From 804b0f94b784e98c6bde97ffbae26cdeb1716ff6 Mon Sep 17 00:00:00 2001 
From: Matthias Andree Date: Sat, 25 Apr 2020 14:38:20 +0000 Subject: [PATCH] net/ocserv: Update to 1.0.1 Changelog: https://gitlab.com/openconnect/ocserv/-/blob/1.0.1/NEWS#L1 This commit makes the following additional changes from Juraj's submission: - fix LIB_DEPENDS to libpc.so:devel/pcl (not devel/libpcl) - replace LOCALBASE by PREFIX throughout, as these are internal references - remove the src/config.c patch, it makes no sense to first statically patch and then run REINPLACE_CMD for DEFAULT_CFG_FILE - remove doc/sample.config from another REINPLACE_CMD - remove @ - it makes no sense to hide running commands - patch example configuration to avoid isolate-workers = true, which currently only works on Linux's seccomp. - in the same vein, put up a warning pkg-message that there is no worker process isolation - install the @sample file as ocserv.conf.sample, not conf.sample, so it matches the default configuration file path Things that could be done but are not: - rcfile option to configure a separate config file PR: 245521 Submitted by: Juraj Lutter Approved by: cpm@ (maintainer timeout, 15 d) --- net/ocserv/Makefile | 28 +++++++++++++----------- net/ocserv/distinfo | 6 ++--- net/ocserv/files/ocserv.conf | 14 +++++++++--- net/ocserv/files/patch-configure.ac | 4 ++-- net/ocserv/files/patch-doc_sample.config | 16 ++++++++------ net/ocserv/files/patch-src_config.c | 11 ---------- net/ocserv/files/patch-src_tun.c | 25 --------------------- net/ocserv/files/patch-src_tun.h | 9 -------- net/ocserv/files/patch-src_worker-auth.c | 14 ------------ net/ocserv/pkg-message | 7 ++++++ net/ocserv/pkg-plist | 2 +- 11 files changed, 48 insertions(+), 88 deletions(-) delete mode 100644 net/ocserv/files/patch-src_config.c delete mode 100644 net/ocserv/files/patch-src_tun.c delete mode 100644 net/ocserv/files/patch-src_tun.h delete mode 100644 net/ocserv/files/patch-src_worker-auth.c create mode 100644 net/ocserv/pkg-message 
diff --git a/net/ocserv/Makefile b/net/ocserv/Makefile index b2875639ce3e..ba1438bca71d 100644 --- a/net/ocserv/Makefile +++ b/net/ocserv/Makefile @@ -2,8 +2,7 @@ # $FreeBSD$ PORTNAME= ocserv -PORTVERSION= 0.12.4 -PORTREVISION= 2 +PORTVERSION= 1.0.1 CATEGORIES= net net-vpn security MASTER_SITES= ftp://ftp.infradead.org/pub/ocserv/ @@ -24,7 +23,7 @@ LIB_DEPENDS= liblz4.so:archivers/liblz4 \ libtasn1.so:security/libtasn1 \ libnettle.so:security/nettle \ liboath.so:security/oath-toolkit \ - libpcl.so:devel/libpcl + libpcl.so:devel/pcl USES= autoreconf cpe gperf libtool localbase ncurses \ pathfix pkgconfig readline tar:xz 
@@ -53,25 +52,28 @@ GSSAPI_CONFIGURE_OFF= --without-gssapi RADIUS_LIB_DEPENDS= libradcli.so:net/radcli RADIUS_CONFIGURE_OFF= --without-radius +.include + post-patch: - @${REINPLACE_CMD} 's|/usr/bin/ocserv-fw|${LOCALBASE}/bin/ocserv-fw|g' \ - ${WRKSRC}/src/main-user.c \ - ${WRKSRC}/doc/sample.config - @${REINPLACE_CMD} 's|/usr/bin/ocserv\\-fw|${LOCALBASE}/bin/ocserv\\-fw|g' \ + ${REINPLACE_CMD} 's|/usr/bin/ocserv-fw|${PREFIX}/bin/ocserv-fw|g' \ + ${WRKSRC}/src/main-user.c + ${REINPLACE_CMD} 's|/usr/bin/ocserv\\-fw|${PREFIX}/bin/ocserv\\-fw|g' \ ${WRKSRC}/doc/ocserv.8 +.if "${PREFIX}" != "" && "${PREFIX}" != "/" && "${PREFIX}" != "/usr" + ${REINPLACE_CMD} -E 's|^(#define DEFAULT_CFG_FILE ")(/etc/ocserv/ocserv.conf")|\1${PREFIX}\2|' ${WRKSRC}/src/config.c +.endif post-install: - @${MKDIR} ${STAGEDIR}${PREFIX}/etc/ocserv - @${MKDIR} ${STAGEDIR}/var/run/ocserv - ${INSTALL_DATA} ${FILESDIR}/ocserv.conf ${STAGEDIR}${PREFIX}/etc/ocserv/conf.sample + ${MKDIR} ${STAGEDIR}${PREFIX}/etc/ocserv ${STAGEDIR}/var/run/ocserv + ${INSTALL_DATA} ${FILESDIR}/ocserv.conf ${STAGEDIR}${PREFIX}/etc/ocserv/ocserv.conf.sample ${INSTALL_MAN} ${WRKSRC}/doc/*.8 ${STAGEDIR}${MANPREFIX}/man/man8 post-install-DOCS-on: - @${MKDIR} ${STAGEDIR}${DOCSDIR} + ${MKDIR} ${STAGEDIR}${DOCSDIR} cd ${WRKSRC} && ${INSTALL_DATA} ${PORTDOCS} ${STAGEDIR}${DOCSDIR} post-install-EXAMPLES-on: - @${MKDIR} ${STAGEDIR}${EXAMPLESDIR} + ${MKDIR} ${STAGEDIR}${EXAMPLESDIR} cd ${WRKSRC}/doc && ${INSTALL_DATA} ${PORTEXAMPLES} ${STAGEDIR}${EXAMPLESDIR} -.include +.include diff --git a/net/ocserv/distinfo b/net/ocserv/distinfo index c14282c66ad5..949c48c6a695 100644 --- a/net/ocserv/distinfo +++ b/net/ocserv/distinfo 
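Review bot: The REINPLACE_CMD that rewrites DEFAULT_CFG_FILE in src/config.c in the new post-patch block runs unverified, so if the `#define` line stops matching the pattern the substitution silently does nothing and the daemon keeps looking for `/etc/ocserv/ocserv.conf` while the port installs its sample under `${PREFIX}/etc/ocserv/`; the `/usr` branch of the new `.if` guard presumably leaves the same split. Because that path decides which file the main process parses at start-up, I would fail the build when the rewrite does not apply, e.g. by following it with `${GREP} -q '^#define DEFAULT_CFG_FILE "${PREFIX}/etc/ocserv/ocserv.conf"' ${WRKSRC}/src/config.c`. The `.include` lines at the start and end of the hunk appear to have lost their bracketed file names in this rendering, so I cannot tell from the page which bsd.port.*.mk files are pulled in.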
@@ -1,3 +1,3 @@ -TIMESTAMP = 1562531995 -SHA256 (ocserv-0.12.4.tar.xz) = 05c01effa8a7c2f022616fcb62bade4df51aa7f0035248671da12819d62cb185 -SIZE (ocserv-0.12.4.tar.xz) = 763540 +TIMESTAMP = 1586552655 +SHA256 (ocserv-1.0.1.tar.xz) = 59d9ef7a1aeb95ff6e762e2a0f231b3fae2ea420f68a1cf09d39a26395040f4b +SIZE (ocserv-1.0.1.tar.xz) = 787800 diff --git a/net/ocserv/files/ocserv.conf b/net/ocserv/files/ocserv.conf index cf0f1eebd140..39c3a303bad1 100644 --- a/net/ocserv/files/ocserv.conf +++ b/net/ocserv/files/ocserv.conf @@ -26,7 +26,7 @@ # One entry must be listed per line, and 'ocpasswd' should be used # to generate password entries. The 'otp' suboption allows one to specify # an oath password file to be used for one time passwords; the format of -# the file is described in https://code.google.com/p/mod-authn-otp/wiki/UsersFile +# the file is described in https://github.com/archiecobbs/mod-authn-otp/wiki/UsersFile # # radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true,nas-identifier=name]: # The radius option requires specifying freeradius-client configuration @@ -77,6 +77,10 @@ auth = "plain[passwd=./sample.passwd]" # hostname. #listen-host = [IP|HOSTNAME] +# Use udp-listen-host to limit udp to specific IPs or to the IPs of a provided +# hostname. if not set, listen-host will be used +#udp-listen-host = [IP|HOSTNAME] + # When the server has a dynamic DNS address (that may change), # should set that to true to ask the client to resolve again on # reconnects. @@ -171,6 +175,9 @@ ca-cert = ../tests/certs/ca.pem ### operation. If the server key changes on reload, there may be connection ### failures during the reloading time. +# ocserv 1.0.1 on FreeBSD does not currently support process isolation, +# because ocserv only supports Linux's seccomp system, but not capsicum(4). +#isolate-workers = false # A banner to be displayed on clients #banner = "Welcome" 
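Review bot: The new `#isolate-workers = false` line in the isolate-workers hunk is commented out, so the effective value on FreeBSD is ocserv's compiled-in default, which the comment does not state; a reader of this sample cannot tell whether workers run without a sandbox because the option is off or because the build lacks seccomp. I would either name the default in the comment, or, if ocserv's parser accepts the option on builds without seccomp, ship `isolate-workers = false` uncommented so the installed configuration states the same thing as the new pkg-message. The same commented line is added to doc/sample.config through files/patch-doc_sample.config in the later hunks and should stay consistent with whatever is chosen here.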
@@ -391,7 +398,8 @@ rekey-method = ssl # client), OCSERV_NO_ROUTES, OCSERV_DNS (the DNS servers for this client), # will contain a space separated list of routes or DNS servers. A version # of these variables with the 4 or 6 suffix will contain only the IPv4 or -# IPv6 values. +# IPv6 values. The connect script must return zero as exit code, or the +# client connection will be refused. # The disconnect script will receive the additional values: STATS_BYTES_IN, # STATS_BYTES_OUT, STATS_DURATION that contain a 64-bit counter of the bytes @@ -566,7 +574,7 @@ no-route = 192.168.5.0/255.255.255.0 # keepalive, dpd, mobile-dpd, max-same-clients, tunnel-all-dns, # restrict-user-to-routes, user-profile, cgroup, stats-report-time, # mtu, idle-timeout, mobile-idle-timeout, restrict-user-to-ports, -# and session-timeout. +# split-dns and session-timeout. # # Note that the 'iroute' option allows one to add routes on the server # based on a user or group. The syntax depends on the input accepted diff --git a/net/ocserv/files/patch-configure.ac b/net/ocserv/files/patch-configure.ac index 08394c7146c5..d7a63c6cb88f 100644 --- a/net/ocserv/files/patch-configure.ac +++ b/net/ocserv/files/patch-configure.ac @@ -1,4 +1,4 @@ ---- configure.ac.orig 2018-04-22 08:43:20 UTC +--- configure.ac.orig 2020-04-09 21:07:12 UTC +++ configure.ac @@ -15,7 +15,7 @@ AM_PROG_AR AM_PROG_CC_C_O @@ -9,7 +9,7 @@ fi AC_PATH_PROG(CTAGS, ctags, [:]) AC_PATH_PROG(CSCOPE, cscope, [:]) -@@ -168,7 +168,7 @@ if test "$test_for_geoip" = yes;then +@@ -199,7 +199,7 @@ if test "$test_for_geoip" = yes && test "$have_maxmind fi have_readline=no diff --git a/net/ocserv/files/patch-doc_sample.config b/net/ocserv/files/patch-doc_sample.config index c511b6163590..9793353efa4b 100644 --- a/net/ocserv/files/patch-doc_sample.config +++ b/net/ocserv/files/patch-doc_sample.config @@ -1,4 +1,4 @@ ---- doc/sample.config.orig 2018-04-15 19:13:39 UTC +--- doc/sample.config.orig 2020-04-09 20:56:20 UTC +++ doc/sample.config 
@@ -19,7 +19,7 @@ # This enabled PAM authentication of the user. The gid-min option is used @@ -9,7 +9,7 @@ # The plain option requires specifying a password file which contains # entries of the following format. # "username:groupname1,groupname2:encoded-password" -@@ -102,8 +102,8 @@ udp-port = 443 +@@ -106,8 +106,8 @@ udp-port = 443 # The user the worker processes will be run as. It should be # unique (no other services run as this user). @@ -20,7 +20,7 @@ # socket file used for IPC with occtl. You only need to set that, # if you use more than a single servers. -@@ -172,16 +172,6 @@ ca-cert = ../tests/certs/ca.pem +@@ -176,15 +176,9 @@ ca-cert = ../tests/certs/ca.pem ### failures during the reloading time. @@ -33,11 +33,13 @@ -# disabling that option and report the failures you, along with system and debugging -# information at: https://gitlab.com/ocserv/ocserv/issues -isolate-workers = true -- ++# ocserv 1.0.1 on FreeBSD does not currently support process isolation, ++# because ocserv only supports Linux's seccomp system, but not capsicum(4). ++#isolate-workers = false + # A banner to be displayed on clients #banner = "Welcome" - -@@ -530,15 +520,15 @@ no-route = 192.168.5.0/255.255.255.0 +@@ -535,15 +529,15 @@ no-route = 192.168.5.0/255.255.255.0 # Note the that following two firewalling options currently are available # in Linux systems with iptables software. @@ -56,7 +58,7 @@ # access specific ports in the network. This option can be set globally # or in the per-user configuration. #restrict-user-to-ports = "tcp(443), tcp(80), udp(443), sctp(99), tcp(583), icmp(), icmpv6()" -@@ -586,13 +576,13 @@ no-route = 192.168.5.0/255.255.255.0 +@@ -591,13 +585,13 @@ no-route = 192.168.5.0/255.255.255.0 # hostname to override any proposed by the user. Note also, that, any # routes, no-routes, DNS or NBNS servers present will overwrite the global ones. 
diff --git a/net/ocserv/files/patch-src_config.c b/net/ocserv/files/patch-src_config.c deleted file mode 100644 index 46cdb1798c5b..000000000000 --- a/net/ocserv/files/patch-src_config.c +++ /dev/null @@ -1,11 +0,0 @@ ---- src/config.c.orig 2018-04-15 19:13:39 UTC -+++ src/config.c -@@ -57,7 +57,7 @@ - #include - - #define OLD_DEFAULT_CFG_FILE "/etc/ocserv.conf" --#define DEFAULT_CFG_FILE "/etc/ocserv/ocserv.conf" -+#define DEFAULT_CFG_FILE "/usr/local/etc/ocserv/conf" - - static void print_version(void); - diff --git a/net/ocserv/files/patch-src_tun.c b/net/ocserv/files/patch-src_tun.c deleted file mode 100644 index 6fe5ed5e6246..000000000000 --- a/net/ocserv/files/patch-src_tun.c +++ /dev/null @@ -1,25 +0,0 @@ ---- src/tun.c.orig 2018-04-14 07:52:35 UTC -+++ src/tun.c -@@ -895,3 +895,22 @@ ssize_t tun_read(int sockfd, void *buf, size_t len) - return read(sockfd, buf, len); - } - #endif -+ -+#ifndef __FreeBSD__ -+int tun_claim(int sockfd) -+{ -+ -+ return (0); -+} -+#else -+/* -+ * FreeBSD has a mechanism by which a tunnel has a single controlling process, -+ * and only that one process may close it. When the controlling process closes -+ * the tunnel, the state is torn down. -+ */ -+int tun_claim(int sockfd) -+{ -+ -+ return (ioctl(sockfd, TUNSIFPID, 0)); -+} -+#endif /* !__FreeBSD__ */ diff --git a/net/ocserv/files/patch-src_tun.h b/net/ocserv/files/patch-src_tun.h deleted file mode 100644 index 0311177f3f78..000000000000 --- a/net/ocserv/files/patch-src_tun.h +++ /dev/null @@ -1,9 +0,0 @@ ---- src/tun.h.orig 2018-01-13 18:43:41 UTC -+++ src/tun.h -@@ -35,5 +35,6 @@ struct tun_lease_st { - - ssize_t tun_write(int sockfd, const void *buf, size_t len); - ssize_t tun_read(int sockfd, void *buf, size_t len); -+int tun_claim(int sockfd); - - #endif diff --git a/net/ocserv/files/patch-src_worker-auth.c b/net/ocserv/files/patch-src_worker-auth.c deleted file mode 100644 index f7e01eeed392..000000000000 --- a/net/ocserv/files/patch-src_worker-auth.c +++ /dev/null 
@@ -1,14 +0,0 @@ ---- src/worker-auth.c.orig 2019-01-19 18:47:47 UTC -+++ src/worker-auth.c -@@ -605,7 +605,10 @@ static int recv_cookie_auth_reply(worker_st * ws) - case AUTH__REP__OK: - if (socketfd != -1) { - ws->tun_fd = socketfd; -- -+ if (tun_claim(ws->tun_fd) != 0) { -+ ret = ERR_AUTH_FAIL; -+ goto cleanup; -+ } - if (msg->vname == NULL || msg->config == NULL || msg->user_name == NULL || msg->sid.len != sizeof(ws->sid)) { - ret = ERR_AUTH_FAIL; - goto cleanup; diff --git a/net/ocserv/pkg-message b/net/ocserv/pkg-message new file mode 100644 index 000000000000..71bdb86b7e13 --- /dev/null +++ b/net/ocserv/pkg-message @@ -0,0 +1,7 @@ +[ +{ message: <