
net/ocserv: Update to 1.0.1

Changelog:
https://gitlab.com/openconnect/ocserv/-/blob/1.0.1/NEWS#L1

This commit makes the following additional changes from Juraj's
submission:

- fix LIB_DEPENDS to libpcl.so:devel/pcl (not devel/libpcl)
- replace LOCALBASE by PREFIX throughout, as these are internal references
- remove the src/config.c patch, it makes no sense to first
  statically patch and then run REINPLACE_CMD for DEFAULT_CFG_FILE
- remove doc/sample.config from another REINPLACE_CMD
- remove @ - it makes no sense to hide running commands
- patch example configuration to avoid isolate-workers = true, which
  currently only works on Linux's seccomp.
- in the same vein, put up a warning pkg-message that there is no worker
  process isolation
- install the @sample file as ocserv.conf.sample, not conf.sample,
  so it matches the default configuration file path

Things that could be done but are not:
- rcfile option to configure a separate config file

PR:		245521
Submitted by:	Juraj Lutter <juraj@lutter.sk>
Approved by:	cpm@ (maintainer timeout, 15 d)
This commit is contained in:
Matthias Andree 2020-04-25 14:38:20 +00:00
parent 7f4c09ca63
commit 804b0f94b7
Notes: svn2git 2021-03-31 03:12:20 +00:00
svn path=/head/; revision=532955
11 changed files with 48 additions and 88 deletions


@ -2,8 +2,7 @@
# $FreeBSD$
PORTNAME= ocserv
PORTVERSION= 0.12.4
PORTREVISION= 2
PORTVERSION= 1.0.1
CATEGORIES= net net-vpn security
MASTER_SITES= ftp://ftp.infradead.org/pub/ocserv/
@ -24,7 +23,7 @@ LIB_DEPENDS= liblz4.so:archivers/liblz4 \
libtasn1.so:security/libtasn1 \
libnettle.so:security/nettle \
liboath.so:security/oath-toolkit \
libpcl.so:devel/libpcl
libpcl.so:devel/pcl
USES= autoreconf cpe gperf libtool localbase ncurses \
pathfix pkgconfig readline tar:xz
@ -53,25 +52,28 @@ GSSAPI_CONFIGURE_OFF= --without-gssapi
RADIUS_LIB_DEPENDS= libradcli.so:net/radcli
RADIUS_CONFIGURE_OFF= --without-radius
.include <bsd.port.pre.mk>
post-patch:
@${REINPLACE_CMD} 's|/usr/bin/ocserv-fw|${LOCALBASE}/bin/ocserv-fw|g' \
${WRKSRC}/src/main-user.c \
${WRKSRC}/doc/sample.config
@${REINPLACE_CMD} 's|/usr/bin/ocserv\\-fw|${LOCALBASE}/bin/ocserv\\-fw|g' \
${REINPLACE_CMD} 's|/usr/bin/ocserv-fw|${PREFIX}/bin/ocserv-fw|g' \
${WRKSRC}/src/main-user.c
${REINPLACE_CMD} 's|/usr/bin/ocserv\\-fw|${PREFIX}/bin/ocserv\\-fw|g' \
${WRKSRC}/doc/ocserv.8
.if "${PREFIX}" != "" && "${PREFIX}" != "/" && "${PREFIX}" != "/usr"
${REINPLACE_CMD} -E 's|^(#define DEFAULT_CFG_FILE ")(/etc/ocserv/ocserv.conf")|\1${PREFIX}\2|' ${WRKSRC}/src/config.c
.endif
post-install:
@${MKDIR} ${STAGEDIR}${PREFIX}/etc/ocserv
@${MKDIR} ${STAGEDIR}/var/run/ocserv
${INSTALL_DATA} ${FILESDIR}/ocserv.conf ${STAGEDIR}${PREFIX}/etc/ocserv/conf.sample
${MKDIR} ${STAGEDIR}${PREFIX}/etc/ocserv ${STAGEDIR}/var/run/ocserv
${INSTALL_DATA} ${FILESDIR}/ocserv.conf ${STAGEDIR}${PREFIX}/etc/ocserv/ocserv.conf.sample
${INSTALL_MAN} ${WRKSRC}/doc/*.8 ${STAGEDIR}${MANPREFIX}/man/man8
post-install-DOCS-on:
@${MKDIR} ${STAGEDIR}${DOCSDIR}
${MKDIR} ${STAGEDIR}${DOCSDIR}
cd ${WRKSRC} && ${INSTALL_DATA} ${PORTDOCS} ${STAGEDIR}${DOCSDIR}
post-install-EXAMPLES-on:
@${MKDIR} ${STAGEDIR}${EXAMPLESDIR}
${MKDIR} ${STAGEDIR}${EXAMPLESDIR}
cd ${WRKSRC}/doc && ${INSTALL_DATA} ${PORTEXAMPLES} ${STAGEDIR}${EXAMPLESDIR}
.include <bsd.port.mk>
.include <bsd.port.post.mk>
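Review bot: The DEFAULT_CFG_FILE rewrite inside the `.if` block of post-patch is now the only thing keeping the daemon's built-in config path in step with the `ocserv.conf.sample` staged under `${PREFIX}/etc/ocserv`, and REINPLACE_CMD silently does nothing if upstream ever reformats that `#define`, which would ship a binary that reads `/etc/ocserv/ocserv.conf` while the port documents the PREFIX path. Make the substitution fail loudly by following it with `@${GREP} -q '"${PREFIX}/etc/ocserv/ocserv.conf"' ${WRKSRC}/src/config.c || (${ECHO_MSG} 'DEFAULT_CFG_FILE substitution did not apply'; exit 1)`. The `"${PREFIX}" != "/usr"` exclusion also leaves the binary default at /etc/ocserv while post-install still stages the sample under ${PREFIX}/etc/ocserv, so for that prefix the two disagree by construction; if that prefix is unsupported, say so in a comment on the `.if` line. The removed src/config.c patch in this commit shows an untouched `OLD_DEFAULT_CFG_FILE "/etc/ocserv.conf"`; whether ocserv falls back to it is not visible here, but if it does, a stale file in the base-system /etc would be picked up without any warning, which is worth a note next to the REINPLACE.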


@ -1,3 +1,3 @@
TIMESTAMP = 1562531995
SHA256 (ocserv-0.12.4.tar.xz) = 05c01effa8a7c2f022616fcb62bade4df51aa7f0035248671da12819d62cb185
SIZE (ocserv-0.12.4.tar.xz) = 763540
TIMESTAMP = 1586552655
SHA256 (ocserv-1.0.1.tar.xz) = 59d9ef7a1aeb95ff6e762e2a0f231b3fae2ea420f68a1cf09d39a26395040f4b
SIZE (ocserv-1.0.1.tar.xz) = 787800


@ -26,7 +26,7 @@
# One entry must be listed per line, and 'ocpasswd' should be used
# to generate password entries. The 'otp' suboption allows one to specify
# an oath password file to be used for one time passwords; the format of
# the file is described in https://code.google.com/p/mod-authn-otp/wiki/UsersFile
# the file is described in https://github.com/archiecobbs/mod-authn-otp/wiki/UsersFile
#
# radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true,nas-identifier=name]:
# The radius option requires specifying freeradius-client configuration
@ -77,6 +77,10 @@ auth = "plain[passwd=./sample.passwd]"
# hostname.
#listen-host = [IP|HOSTNAME]
# Use udp-listen-host to limit udp to specific IPs or to the IPs of a provided
# hostname. if not set, listen-host will be used
#udp-listen-host = [IP|HOSTNAME]
# When the server has a dynamic DNS address (that may change),
# should set that to true to ask the client to resolve again on
# reconnects.
@ -171,6 +175,9 @@ ca-cert = ../tests/certs/ca.pem
### operation. If the server key changes on reload, there may be connection
### failures during the reloading time.
# ocserv 1.0.1 on FreeBSD does not currently support process isolation,
# because ocserv only supports Linux's seccomp system, but not capsicum(4).
#isolate-workers = false
# A banner to be displayed on clients
#banner = "Welcome"
@ -391,7 +398,8 @@ rekey-method = ssl
# client), OCSERV_NO_ROUTES, OCSERV_DNS (the DNS servers for this client),
# will contain a space separated list of routes or DNS servers. A version
# of these variables with the 4 or 6 suffix will contain only the IPv4 or
# IPv6 values.
# IPv6 values. The connect script must return zero as exit code, or the
# client connection will be refused.
# The disconnect script will receive the additional values: STATS_BYTES_IN,
# STATS_BYTES_OUT, STATS_DURATION that contain a 64-bit counter of the bytes
@ -566,7 +574,7 @@ no-route = 192.168.5.0/255.255.255.0
# keepalive, dpd, mobile-dpd, max-same-clients, tunnel-all-dns,
# restrict-user-to-routes, user-profile, cgroup, stats-report-time,
# mtu, idle-timeout, mobile-idle-timeout, restrict-user-to-ports,
# and session-timeout.
# split-dns and session-timeout.
#
# Note that the 'iroute' option allows one to add routes on the server
# based on a user or group. The syntax depends on the input accepted
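Review bot: The new comment above `#isolate-workers = false` says the feature is unavailable but not what an operator loses or what ocserv does if the key is set to true anyway, which is the question a reader of a line labelled as a security trade-off will have. The hunk itself only establishes that the isolation backend is Linux seccomp with no capsicum(4) equivalent; whether the worker's privilege drop to its configured user still applies, and whether ocserv refuses to start or silently ignores `isolate-workers = true` when built without seccomp, is not visible here and should be confirmed before documenting it. Suggested wording once confirmed: `# isolate-workers selects Linux seccomp syscall filtering for the worker processes; ocserv has no capsicum(4) backend, so on FreeBSD this key has no sandbox to enable. Leave it unset.` Embedding `1.0.1` in the installed sample also goes stale on the next PORTVERSION bump; describe the missing capability rather than the version.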


@ -1,4 +1,4 @@
--- configure.ac.orig 2018-04-22 08:43:20 UTC
--- configure.ac.orig 2020-04-09 21:07:12 UTC
+++ configure.ac
@@ -15,7 +15,7 @@ AM_PROG_AR
AM_PROG_CC_C_O
@ -9,7 +9,7 @@
fi
AC_PATH_PROG(CTAGS, ctags, [:])
AC_PATH_PROG(CSCOPE, cscope, [:])
@@ -168,7 +168,7 @@ if test "$test_for_geoip" = yes;then
@@ -199,7 +199,7 @@ if test "$test_for_geoip" = yes && test "$have_maxmind
fi
have_readline=no


@ -1,4 +1,4 @@
--- doc/sample.config.orig 2018-04-15 19:13:39 UTC
--- doc/sample.config.orig 2020-04-09 20:56:20 UTC
+++ doc/sample.config
@@ -19,7 +19,7 @@
# This enabled PAM authentication of the user. The gid-min option is used
@ -9,7 +9,7 @@
# The plain option requires specifying a password file which contains
# entries of the following format.
# "username:groupname1,groupname2:encoded-password"
@@ -102,8 +102,8 @@ udp-port = 443
@@ -106,8 +106,8 @@ udp-port = 443
# The user the worker processes will be run as. It should be
# unique (no other services run as this user).
@ -20,7 +20,7 @@
# socket file used for IPC with occtl. You only need to set that,
# if you use more than a single servers.
@@ -172,16 +172,6 @@ ca-cert = ../tests/certs/ca.pem
@@ -176,15 +176,9 @@ ca-cert = ../tests/certs/ca.pem
### failures during the reloading time.
@ -33,11 +33,13 @@
-# disabling that option and report the failures you, along with system and debugging
-# information at: https://gitlab.com/ocserv/ocserv/issues
-isolate-workers = true
-
+# ocserv 1.0.1 on FreeBSD does not currently support process isolation,
+# because ocserv only supports Linux's seccomp system, but not capsicum(4).
+#isolate-workers = false
# A banner to be displayed on clients
#banner = "Welcome"
@@ -530,15 +520,15 @@ no-route = 192.168.5.0/255.255.255.0
@@ -535,15 +529,15 @@ no-route = 192.168.5.0/255.255.255.0
# Note the that following two firewalling options currently are available
# in Linux systems with iptables software.
@ -56,7 +58,7 @@
# access specific ports in the network. This option can be set globally
# or in the per-user configuration.
#restrict-user-to-ports = "tcp(443), tcp(80), udp(443), sctp(99), tcp(583), icmp(), icmpv6()"
@@ -586,13 +576,13 @@ no-route = 192.168.5.0/255.255.255.0
@@ -591,13 +585,13 @@ no-route = 192.168.5.0/255.255.255.0
# hostname to override any proposed by the user. Note also, that, any
# routes, no-routes, DNS or NBNS servers present will overwrite the global ones.
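Review bot: The replacement text in the isolate-workers hunk turns upstream's active `isolate-workers = true` into a commented-out `#isolate-workers = false`, so the effective setting in doc/sample.config becomes whatever ocserv compiles in as its default, and the new comment never states that. The comment also hardcodes `ocserv 1.0.1`, so this patch will need editing on every update even when the surrounding hunk still applies; the other hunks in this file are pure offset refreshes and would not have needed touching otherwise. Prefer a version-free statement such as `# Worker isolation in ocserv is implemented with Linux seccomp only; no capsicum(4) backend exists, so it is unavailable on FreeBSD.` and, if ocserv's behaviour for an unset key is known, one line saying what that default is.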


@ -1,11 +0,0 @@
--- src/config.c.orig 2018-04-15 19:13:39 UTC
+++ src/config.c
@@ -57,7 +57,7 @@
#include <getopt.h>
#define OLD_DEFAULT_CFG_FILE "/etc/ocserv.conf"
-#define DEFAULT_CFG_FILE "/etc/ocserv/ocserv.conf"
+#define DEFAULT_CFG_FILE "/usr/local/etc/ocserv/conf"
static void print_version(void);


@ -1,25 +0,0 @@
--- src/tun.c.orig 2018-04-14 07:52:35 UTC
+++ src/tun.c
@@ -895,3 +895,22 @@ ssize_t tun_read(int sockfd, void *buf, size_t len)
return read(sockfd, buf, len);
}
#endif
+
+#ifndef __FreeBSD__
+int tun_claim(int sockfd)
+{
+
+ return (0);
+}
+#else
+/*
+ * FreeBSD has a mechanism by which a tunnel has a single controlling process,
+ * and only that one process may close it. When the controlling process closes
+ * the tunnel, the state is torn down.
+ */
+int tun_claim(int sockfd)
+{
+
+ return (ioctl(sockfd, TUNSIFPID, 0));
+}
+#endif /* !__FreeBSD__ */


@ -1,9 +0,0 @@
--- src/tun.h.orig 2018-01-13 18:43:41 UTC
+++ src/tun.h
@@ -35,5 +35,6 @@ struct tun_lease_st {
ssize_t tun_write(int sockfd, const void *buf, size_t len);
ssize_t tun_read(int sockfd, void *buf, size_t len);
+int tun_claim(int sockfd);
#endif


@ -1,14 +0,0 @@
--- src/worker-auth.c.orig 2019-01-19 18:47:47 UTC
+++ src/worker-auth.c
@@ -605,7 +605,10 @@ static int recv_cookie_auth_reply(worker_st * ws)
case AUTH__REP__OK:
if (socketfd != -1) {
ws->tun_fd = socketfd;
-
+ if (tun_claim(ws->tun_fd) != 0) {
+ ret = ERR_AUTH_FAIL;
+ goto cleanup;
+ }
if (msg->vname == NULL || msg->config == NULL || msg->user_name == NULL || msg->sid.len != sizeof(ws->sid)) {
ret = ERR_AUTH_FAIL;
goto cleanup;

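--- /dev/null
+++ b/net/ocserv/pkg-message
@@ -0,0 +1,7 @@
+[
+{ message: <<EOM
+SECURITY NOTE: ocserv 1.0.1 currently cannot isolate workers processes
+on FreeBSD, it only supports Linux's seccomp, but not FreeBSD's capsicum.
+EOM
+}
+]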


@ -4,6 +4,6 @@ bin/ocserv-fw
man/man8/occtl.8.gz
man/man8/ocpasswd.8.gz
man/man8/ocserv.8.gz
@sample etc/ocserv/conf.sample
@sample etc/ocserv/ocserv.conf.sample
sbin/ocserv
@dir(%%USERS%%,%%GROUPS%%,750) /var/run/ocserv