From nobody Mon Aug 21 13:09:17 2023 X-Original-To: dev-commits-ports-all@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4RTt9943gcz4qm3r; Mon, 21 Aug 2023 13:09:17 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4RTt993W35z3Jkr; Mon, 21 Aug 2023 13:09:17 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1692623357; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=RbcnBEHRX4ZVdrh9q77Pjb8/Kf+/CRaUGhdvnh2eTpg=; b=C+mlBUm4vkPMsZhy5uGaOCG0fiTi09XFN5qOpiXtAoMCpWKeSJvPhJXVjjYlAmfiT+a+wO 9XP84pSUOkHGc4mvKyYeANWTA0xoolJ4G77jMbTG/KuJZITbmYboTROjeWQKcdWmUTVSzz 5WtqfI81yqW9UJEP31WJEeJyK9ATlrxplngZw4LjzfkTfNzsE1anB6JAuUDcrPf/WLYv7T ZIG+eKThK9Qux3e2NHd3ZzLQ3+hS1OfCJu+XEkmGzy1VK2ZbdhhORgAgZLvVpcnuTLlwD7 ekwQNnzTVipUJEiIl91rqSG+Ybsvtuy0hWxeIgkQJreK3f85rcnN1cy0bQad2Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1692623357; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=RbcnBEHRX4ZVdrh9q77Pjb8/Kf+/CRaUGhdvnh2eTpg=; b=O7jXRY81A2eX6lMbKTiNUhDK2AIWsG9Ah/oHJj/Ah2y7Fq5XSZQ4efNuyc5JCS22kkAcnH fis/gQYBwT4ivHt+kSlSuw5MV19+dd5kHrr8/3Z5HaxoUSQd96Ujn0ffvUb9RI13Dli6TX tImQoRu1n+UNDkb7SXcMpKVJ85UiRW/bD+LMG9J2kh6feZzd+ooYD2H9vjFSib+UKaKvXZ AqVYiqUlnN4JJk2WTgEwSaAHF3/GjyQY6OetOYjXaBNZoI7UcVUAOJWjWHbVkCPDfmtPdH 9L64f9Kg+bLC2hkDyir5N+DoP1QLfy+cEGZG5B8wE2o4pkQiFljelWjHPvYZuw== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1692623357; a=rsa-sha256; cv=none; b=g0L4PbppNyfyK5YB7CFAV83NlpZT/obWQoS9UNbuOOLS32gsYxW0pE0mSGUFs9F6CrpawO tkVhwUGwkd4gigxAoF7ogJLmsgmj+KEEyJtry9+8GCn7ZTeKJqj3praieE6nPkq9J1GDmQ y4gSxOIg3dt9AzZM7MBjQatFH9iVD/cK7nwidlQZdfT42SQQU+rm7lSrmqMLxMMfo9saix Dj6n5Jp6t7sqDd3Vqs6ZhH6pE4Tf6Yl5PcoNwdlFZcWKgGOq1/xyJDUwa0/pC6fuoylr4r 3xT+YkHtVkZk+QllwTlyNGV9Q91/aJJHWITwzBrQpWn5otKALmkhkrhbzB5Olg== ARC-Authentication-Results: i=1; mx1.freebsd.org; none Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4RTt992YT8z6s4; Mon, 21 Aug 2023 13:09:17 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.17.1/8.17.1) with ESMTP id 37LD9HsG081767; Mon, 21 Aug 2023 13:09:17 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.17.1/8.17.1/Submit) id 37LD9HnT081764; Mon, 21 Aug 2023 13:09:17 GMT (envelope-from git) Date: Mon, 21 Aug 2023 13:09:17 GMT Message-Id: <202308211309.37LD9HnT081764@gitrepo.freebsd.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org From: Juraj Lutter Subject: git: 944e00e9f40f - main - net/ocserv: Update to 1.2.0 List-Id: Commit messages for all branches of the ports repository List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-ports-all@freebsd.org X-BeenThere: dev-commits-ports-all@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: otis X-Git-Repository: ports X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: 944e00e9f40f573dc08548e56398332475746a44 Auto-Submitted: auto-generated The branch main has been updated by otis: URL: https://cgit.FreeBSD.org/ports/commit/?id=944e00e9f40f573dc08548e56398332475746a44 commit 944e00e9f40f573dc08548e56398332475746a44 Author: Juraj Lutter AuthorDate: 2023-08-16 09:12:39 +0000 Commit: Juraj Lutter CommitDate: 2023-08-21 13:08:57 +0000 net/ocserv: Update to 1.2.0 - Update to 1.2.0 - Adjust dependencies - Make DTLS work - Regen patches Co-authored-by: Eugene Mitrofanov --- net/ocserv/Makefile | 6 +++--- net/ocserv/distinfo | 6 +++--- net/ocserv/files/patch-configure.ac | 8 ++++---- net/ocserv/files/patch-doc_sample.config | 28 +++++++++++++++------------- net/ocserv/files/patch-src_ip-util.h | 10 ++++++++++ net/ocserv/files/patch-src_main.c | 25 +++++++++++++++++++++++++ net/ocserv/files/patch-src_occtl_occtl.c | 4 ++-- net/ocserv/files/patch-src_occtl_time.c | 6 +++--- 8 files changed, 65 insertions(+), 28 deletions(-) diff --git a/net/ocserv/Makefile b/net/ocserv/Makefile index 6dc13dac271e..10d9f2d3d2b9 100644 --- a/net/ocserv/Makefile +++ b/net/ocserv/Makefile @@ -1,5 +1,5 @@ PORTNAME= ocserv -DISTVERSION= 1.1.7 +DISTVERSION= 1.2.0 CATEGORIES= net net-vpn security MASTER_SITES= https://www.infradead.org/ocserv/download/ @@ -23,8 +23,8 @@ LIB_DEPENDS= libev.so:devel/libev \ libtalloc.so:devel/talloc \ libtasn1.so:security/libtasn1 -USES= autoreconf cpe gperf libtool localbase ncurses pathfix \ - pkgconfig readline tar:xz +USES= autoreconf cpe gettext-tools gperf libtool localbase ncurses \ + pathfix pkgconfig readline tar:xz CPE_VENDOR= infradead USE_RC_SUBR= ocserv diff --git a/net/ocserv/distinfo b/net/ocserv/distinfo index 30465e6a2b45..c10dada0e39f 100644 --- a/net/ocserv/distinfo +++ b/net/ocserv/distinfo @@ -1,3 +1,3 @@ -TIMESTAMP = 1683875970 -SHA256 (ocserv-1.1.7.tar.xz) = f30f7515e1e569ca2e68a96fa5e3dd10d49a18a40c981ad95b484d10835e3aa6 -SIZE (ocserv-1.1.7.tar.xz) = 844140 +TIMESTAMP = 1692132524 +SHA256 (ocserv-1.2.0.tar.xz) = 47a66e504a6b04bb04856176d78ee392ad1385d22d1670d4ed48b7b95e9dffc5 +SIZE (ocserv-1.2.0.tar.xz) = 746968 diff --git a/net/ocserv/files/patch-configure.ac b/net/ocserv/files/patch-configure.ac index 27f60419b701..f06c82846f51 100644 --- a/net/ocserv/files/patch-configure.ac +++ b/net/ocserv/files/patch-configure.ac @@ -1,15 +1,15 @@ ---- configure.ac.orig 2020-10-09 11:32:59 UTC +--- configure.ac.orig 2023-07-11 12:47:23 UTC +++ configure.ac -@@ -15,7 +15,7 @@ AM_PROG_AR - AM_PROG_CC_C_O +@@ -16,7 +16,7 @@ AM_PROG_CC_C_O AC_PROG_SED + if test "$GCC" = "yes" && ! expr "$CC" : clang >/dev/null 2>&1;then - CFLAGS="$CFLAGS -Wall -Wno-strict-aliasing -Wextra -Wno-unused-parameter -Wno-sign-compare -Wno-missing-field-initializers -Wno-implicit-fallthrough -Wno-stringop-truncation" + CFLAGS="$CFLAGS -Wall -Wno-strict-aliasing -Wextra -Wno-unused-parameter -Wno-sign-compare -Wno-missing-field-initializers" fi AC_PATH_PROG(CTAGS, ctags, [:]) -@@ -222,7 +222,7 @@ if test "$test_for_geoip" = yes && test "$have_maxmind +@@ -223,7 +223,7 @@ if test "$test_for_geoip" = yes && test "$have_maxmind fi have_readline=no diff --git a/net/ocserv/files/patch-doc_sample.config b/net/ocserv/files/patch-doc_sample.config index f866507ac5a0..b21233ad088d 100644 --- a/net/ocserv/files/patch-doc_sample.config +++ b/net/ocserv/files/patch-doc_sample.config @@ -1,4 +1,4 @@ ---- doc/sample.config.orig 2022-12-02 18:59:51 UTC +--- doc/sample.config.orig 2023-07-11 12:54:03 UTC +++ doc/sample.config @@ -19,7 +19,7 @@ # This enabled PAM authentication of the user. The gid-min option is used @@ -91,9 +91,13 @@ # The number of sub-processes to use for the security module (authentication) # processes. Typically this should not be set as the number of processes -@@ -172,15 +169,9 @@ ca-cert = ../tests/certs/ca.pem +@@ -171,17 +168,10 @@ ca-cert = ../tests/certs/ca.pem + ### operation. If the server key changes on reload, there may be connection ### failures during the reloading time. ++# ocserv 1.1.1 on FreeBSD does not currently support process isolation, ++# because ocserv only supports Linux's seccomp system, but not capsicum(4). ++#isolate-workers = false -# Whether to enable seccomp/Linux namespaces worker isolation. That restricts the number of -# system calls allowed to a worker process, in order to reduce damage from a @@ -102,15 +106,13 @@ -# Note however, that process isolation is restricted to the specific libc versions -# the isolation was tested at. If you get random failures on worker processes, try -# disabling that option and report the failures you, along with system and debugging --# information at: https://gitlab.com/ocserv/ocserv/issues +-# information at: https://gitlab.com/openconnect/ocserv/issues -isolate-workers = true -+# ocserv 1.1.1 on FreeBSD does not currently support process isolation, -+# because ocserv only supports Linux's seccomp system, but not capsicum(4). -+#isolate-workers = false - +- # A banner to be displayed on clients after connection #banner = "Welcome" -@@ -262,7 +253,7 @@ try-mtu-discovery = false + +@@ -262,7 +252,7 @@ try-mtu-discovery = false # You can update this response periodically using: # ocsptool --ask --load-cert=your_cert --load-issuer=your_ca --outfile response # Make sure that you replace the following file in an atomic way. @@ -119,7 +121,7 @@ # The object identifier that will be used to read the user ID in the client # certificate. The object identifier should be part of the certificate's DN -@@ -281,7 +272,7 @@ cert-user-oid = 0.9.2342.19200300.100.1.1 +@@ -281,7 +271,7 @@ cert-user-oid = 0.9.2342.19200300.100.1.1 # See the manual to generate an empty CRL initially. The CRL will be reloaded # periodically when ocserv detects a change in the file. To force a reload use # SIGHUP. @@ -128,7 +130,7 @@ # Uncomment this to enable compression negotiation (LZS, LZ4). #compression = true -@@ -558,15 +549,15 @@ no-route = 192.168.5.0/255.255.255.0 +@@ -560,15 +550,15 @@ no-route = 192.168.5.0/255.255.255.0 # Note the that following two firewalling options currently are available # in Linux systems with iptables software. @@ -147,7 +149,7 @@ # access specific ports in the network. This option can be set globally # or in the per-user configuration. #restrict-user-to-ports = "tcp(443), tcp(80), udp(443), sctp(99), tcp(583), icmp(), icmpv6()" -@@ -614,13 +605,13 @@ no-route = 192.168.5.0/255.255.255.0 +@@ -616,13 +606,13 @@ no-route = 192.168.5.0/255.255.255.0 # hostname to override any proposed by the user. Note also, that, any # routes, no-routes, DNS or NBNS servers present will overwrite the global ones. @@ -165,7 +167,7 @@ # The system command to use to setup a route. %{R} will be replaced with the # route/mask, %{RI} with the route in CIDR format, and %{D} with the (tun) device. -@@ -642,7 +633,7 @@ no-route = 192.168.5.0/255.255.255.0 +@@ -644,7 +634,7 @@ no-route = 192.168.5.0/255.255.255.0 # In MIT kerberos you'll need to add in realms: # EXAMPLE.COM = { # kdc = https://ocserv.example.com/KdcProxy @@ -174,7 +176,7 @@ # } # In some distributions the krb5-k5tls plugin of kinit is required. # -@@ -722,13 +713,13 @@ client-bypass-protocol = false +@@ -747,13 +737,13 @@ camouflage_realm = "Restricted Content" [vhost:www.example.com] auth = "certificate" diff --git a/net/ocserv/files/patch-src_ip-util.h b/net/ocserv/files/patch-src_ip-util.h new file mode 100644 index 000000000000..ac62f740dc65 --- /dev/null +++ b/net/ocserv/files/patch-src_ip-util.h @@ -0,0 +1,10 @@ +--- src/ip-util.h.orig 2023-08-15 11:26:31.522070000 +0300 ++++ src/ip-util.h 2023-08-15 11:28:31.360118000 +0300 +@@ -24,6 +24,7 @@ + + #include + #include ++#include + + #define MAX_IP_STR 46 + // Lower MTU bound is the value defined in RFC 791 diff --git a/net/ocserv/files/patch-src_main.c b/net/ocserv/files/patch-src_main.c new file mode 100644 index 000000000000..f5c7037ce8e3 --- /dev/null +++ b/net/ocserv/files/patch-src_main.c @@ -0,0 +1,25 @@ +--- src/main.c.orig 2023-06-16 17:01:03 UTC ++++ src/main.c +@@ -215,9 +215,9 @@ int _listen_ports(void *pool, struct perm_cfg_st* conf + #endif + + y = 1; +- if (setsockopt(s, SOL_SOCKET, SO_REUSEADDR, ++ if (setsockopt(s, SOL_SOCKET, SO_REUSEPORT, + (const void *) &y, sizeof(y)) < 0) { +- perror("setsockopt(SO_REUSEADDR) failed"); ++ perror("setsockopt(SO_REUSEPORT) failed"); + } + + if (ptr->ai_socktype == SOCK_DGRAM) { +@@ -424,8 +424,8 @@ int y; + #endif + + y = 1; +- if (setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, (const void *) &y, sizeof(y)) < 0) { +- perror("setsockopt(SO_REUSEADDR) failed"); ++ if (setsockopt(fd, SOL_SOCKET, SO_REUSEPORT, (const void *) &y, sizeof(y)) < 0) { ++ perror("setsockopt(SO_REUSEPORT) failed"); + } + + if (GETCONFIG(s)->try_mtu) { diff --git a/net/ocserv/files/patch-src_occtl_occtl.c b/net/ocserv/files/patch-src_occtl_occtl.c index de75a421e6fe..b7c73f0d305b 100644 --- a/net/ocserv/files/patch-src_occtl_occtl.c +++ b/net/ocserv/files/patch-src_occtl_occtl.c @@ -1,6 +1,6 @@ ---- src/occtl/occtl.c.orig 2020-08-06 18:51:31 UTC +--- src/occtl/occtl.c.orig 2023-06-16 17:01:03 UTC +++ src/occtl/occtl.c -@@ -264,7 +264,7 @@ static int handle_help_cmd(CONN_TYPE * conn, const cha +@@ -257,7 +257,7 @@ static int handle_help_cmd(CONN_TYPE * conn, const cha static int handle_reset_cmd(CONN_TYPE * conn, const char *arg, cmd_params_st *params) { rl_reset_terminal(NULL); diff --git a/net/ocserv/files/patch-src_occtl_time.c b/net/ocserv/files/patch-src_occtl_time.c index 85ef4c1819ec..0feb85fdffd0 100644 --- a/net/ocserv/files/patch-src_occtl_time.c +++ b/net/ocserv/files/patch-src_occtl_time.c @@ -1,16 +1,16 @@ ---- src/occtl/time.c.orig 2017-09-09 08:34:02 UTC +--- src/occtl/time.c.orig 2023-06-09 13:21:24 UTC +++ src/occtl/time.c @@ -36,7 +36,7 @@ void print_time_ival7(char output[MAX_TMPSTR_SIZE], ti { time_t t = t1 - t2; -- if ((long)t < (long)0) { +- if ((long)t < 0) { + if ((long long)t < (long long)0) { /* system clock changed? */ snprintf(output, MAX_TMPSTR_SIZE, " ? "); return; @@ -44,17 +44,17 @@ void print_time_ival7(char output[MAX_TMPSTR_SIZE], ti - + if (t >= 48 * 60 * 60) /* 2 days or more */ - snprintf(output, MAX_TMPSTR_SIZE, _("%2ludays"), (long)t / (24 * 60 * 60));