.tar.xz) = 05c01effa8a7c2f022616fcb62bade4df51aa7f0035248671da12819d62cb185
-SIZE (ocserv-0.12.4.tar.xz) = 763540
+TIMESTAMP = 1586552655
+SHA256 (ocserv-1.0.1.tar.xz) = 59d9ef7a1aeb95ff6e762e2a0f231b3fae2ea420f68a1cf09d39a26395040f4b
+SIZE (ocserv-1.0.1.tar.xz) = 787800

Modified: head/net/ocserv/files/ocserv.conf
==============================================================================
--- head/net/ocserv/files/ocserv.conf	Sat Apr 25 14:11:29 2020	(r532954)
+++ head/net/ocserv/files/ocserv.conf	Sat Apr 25 14:38:20 2020	(r532955)
@@ -26,7 +26,7 @@
 # One entry must be listed per line, and 'ocpasswd' should be used
 # to generate password entries. The 'otp' suboption allows one to specify
 # an oath password file to be used for one time passwords; the format of
-# the file is described in https://code.google.com/p/mod-authn-otp/wiki/UsersFile
+# the file is described in https://github.com/archiecobbs/mod-authn-otp/wiki/UsersFile
 #
 # radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true,nas-identifier=name]:
 #  The radius option requires specifying freeradius-client configuration
@@ -77,6 +77,10 @@ auth = "plain[passwd=./sample.passwd]"
 # hostname.
 #listen-host = [IP|HOSTNAME]
 
+# Use udp-listen-host to limit udp to specific IPs or to the IPs of a provided
+# hostname. if not set, listen-host will be used
+#udp-listen-host = [IP|HOSTNAME]
+
 # When the server has a dynamic DNS address (that may change),
 # should set that to true to ask the client to resolve again on
 # reconnects.
@@ -171,6 +175,9 @@ ca-cert = ../tests/certs/ca.pem
 ### operation. If the server key changes on reload, there may be connection
 ### failures during the reloading time.
 
+# ocserv 1.0.1 on FreeBSD does not currently support process isolation,
+# because ocserv only supports Linux's seccomp system, but not capsicum(4).
+#isolate-workers = false
 
 # A banner to be displayed on clients
 #banner = "Welcome"
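Review bot: The added `#isolate-workers = false` at L163 is commented out, so it documents intent but sets nothing — the daemon runs with whatever default the 1.0.1 binary compiles in, and the upstream sample this file replaces shipped `isolate-workers = true` (visible in the deleted lines of files/patch-doc_sample.config), so an operator reading this file cannot tell what is actually in effect on FreeBSD. If the option is accepted here, set it explicitly as `isolate-workers = false` so the configuration states the real security posture; if it is ignored on FreeBSD, say so in the comment instead. Since the workers are the processes that handle client traffic and authentication (as I understand ocserv's design; confirm against upstream docs), the comment should also name the compensating controls this file already offers, e.g. `# Workers are not sandboxed on FreeBSD: keep run-as-user/run-as-group a dedicated unprivileged account and consider confining ocserv in a jail(8).`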
@@ -391,7 +398,8 @@ rekey-method = ssl
 # client), OCSERV_NO_ROUTES, OCSERV_DNS (the DNS servers for this client),
 # will contain a space separated list of routes or DNS servers. A version
 # of these variables with the 4 or 6 suffix will contain only the IPv4 or
-# IPv6 values.
+# IPv6 values. The connect script must return zero as exit code, or the
+# client connection will be refused.
 
 # The disconnect script will receive the additional values: STATS_BYTES_IN,
 # STATS_BYTES_OUT, STATS_DURATION that contain a 64-bit counter of the bytes 
@@ -566,7 +574,7 @@ no-route = 192.168.5.0/255.255.255.0
 #  keepalive, dpd, mobile-dpd, max-same-clients, tunnel-all-dns,
 #  restrict-user-to-routes, user-profile, cgroup, stats-report-time,
 #  mtu, idle-timeout, mobile-idle-timeout, restrict-user-to-ports,
-#  and session-timeout.
+#  split-dns and session-timeout.
 #
 # Note that the 'iroute' option allows one to add routes on the server
 # based on a user or group. The syntax depends on the input accepted

Modified: head/net/ocserv/files/patch-configure.ac
==============================================================================
--- head/net/ocserv/files/patch-configure.ac	Sat Apr 25 14:11:29 2020	(r532954)
+++ head/net/ocserv/files/patch-configure.ac	Sat Apr 25 14:38:20 2020	(r532955)
@@ -1,4 +1,4 @@
---- configure.ac.orig	2018-04-22 08:43:20 UTC
+--- configure.ac.orig	2020-04-09 21:07:12 UTC
 +++ configure.ac
 @@ -15,7 +15,7 @@ AM_PROG_AR
  AM_PROG_CC_C_O
@@ -9,7 +9,7 @@
  fi
  AC_PATH_PROG(CTAGS, ctags, [:])
  AC_PATH_PROG(CSCOPE, cscope, [:])
-@@ -168,7 +168,7 @@ if test "$test_for_geoip" = yes;then
+@@ -199,7 +199,7 @@ if test "$test_for_geoip" = yes && test "$have_maxmind
  fi
  
  have_readline=no

Modified: head/net/ocserv/files/patch-doc_sample.config
==============================================================================
--- head/net/ocserv/files/patch-doc_sample.config	Sat Apr 25 14:11:29 2020	(r532954)
+++ head/net/ocserv/files/patch-doc_sample.config	Sat Apr 25 14:38:20 2020	(r532955)
@@ -1,4 +1,4 @@
---- doc/sample.config.orig	2018-04-15 19:13:39 UTC
+--- doc/sample.config.orig	2020-04-09 20:56:20 UTC
 +++ doc/sample.config
 @@ -19,7 +19,7 @@
  #  This enabled PAM authentication of the user. The gid-min option is used
@@ -9,7 +9,7 @@
  #  The plain option requires specifying a password file which contains
  # entries of the following format.
  # "username:groupname1,groupname2:encoded-password"
-@@ -102,8 +102,8 @@ udp-port = 443
+@@ -106,8 +106,8 @@ udp-port = 443
  
  # The user the worker processes will be run as. It should be
  # unique (no other services run as this user).
@@ -20,7 +20,7 @@
  
  # socket file used for IPC with occtl. You only need to set that,
  # if you use more than a single servers.
-@@ -172,16 +172,6 @@ ca-cert = ../tests/certs/ca.pem
+@@ -176,15 +176,9 @@ ca-cert = ../tests/certs/ca.pem
  ### failures during the reloading time.
  
  
@@ -33,11 +33,13 @@
 -# disabling that option and report the failures you, along with system and debugging
 -# information at: https://gitlab.com/ocserv/ocserv/issues
 -isolate-workers = true
--
++# ocserv 1.0.1 on FreeBSD does not currently support process isolation,
++# because ocserv only supports Linux's seccomp system, but not capsicum(4).
++#isolate-workers = false
+ 
  # A banner to be displayed on clients
  #banner = "Welcome"
- 
-@@ -530,15 +520,15 @@ no-route = 192.168.5.0/255.255.255.0
+@@ -535,15 +529,15 @@ no-route = 192.168.5.0/255.255.255.0
  # Note the that following two firewalling options currently are available
  # in Linux systems with iptables software. 
  
@@ -56,7 +58,7 @@
  # access specific ports in the network. This option can be set globally
  # or in the per-user configuration.
  #restrict-user-to-ports = "tcp(443), tcp(80), udp(443), sctp(99), tcp(583), icmp(), icmpv6()"
-@@ -586,13 +576,13 @@ no-route = 192.168.5.0/255.255.255.0
+@@ -591,13 +585,13 @@ no-route = 192.168.5.0/255.255.255.0
  # hostname to override any proposed by the user. Note also, that, any 
  # routes, no-routes, DNS or NBNS servers present will overwrite the global ones.
  

Added: head/net/ocserv/pkg-message
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/net/ocserv/pkg-message	Sat Apr 25 14:38:20 2020	(r532955)
@@ -0,0 +1,7 @@
+[
+{ message: <<EOM
+SECURITY NOTE: ocserv 1.0.1 currently cannot isolate workers processes
+on FreeBSD, it only supports Linux's seccomp, but not FreeBSD's capsicum.
+EOM
+}
+]
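Review bot: The message at L269-L270 tells the operator a sandbox is missing but not what to do about it, and it has a grammar slip, `isolate workers processes`. Suggest `SECURITY NOTE: ocserv 1.0.1 cannot isolate worker processes on FreeBSD (it implements only Linux seccomp, not capsicum(4)). Run it under a dedicated unprivileged run-as-user/run-as-group and consider confining it in a jail(8).` That turns the warning into a concrete compensating control for the reader who only sees pkg-message at install time.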

Modified: head/net/ocserv/pkg-plist
==============================================================================
--- head/net/ocserv/pkg-plist	Sat Apr 25 14:11:29 2020	(r532954)
+++ head/net/ocserv/pkg-plist	Sat Apr 25 14:38:20 2020	(r532955)
@@ -4,6 +4,6 @@ bin/ocserv-fw
 man/man8/occtl.8.gz
 man/man8/ocpasswd.8.gz
 man/man8/ocserv.8.gz
-@sample etc/ocserv/conf.sample
+@sample etc/ocserv/ocserv.conf.sample
 sbin/ocserv
 @dir(%%USERS%%,%%GROUPS%%,750) /var/run/ocserv


