Date: Mon, 21 Aug 2023 13:09:17 GMT From: Juraj Lutter <otis@FreeBSD.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org Subject: git: 944e00e9f40f - main - net/ocserv: Update to 1.2.0 Message-ID: <202308211309.37LD9HnT081764@gitrepo.freebsd.org>
The branch main has been updated by otis: URL: https://cgit.FreeBSD.org/ports/commit/?id=944e00e9f40f573dc08548e56398332475746a44 commit 944e00e9f40f573dc08548e56398332475746a44 Author: Juraj Lutter <otis@FreeBSD.org> AuthorDate: 2023-08-16 09:12:39 +0000 Commit: Juraj Lutter <otis@FreeBSD.org> CommitDate: 2023-08-21 13:08:57 +0000 net/ocserv: Update to 1.2.0 - Update to 1.2.0 - Adjust dependencies - Make DTLS work - Regen patches Co-authored-by: Eugene Mitrofanov <emitrofanov@gmail.com> --- net/ocserv/Makefile | 6 +++--- net/ocserv/distinfo | 6 +++--- net/ocserv/files/patch-configure.ac | 8 ++++---- net/ocserv/files/patch-doc_sample.config | 28 +++++++++++++++------------- net/ocserv/files/patch-src_ip-util.h | 10 ++++++++++ net/ocserv/files/patch-src_main.c | 25 +++++++++++++++++++++++++ net/ocserv/files/patch-src_occtl_occtl.c | 4 ++-- net/ocserv/files/patch-src_occtl_time.c | 6 +++--- 8 files changed, 65 insertions(+), 28 deletions(-) diff --git a/net/ocserv/Makefile b/net/ocserv/Makefile index 6dc13dac271e..10d9f2d3d2b9 100644 --- a/net/ocserv/Makefile +++ b/net/ocserv/Makefile @@ -1,5 +1,5 @@ PORTNAME= ocserv -DISTVERSION= 1.1.7 +DISTVERSION= 1.2.0 CATEGORIES= net net-vpn security MASTER_SITES= https://www.infradead.org/ocserv/download/ @@ -23,8 +23,8 @@ LIB_DEPENDS= libev.so:devel/libev \ libtalloc.so:devel/talloc \ libtasn1.so:security/libtasn1 -USES= autoreconf cpe gperf libtool localbase ncurses pathfix \ - pkgconfig readline tar:xz +USES= autoreconf cpe gettext-tools gperf libtool localbase ncurses \ + pathfix pkgconfig readline tar:xz CPE_VENDOR= infradead USE_RC_SUBR= ocserv diff --git a/net/ocserv/distinfo b/net/ocserv/distinfo index 30465e6a2b45..c10dada0e39f 100644 --- a/net/ocserv/distinfo +++ b/net/ocserv/distinfo 
@@ -1,3 +1,3 @@ -TIMESTAMP = 1683875970 -SHA256 (ocserv-1.1.7.tar.xz) = f30f7515e1e569ca2e68a96fa5e3dd10d49a18a40c981ad95b484d10835e3aa6 -SIZE (ocserv-1.1.7.tar.xz) = 844140 +TIMESTAMP = 1692132524 +SHA256 (ocserv-1.2.0.tar.xz) = 47a66e504a6b04bb04856176d78ee392ad1385d22d1670d4ed48b7b95e9dffc5 +SIZE (ocserv-1.2.0.tar.xz) = 746968 diff --git a/net/ocserv/files/patch-configure.ac b/net/ocserv/files/patch-configure.ac index 27f60419b701..f06c82846f51 100644 --- a/net/ocserv/files/patch-configure.ac +++ b/net/ocserv/files/patch-configure.ac @@ -1,15 +1,15 @@ ---- configure.ac.orig 2020-10-09 11:32:59 UTC +--- configure.ac.orig 2023-07-11 12:47:23 UTC +++ configure.ac -@@ -15,7 +15,7 @@ AM_PROG_AR - AM_PROG_CC_C_O +@@ -16,7 +16,7 @@ AM_PROG_CC_C_O AC_PROG_SED + if test "$GCC" = "yes" && ! expr "$CC" : clang >/dev/null 2>&1;then - CFLAGS="$CFLAGS -Wall -Wno-strict-aliasing -Wextra -Wno-unused-parameter -Wno-sign-compare -Wno-missing-field-initializers -Wno-implicit-fallthrough -Wno-stringop-truncation" + CFLAGS="$CFLAGS -Wall -Wno-strict-aliasing -Wextra -Wno-unused-parameter -Wno-sign-compare -Wno-missing-field-initializers" fi AC_PATH_PROG(CTAGS, ctags, [:]) -@@ -222,7 +222,7 @@ if test "$test_for_geoip" = yes && test "$have_maxmind +@@ -223,7 +223,7 @@ if test "$test_for_geoip" = yes && test "$have_maxmind fi have_readline=no diff --git a/net/ocserv/files/patch-doc_sample.config b/net/ocserv/files/patch-doc_sample.config index f866507ac5a0..b21233ad088d 100644 --- a/net/ocserv/files/patch-doc_sample.config +++ b/net/ocserv/files/patch-doc_sample.config @@ -1,4 +1,4 @@ ---- doc/sample.config.orig 2022-12-02 18:59:51 UTC +--- doc/sample.config.orig 2023-07-11 12:54:03 UTC +++ doc/sample.config @@ -19,7 +19,7 @@ # This enabled PAM authentication of the user. The gid-min option is used 
@@ -91,9 +91,13 @@ # The number of sub-processes to use for the security module (authentication) # processes. Typically this should not be set as the number of processes -@@ -172,15 +169,9 @@ ca-cert = ../tests/certs/ca.pem +@@ -171,17 +168,10 @@ ca-cert = ../tests/certs/ca.pem + ### operation. If the server key changes on reload, there may be connection ### failures during the reloading time. ++# ocserv 1.1.1 on FreeBSD does not currently support process isolation, ++# because ocserv only supports Linux's seccomp system, but not capsicum(4). ++#isolate-workers = false -# Whether to enable seccomp/Linux namespaces worker isolation. That restricts the number of -# system calls allowed to a worker process, in order to reduce damage from a @@ -102,15 +106,13 @@ -# Note however, that process isolation is restricted to the specific libc versions -# the isolation was tested at. If you get random failures on worker processes, try -# disabling that option and report the failures you, along with system and debugging --# information at: https://gitlab.com/ocserv/ocserv/issues +-# information at: https://gitlab.com/openconnect/ocserv/issues -isolate-workers = true -+# ocserv 1.1.1 on FreeBSD does not currently support process isolation, -+# because ocserv only supports Linux's seccomp system, but not capsicum(4). -+#isolate-workers = false - +- # A banner to be displayed on clients after connection #banner = "Welcome" -@@ -262,7 +253,7 @@ try-mtu-discovery = false + +@@ -262,7 +252,7 @@ try-mtu-discovery = false # You can update this response periodically using: # ocsptool --ask --load-cert=your_cert --load-issuer=your_ca --outfile response # Make sure that you replace the following file in an atomic way. 
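Review bot: The FreeBSD comment that this regenerated hunk moves within patch-doc_sample.config still names `ocserv 1.1.1`, although the port is now at 1.2.0. It also leaves `#isolate-workers = false` commented out, so the effective setting falls back to whatever ocserv's built-in default is. Since the comment says worker isolation is unavailable on FreeBSD, a version-neutral wording such as `# ocserv on FreeBSD does not support worker isolation: only Linux seccomp is implemented, not capsicum(4).` would not go stale. An uncommented `isolate-workers = false` would make the reduced sandboxing explicit for operators who copy the sample. The same three lines are removed at their old position by the next hunk (`@@ -102,15 +106,13 @@`).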
@@ -119,7 +121,7 @@ # The object identifier that will be used to read the user ID in the client # certificate. The object identifier should be part of the certificate's DN -@@ -281,7 +272,7 @@ cert-user-oid = 0.9.2342.19200300.100.1.1 +@@ -281,7 +271,7 @@ cert-user-oid = 0.9.2342.19200300.100.1.1 # See the manual to generate an empty CRL initially. The CRL will be reloaded # periodically when ocserv detects a change in the file. To force a reload use # SIGHUP. @@ -128,7 +130,7 @@ # Uncomment this to enable compression negotiation (LZS, LZ4). #compression = true -@@ -558,15 +549,15 @@ no-route = 192.168.5.0/255.255.255.0 +@@ -560,15 +550,15 @@ no-route = 192.168.5.0/255.255.255.0 # Note the that following two firewalling options currently are available # in Linux systems with iptables software. @@ -147,7 +149,7 @@ # access specific ports in the network. This option can be set globally # or in the per-user configuration. #restrict-user-to-ports = "tcp(443), tcp(80), udp(443), sctp(99), tcp(583), icmp(), icmpv6()" -@@ -614,13 +605,13 @@ no-route = 192.168.5.0/255.255.255.0 +@@ -616,13 +606,13 @@ no-route = 192.168.5.0/255.255.255.0 # hostname to override any proposed by the user. Note also, that, any # routes, no-routes, DNS or NBNS servers present will overwrite the global ones. @@ -165,7 +167,7 @@ # The system command to use to setup a route. %{R} will be replaced with the # route/mask, %{RI} with the route in CIDR format, and %{D} with the (tun) device. -@@ -642,7 +633,7 @@ no-route = 192.168.5.0/255.255.255.0 +@@ -644,7 +634,7 @@ no-route = 192.168.5.0/255.255.255.0 # In MIT kerberos you'll need to add in realms: # EXAMPLE.COM = { # kdc = https://ocserv.example.com/KdcProxy @@ -174,7 +176,7 @@ # } # In some distributions the krb5-k5tls plugin of kinit is required. # -@@ -722,13 +713,13 @@ client-bypass-protocol = false +@@ -747,13 +737,13 @@ camouflage_realm = "Restricted Content" [vhost:www.example.com] auth = "certificate" 
diff --git a/net/ocserv/files/patch-src_ip-util.h b/net/ocserv/files/patch-src_ip-util.h
new file mode 100644
index 000000000000..ac62f740dc65
--- /dev/null
+++ b/net/ocserv/files/patch-src_ip-util.h
@@ -0,0 +1,10 @@
+--- src/ip-util.h.orig 2023-08-15 11:26:31.522070000 +0300
++++ src/ip-util.h 2023-08-15 11:28:31.360118000 +0300
+@@ -24,6 +24,7 @@
+
+ #include <sys/socket.h>
+ #include <netinet/in.h>
++#include <sys/types.h>
+
+ #define MAX_IP_STR 46
+ // Lower MTU bound is the value defined in RFC 791
diff --git a/net/ocserv/files/patch-src_main.c b/net/ocserv/files/patch-src_main.c
new file mode 100644
index 000000000000..f5c7037ce8e3
--- /dev/null
+++ b/net/ocserv/files/patch-src_main.c
@@ -0,0 +1,25 @@
+--- src/main.c.orig 2023-06-16 17:01:03 UTC
++++ src/main.c
+@@ -215,9 +215,9 @@ int _listen_ports(void *pool, struct perm_cfg_st* conf
+ #endif
+
+ y = 1;
+- if (setsockopt(s, SOL_SOCKET, SO_REUSEADDR,
++ if (setsockopt(s, SOL_SOCKET, SO_REUSEPORT,
+ (const void *) &y, sizeof(y)) < 0) {
+- perror("setsockopt(SO_REUSEADDR) failed");
++ perror("setsockopt(SO_REUSEPORT) failed");
+ }
+
+ if (ptr->ai_socktype == SOCK_DGRAM) {
+@@ -424,8 +424,8 @@ int y;
+ #endif
+
+ y = 1;
+- if (setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, (const void *) &y, sizeof(y)) < 0) {
+- perror("setsockopt(SO_REUSEADDR) failed");
++ if (setsockopt(fd, SOL_SOCKET, SO_REUSEPORT, (const void *) &y, sizeof(y)) < 0) {
++ perror("setsockopt(SO_REUSEPORT) failed");
+ }
+
+ if (GETCONFIG(s)->try_mtu) {
diff --git a/net/ocserv/files/patch-src_occtl_occtl.c b/net/ocserv/files/patch-src_occtl_occtl.c
index de75a421e6fe..b7c73f0d305b 100644
--- a/net/ocserv/files/patch-src_occtl_occtl.c
+++ b/net/ocserv/files/patch-src_occtl_occtl.c
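Review bot: In patch-src_main.c, both nested hunks (`_listen_ports` at line 215 and the one at line 424) replace `SO_REUSEADDR` with `SO_REUSEPORT` outright, and the first does so before the `ptr->ai_socktype == SOCK_DGRAM` test, so the TCP listeners get it as well as the UDP ones. With `SO_REUSEPORT`, another socket that sets the same option can typically bind the identical address and port instead of failing with EADDRINUSE, so an accidental second instance or another process allowed to share the port is no longer caught at bind time. If the change is only needed for the "Make DTLS work" item in the commit message, consider keeping `SO_REUSEADDR` for stream sockets and setting `SO_REUSEPORT` only inside the `SOCK_DGRAM` branch. A short comment in the port patch should record the FreeBSD-specific reason, for example `/* FreeBSD: UDP (DTLS) sockets must share the listen port */` if that is indeed the reason. Both enclosing functions begin and end outside the hunks, and a failed `setsockopt` is still only reported through `perror`.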
@@ -1,6 +1,6 @@ ---- src/occtl/occtl.c.orig 2020-08-06 18:51:31 UTC +--- src/occtl/occtl.c.orig 2023-06-16 17:01:03 UTC +++ src/occtl/occtl.c -@@ -264,7 +264,7 @@ static int handle_help_cmd(CONN_TYPE * conn, const cha +@@ -257,7 +257,7 @@ static int handle_help_cmd(CONN_TYPE * conn, const cha static int handle_reset_cmd(CONN_TYPE * conn, const char *arg, cmd_params_st *params) { rl_reset_terminal(NULL); diff --git a/net/ocserv/files/patch-src_occtl_time.c b/net/ocserv/files/patch-src_occtl_time.c index 85ef4c1819ec..0feb85fdffd0 100644 --- a/net/ocserv/files/patch-src_occtl_time.c +++ b/net/ocserv/files/patch-src_occtl_time.c @@ -1,16 +1,16 @@ ---- src/occtl/time.c.orig 2017-09-09 08:34:02 UTC +--- src/occtl/time.c.orig 2023-06-09 13:21:24 UTC +++ src/occtl/time.c @@ -36,7 +36,7 @@ void print_time_ival7(char output[MAX_TMPSTR_SIZE], ti { time_t t = t1 - t2; -- if ((long)t < (long)0) { +- if ((long)t < 0) { + if ((long long)t < (long long)0) { /* system clock changed? */ snprintf(output, MAX_TMPSTR_SIZE, " ? "); return; @@ -44,17 +44,17 @@ void print_time_ival7(char output[MAX_TMPSTR_SIZE], ti - + if (t >= 48 * 60 * 60) /* 2 days or more */ - snprintf(output, MAX_TMPSTR_SIZE, _("%2ludays"), (long)t / (24 * 60 * 60));