net/ocserv: Update to 1.0.1
Changelog: https://gitlab.com/openconnect/ocserv/-/blob/1.0.1/NEWS#L1 This commit makes the following additional changes from Juraj's submission: - fix LIB_DEPENDS to libpcl.so:devel/pcl (not devel/libpcl) - replace LOCALBASE by PREFIX throughout, as these are internal references - remove the src/config.c patch, it makes no sense to first statically patch and then run REINPLACE_CMD for DEFAULT_CFG_FILE - remove doc/sample.config from another REINPLACE_CMD - remove @ - it makes no sense to hide running commands - patch example configuration to avoid isolate-workers = true, which currently only works on Linux's seccomp. - in the same vein, put up a warning pkg-message that there is no worker process isolation - install the @sample file as ocserv.conf.sample, not conf.sample, so it matches the default configuration file path Things that could be done but are not: - rcfile option to configure a separate config file PR: 245521 Submitted by: Juraj Lutter <juraj@lutter.sk> Approved by: cpm@ (maintainer timeout, 15 d)
This commit is contained in:
parent
7f4c09ca63
commit
804b0f94b7
Notes:
svn2git
2021-03-31 03:12:20 +00:00
svn path=/head/; revision=532955
@ -2,8 +2,7 @@
|
||||
# $FreeBSD$
|
||||
|
||||
PORTNAME= ocserv
|
||||
PORTVERSION= 0.12.4
|
||||
PORTREVISION= 2
|
||||
PORTVERSION= 1.0.1
|
||||
CATEGORIES= net net-vpn security
|
||||
MASTER_SITES= ftp://ftp.infradead.org/pub/ocserv/
|
||||
|
||||
@ -24,7 +23,7 @@ LIB_DEPENDS= liblz4.so:archivers/liblz4 \
|
||||
libtasn1.so:security/libtasn1 \
|
||||
libnettle.so:security/nettle \
|
||||
liboath.so:security/oath-toolkit \
|
||||
libpcl.so:devel/libpcl
|
||||
libpcl.so:devel/pcl
|
||||
|
||||
USES= autoreconf cpe gperf libtool localbase ncurses \
|
||||
pathfix pkgconfig readline tar:xz
|
||||
@ -53,25 +52,28 @@ GSSAPI_CONFIGURE_OFF= --without-gssapi
|
||||
RADIUS_LIB_DEPENDS= libradcli.so:net/radcli
|
||||
RADIUS_CONFIGURE_OFF= --without-radius
|
||||
|
||||
.include <bsd.port.pre.mk>
|
||||
|
||||
post-patch:
|
||||
@${REINPLACE_CMD} 's|/usr/bin/ocserv-fw|${LOCALBASE}/bin/ocserv-fw|g' \
|
||||
${WRKSRC}/src/main-user.c \
|
||||
${WRKSRC}/doc/sample.config
|
||||
@${REINPLACE_CMD} 's|/usr/bin/ocserv\\-fw|${LOCALBASE}/bin/ocserv\\-fw|g' \
|
||||
${REINPLACE_CMD} 's|/usr/bin/ocserv-fw|${PREFIX}/bin/ocserv-fw|g' \
|
||||
${WRKSRC}/src/main-user.c
|
||||
${REINPLACE_CMD} 's|/usr/bin/ocserv\\-fw|${PREFIX}/bin/ocserv\\-fw|g' \
|
||||
${WRKSRC}/doc/ocserv.8
|
||||
.if "${PREFIX}" != "" && "${PREFIX}" != "/" && "${PREFIX}" != "/usr"
|
||||
${REINPLACE_CMD} -E 's|^(#define DEFAULT_CFG_FILE ")(/etc/ocserv/ocserv.conf")|\1${PREFIX}\2|' ${WRKSRC}/src/config.c
|
||||
.endif
|
||||
|
||||
post-install:
|
||||
@${MKDIR} ${STAGEDIR}${PREFIX}/etc/ocserv
|
||||
@${MKDIR} ${STAGEDIR}/var/run/ocserv
|
||||
${INSTALL_DATA} ${FILESDIR}/ocserv.conf ${STAGEDIR}${PREFIX}/etc/ocserv/conf.sample
|
||||
${MKDIR} ${STAGEDIR}${PREFIX}/etc/ocserv ${STAGEDIR}/var/run/ocserv
|
||||
${INSTALL_DATA} ${FILESDIR}/ocserv.conf ${STAGEDIR}${PREFIX}/etc/ocserv/ocserv.conf.sample
|
||||
${INSTALL_MAN} ${WRKSRC}/doc/*.8 ${STAGEDIR}${MANPREFIX}/man/man8
|
||||
|
||||
post-install-DOCS-on:
|
||||
@${MKDIR} ${STAGEDIR}${DOCSDIR}
|
||||
${MKDIR} ${STAGEDIR}${DOCSDIR}
|
||||
cd ${WRKSRC} && ${INSTALL_DATA} ${PORTDOCS} ${STAGEDIR}${DOCSDIR}
|
||||
|
||||
post-install-EXAMPLES-on:
|
||||
@${MKDIR} ${STAGEDIR}${EXAMPLESDIR}
|
||||
${MKDIR} ${STAGEDIR}${EXAMPLESDIR}
|
||||
cd ${WRKSRC}/doc && ${INSTALL_DATA} ${PORTEXAMPLES} ${STAGEDIR}${EXAMPLESDIR}
|
||||
|
||||
.include <bsd.port.mk>
|
||||
.include <bsd.port.post.mk>
|
||||
|
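Review bot: The guard `.if "${PREFIX}" != "" && "${PREFIX}" != "/" && "${PREFIX}" != "/usr"` leaves DEFAULT_CFG_FILE at `/etc/ocserv/ocserv.conf` when PREFIX is `/usr`, yet post-install stages the sample at `${PREFIX}/etc/ocserv/ocserv.conf.sample` unconditionally, so in that (unusual) case the binary's default config path and the installed sample disagree; the `/usr` exclusion looks like a leftover and could be dropped, or the sample path made to follow the same condition. Separately, the `${REINPLACE_CMD} -E 's|^(#define DEFAULT_CFG_FILE ")...` call is silent when its pattern no longer matches, which is exactly how a future upstream change to that define would go unnoticed and ship a binary that reads a config file the port never installs. I would add a post-patch assertion directly after it, inside the same `.if`, such as `@${GREP} -q '"${PREFIX}/etc/ocserv/ocserv.conf"' ${WRKSRC}/src/config.c || (${ECHO_MSG} "DEFAULT_CFG_FILE not rewritten"; exit 1)`. The same concern applies to the `ocserv-fw` substitution in `src/main-user.c`, where a missed rewrite would leave the firewall helper path pointing at a non-existent `/usr/bin/ocserv-fw`.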
@ -1,3 +1,3 @@
|
||||
TIMESTAMP = 1562531995
|
||||
SHA256 (ocserv-0.12.4.tar.xz) = 05c01effa8a7c2f022616fcb62bade4df51aa7f0035248671da12819d62cb185
|
||||
SIZE (ocserv-0.12.4.tar.xz) = 763540
|
||||
TIMESTAMP = 1586552655
|
||||
SHA256 (ocserv-1.0.1.tar.xz) = 59d9ef7a1aeb95ff6e762e2a0f231b3fae2ea420f68a1cf09d39a26395040f4b
|
||||
SIZE (ocserv-1.0.1.tar.xz) = 787800
|
||||
|
@ -26,7 +26,7 @@
|
||||
# One entry must be listed per line, and 'ocpasswd' should be used
|
||||
# to generate password entries. The 'otp' suboption allows one to specify
|
||||
# an oath password file to be used for one time passwords; the format of
|
||||
# the file is described in https://code.google.com/p/mod-authn-otp/wiki/UsersFile
|
||||
# the file is described in https://github.com/archiecobbs/mod-authn-otp/wiki/UsersFile
|
||||
#
|
||||
# radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true,nas-identifier=name]:
|
||||
# The radius option requires specifying freeradius-client configuration
|
||||
@ -77,6 +77,10 @@ auth = "plain[passwd=./sample.passwd]"
|
||||
# hostname.
|
||||
#listen-host = [IP|HOSTNAME]
|
||||
|
||||
# Use udp-listen-host to limit udp to specific IPs or to the IPs of a provided
|
||||
# hostname. if not set, listen-host will be used
|
||||
#udp-listen-host = [IP|HOSTNAME]
|
||||
|
||||
# When the server has a dynamic DNS address (that may change),
|
||||
# should set that to true to ask the client to resolve again on
|
||||
# reconnects.
|
||||
@ -171,6 +175,9 @@ ca-cert = ../tests/certs/ca.pem
|
||||
### operation. If the server key changes on reload, there may be connection
|
||||
### failures during the reloading time.
|
||||
|
||||
# ocserv 1.0.1 on FreeBSD does not currently support process isolation,
|
||||
# because ocserv only supports Linux's seccomp system, but not capsicum(4).
|
||||
#isolate-workers = false
|
||||
|
||||
# A banner to be displayed on clients
|
||||
#banner = "Welcome"
|
||||
@ -391,7 +398,8 @@ rekey-method = ssl
|
||||
# client), OCSERV_NO_ROUTES, OCSERV_DNS (the DNS servers for this client),
|
||||
# will contain a space separated list of routes or DNS servers. A version
|
||||
# of these variables with the 4 or 6 suffix will contain only the IPv4 or
|
||||
# IPv6 values.
|
||||
# IPv6 values. The connect script must return zero as exit code, or the
|
||||
# client connection will be refused.
|
||||
|
||||
# The disconnect script will receive the additional values: STATS_BYTES_IN,
|
||||
# STATS_BYTES_OUT, STATS_DURATION that contain a 64-bit counter of the bytes
|
||||
@ -566,7 +574,7 @@ no-route = 192.168.5.0/255.255.255.0
|
||||
# keepalive, dpd, mobile-dpd, max-same-clients, tunnel-all-dns,
|
||||
# restrict-user-to-routes, user-profile, cgroup, stats-report-time,
|
||||
# mtu, idle-timeout, mobile-idle-timeout, restrict-user-to-ports,
|
||||
# and session-timeout.
|
||||
# split-dns and session-timeout.
|
||||
#
|
||||
# Note that the 'iroute' option allows one to add routes on the server
|
||||
# based on a user or group. The syntax depends on the input accepted
|
||||
|
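Review bot: The new comment at `# ocserv 1.0.1 on FreeBSD does not currently support process isolation,` says what is missing but not what happens if an administrator sets `isolate-workers = true` anyway, as a configuration copied from a Linux host would. If, as the note implies, the option has no effect on this platform rather than being rejected at startup, the comment should state that explicitly, because an operator who sees `isolate-workers = true` in a running config will otherwise assume the sandbox is active. I would extend it with `# Setting isolate-workers = true has no effect on FreeBSD; rely on the dedicated` / `# unprivileged worker user configured earlier in this file instead.` Note that the firewalling options this file documents further down are described as Linux/iptables-only as well, so they should not be offered as the compensating control here.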
@ -1,4 +1,4 @@
|
||||
--- configure.ac.orig 2018-04-22 08:43:20 UTC
|
||||
--- configure.ac.orig 2020-04-09 21:07:12 UTC
|
||||
+++ configure.ac
|
||||
@@ -15,7 +15,7 @@ AM_PROG_AR
|
||||
AM_PROG_CC_C_O
|
||||
@ -9,7 +9,7 @@
|
||||
fi
|
||||
AC_PATH_PROG(CTAGS, ctags, [:])
|
||||
AC_PATH_PROG(CSCOPE, cscope, [:])
|
||||
@@ -168,7 +168,7 @@ if test "$test_for_geoip" = yes;then
|
||||
@@ -199,7 +199,7 @@ if test "$test_for_geoip" = yes && test "$have_maxmind
|
||||
fi
|
||||
|
||||
have_readline=no
|
||||
|
@ -1,4 +1,4 @@
|
||||
--- doc/sample.config.orig 2018-04-15 19:13:39 UTC
|
||||
--- doc/sample.config.orig 2020-04-09 20:56:20 UTC
|
||||
+++ doc/sample.config
|
||||
@@ -19,7 +19,7 @@
|
||||
# This enabled PAM authentication of the user. The gid-min option is used
|
||||
@ -9,7 +9,7 @@
|
||||
# The plain option requires specifying a password file which contains
|
||||
# entries of the following format.
|
||||
# "username:groupname1,groupname2:encoded-password"
|
||||
@@ -102,8 +102,8 @@ udp-port = 443
|
||||
@@ -106,8 +106,8 @@ udp-port = 443
|
||||
|
||||
# The user the worker processes will be run as. It should be
|
||||
# unique (no other services run as this user).
|
||||
@ -20,7 +20,7 @@
|
||||
|
||||
# socket file used for IPC with occtl. You only need to set that,
|
||||
# if you use more than a single servers.
|
||||
@@ -172,16 +172,6 @@ ca-cert = ../tests/certs/ca.pem
|
||||
@@ -176,15 +176,9 @@ ca-cert = ../tests/certs/ca.pem
|
||||
### failures during the reloading time.
|
||||
|
||||
|
||||
@ -33,11 +33,13 @@
|
||||
-# disabling that option and report the failures you, along with system and debugging
|
||||
-# information at: https://gitlab.com/ocserv/ocserv/issues
|
||||
-isolate-workers = true
|
||||
-
|
||||
+# ocserv 1.0.1 on FreeBSD does not currently support process isolation,
|
||||
+# because ocserv only supports Linux's seccomp system, but not capsicum(4).
|
||||
+#isolate-workers = false
|
||||
|
||||
# A banner to be displayed on clients
|
||||
#banner = "Welcome"
|
||||
|
||||
@@ -530,15 +520,15 @@ no-route = 192.168.5.0/255.255.255.0
|
||||
@@ -535,15 +529,15 @@ no-route = 192.168.5.0/255.255.255.0
|
||||
# Note the that following two firewalling options currently are available
|
||||
# in Linux systems with iptables software.
|
||||
|
||||
@ -56,7 +58,7 @@
|
||||
# access specific ports in the network. This option can be set globally
|
||||
# or in the per-user configuration.
|
||||
#restrict-user-to-ports = "tcp(443), tcp(80), udp(443), sctp(99), tcp(583), icmp(), icmpv6()"
|
||||
@@ -586,13 +576,13 @@ no-route = 192.168.5.0/255.255.255.0
|
||||
@@ -591,13 +585,13 @@ no-route = 192.168.5.0/255.255.255.0
|
||||
# hostname to override any proposed by the user. Note also, that, any
|
||||
# routes, no-routes, DNS or NBNS servers present will overwrite the global ones.
|
||||
|
||||
|
@ -1,11 +0,0 @@
|
||||
--- src/config.c.orig 2018-04-15 19:13:39 UTC
|
||||
+++ src/config.c
|
||||
@@ -57,7 +57,7 @@
|
||||
#include <getopt.h>
|
||||
|
||||
#define OLD_DEFAULT_CFG_FILE "/etc/ocserv.conf"
|
||||
-#define DEFAULT_CFG_FILE "/etc/ocserv/ocserv.conf"
|
||||
+#define DEFAULT_CFG_FILE "/usr/local/etc/ocserv/conf"
|
||||
|
||||
static void print_version(void);
|
||||
|
@ -1,25 +0,0 @@
|
||||
--- src/tun.c.orig 2018-04-14 07:52:35 UTC
|
||||
+++ src/tun.c
|
||||
@@ -895,3 +895,22 @@ ssize_t tun_read(int sockfd, void *buf, size_t len)
|
||||
return read(sockfd, buf, len);
|
||||
}
|
||||
#endif
|
||||
+
|
||||
+#ifndef __FreeBSD__
|
||||
+int tun_claim(int sockfd)
|
||||
+{
|
||||
+
|
||||
+ return (0);
|
||||
+}
|
||||
+#else
|
||||
+/*
|
||||
+ * FreeBSD has a mechanism by which a tunnel has a single controlling process,
|
||||
+ * and only that one process may close it. When the controlling process closes
|
||||
+ * the tunnel, the state is torn down.
|
||||
+ */
|
||||
+int tun_claim(int sockfd)
|
||||
+{
|
||||
+
|
||||
+ return (ioctl(sockfd, TUNSIFPID, 0));
|
||||
+}
|
||||
+#endif /* !__FreeBSD__ */
|
@ -1,9 +0,0 @@
|
||||
--- src/tun.h.orig 2018-01-13 18:43:41 UTC
|
||||
+++ src/tun.h
|
||||
@@ -35,5 +35,6 @@ struct tun_lease_st {
|
||||
|
||||
ssize_t tun_write(int sockfd, const void *buf, size_t len);
|
||||
ssize_t tun_read(int sockfd, void *buf, size_t len);
|
||||
+int tun_claim(int sockfd);
|
||||
|
||||
#endif
|
@ -1,14 +0,0 @@
|
||||
--- src/worker-auth.c.orig 2019-01-19 18:47:47 UTC
|
||||
+++ src/worker-auth.c
|
||||
@@ -605,7 +605,10 @@ static int recv_cookie_auth_reply(worker_st * ws)
|
||||
case AUTH__REP__OK:
|
||||
if (socketfd != -1) {
|
||||
ws->tun_fd = socketfd;
|
||||
-
|
||||
+ if (tun_claim(ws->tun_fd) != 0) {
|
||||
+ ret = ERR_AUTH_FAIL;
|
||||
+ goto cleanup;
|
||||
+ }
|
||||
if (msg->vname == NULL || msg->config == NULL || msg->user_name == NULL || msg->sid.len != sizeof(ws->sid)) {
|
||||
ret = ERR_AUTH_FAIL;
|
||||
goto cleanup;
|
7
net/ocserv/pkg-message
Normal file
7
net/ocserv/pkg-message
Normal file
@ -0,0 +1,7 @@
|
||||
[
|
||||
{ message: <<EOM
|
||||
SECURITY NOTE: ocserv 1.0.1 currently cannot isolate workers processes
|
||||
on FreeBSD, it only supports Linux's seccomp, but not FreeBSD's capsicum.
|
||||
EOM
|
||||
}
|
||||
]
|
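Review bot: The message text at `SECURITY NOTE: ocserv 1.0.1 currently cannot isolate workers processes` should read `worker processes`, and as written it tells operators what is absent without telling them what to verify. Since this is the only text an administrator sees at install time, I would add one line naming the compensating control, e.g. `Make sure the worker processes run as a dedicated unprivileged user (see the` / `worker user settings in ocserv.conf.sample).` The hard-coded `1.0.1` will also silently go stale at the next PORTVERSION bump; `ocserv on FreeBSD` is sufficient.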
@ -4,6 +4,6 @@ bin/ocserv-fw
|
||||
man/man8/occtl.8.gz
|
||||
man/man8/ocpasswd.8.gz
|
||||
man/man8/ocserv.8.gz
|
||||
@sample etc/ocserv/conf.sample
|
||||
@sample etc/ocserv/ocserv.conf.sample
|
||||
sbin/ocserv
|
||||
@dir(%%USERS%%,%%GROUPS%%,750) /var/run/ocserv
|
||||
|