svn commit: r563251 - in branches/2021Q1/net/ocserv: . files
Juraj Lutter
otis at FreeBSD.org
Fri Jan 29 21:28:41 UTC 2021
Author: otis
Date: Fri Jan 29 21:28:38 2021
New Revision: 563251
URL: https://svnweb.freebsd.org/changeset/ports/563251
Log:
MFH: r563249
net/ocserv: Update to 1.1.2
- Update to 1.1.2
- Reformat Makefile according to portclippy/portfmt
- Install sample config with PREFIX-ized values where
appropriate.
- Take MAINTAINERship
Reviewed by: osa (mentor)
Approved by: osa (mentor)
Differential Revision: https://reviews.freebsd.org/D28346
Added:
branches/2021Q1/net/ocserv/files/patch-src_main-ban.c
- copied unchanged from r563249, head/net/ocserv/files/patch-src_main-ban.c
Deleted:
branches/2021Q1/net/ocserv/files/ocserv.conf
Modified:
branches/2021Q1/net/ocserv/Makefile
branches/2021Q1/net/ocserv/distinfo
branches/2021Q1/net/ocserv/files/patch-doc_sample.config
branches/2021Q1/net/ocserv/files/patch-src_occtl_occtl.c
Directory Properties:
branches/2021Q1/ (props changed)
Modified: branches/2021Q1/net/ocserv/Makefile
==============================================================================
--- branches/2021Q1/net/ocserv/Makefile Fri Jan 29 21:28:31 2021 (r563250)
+++ branches/2021Q1/net/ocserv/Makefile Fri Jan 29 21:28:38 2021 (r563251)
@@ -2,12 +2,11 @@
# $FreeBSD$
PORTNAME= ocserv
-PORTVERSION= 1.1.1
-PORTREVISION= 1
+DISTVERSION= 1.1.2
CATEGORIES= net net-vpn security
MASTER_SITES= ftp://ftp.infradead.org/pub/ocserv/
-MAINTAINER= ports at FreeBSD.org
+MAINTAINER= otis at FreeBSD.org
COMMENT= Server implementing the AnyConnect SSL VPN protocol
LICENSE= GPLv2+
@@ -15,49 +14,47 @@ LICENSE_FILE= ${WRKSRC}/LICENSE
BUILD_DEPENDS= bash:shells/bash \
gsed:textproc/gsed
-LIB_DEPENDS= liblz4.so:archivers/liblz4 \
- libiconv.so:converters/libiconv \
- libev.so:devel/libev \
- libtalloc.so:devel/talloc \
- libprotobuf-c.so:devel/protobuf-c \
+LIB_DEPENDS= libev.so:devel/libev \
libgnutls.so:security/gnutls \
- libtasn1.so:security/libtasn1 \
+ libiconv.so:converters/libiconv \
+ liblz4.so:archivers/liblz4 \
libnettle.so:security/nettle \
liboath.so:security/oath-toolkit \
- libpcl.so:devel/pcl
+ libpcl.so:devel/pcl \
+ libprotobuf-c.so:devel/protobuf-c \
+ libtalloc.so:devel/talloc \
+ libtasn1.so:security/libtasn1
-USES= autoreconf cpe gperf libtool localbase ncurses \
- pathfix pkgconfig readline tar:xz
+USES= autoreconf cpe gperf libtool localbase ncurses pathfix \
+ pkgconfig readline tar:xz
CPE_VENDOR= infradead
+USE_RC_SUBR= ocserv
GNU_CONFIGURE= yes
-CONFIGURE_ARGS= --without-geoip \
- --without-http-parser \
- --disable-namespaces
+CONFIGURE_ARGS= --disable-namespaces \
+ --without-geoip \
+ --without-http-parser
USERS= _ocserv
GROUPS= _ocserv
-USE_RC_SUBR= ocserv
-
-PLIST_SUB= USERS="${USERS}" GROUPS="${GROUPS}"
-
-OPTIONS_DEFINE= DOCS EXAMPLES GSSAPI MAXMIND RADIUS
-
+PLIST_SUB= GROUPS="${GROUPS}" \
+ USERS="${USERS}"
PORTDOCS= AUTHORS ChangeLog NEWS README TODO
PORTEXAMPLES= profile.xml sample.config sample.passwd
-GSSAPI_USES= gssapi:mit
+OPTIONS_DEFINE= DOCS EXAMPLES GSSAPI MAXMIND RADIUS
+
+MAXMIND_DESC= Use Maxmind GeoIP library
+
GSSAPI_LIB_DEPENDS= libkrb5support.so:security/krb5
+GSSAPI_USES= gssapi:mit
GSSAPI_CONFIGURE_OFF= --without-gssapi
-
+MAXMIND_LIB_DEPENDS= libmaxminddb.so:net/libmaxminddb
+MAXMIND_CONFIGURE_OFF= --without-maxmind
RADIUS_LIB_DEPENDS= libradcli.so:net/radcli
RADIUS_CONFIGURE_OFF= --without-radius
-MAXMIND_DESC= Use Maxmind GeoIP library
-MAXMIND_LIB_DEPENDS= libmaxminddb.so:net/libmaxminddb
-MAXMIND_CONFIGURE_OFF= --without-maxmind
-
.include <bsd.port.pre.mk>
post-patch:
@@ -65,13 +62,19 @@ post-patch:
${WRKSRC}/src/main-user.c
${REINPLACE_CMD} 's|/usr/bin/ocserv\\-fw|${PREFIX}/bin/ocserv\\-fw|g' \
${WRKSRC}/doc/ocserv.8
+ ${REINPLACE_CMD} -e 's|%%PREFIX%%|${PREFIX}|g' \
+ -e 's|%%ETCDIR%%|${ETCDIR}|g' \
+ -e 's|%%USERS%%|${USERS}|g' \
+ -e 's|%%GROUPS%%|${GROUPS}|g' \
+ ${WRKSRC}/doc/sample.config
.if "${PREFIX}" != "" && "${PREFIX}" != "/" && "${PREFIX}" != "/usr"
${REINPLACE_CMD} -E 's|^(#define DEFAULT_CFG_FILE ")(/etc/ocserv/ocserv.conf")|\1${PREFIX}\2|' ${WRKSRC}/src/config.c
+ ${REINPLACE_CMD} -E 's|^(#define DEFAULT_OCPASSWD ")(/etc/ocserv/ocpasswd")|\1${PREFIX}\2|' ${WRKSRC}/src/ocpasswd/ocpasswd.c
.endif
post-install:
${MKDIR} ${STAGEDIR}${PREFIX}/etc/ocserv ${STAGEDIR}/var/run/ocserv
- ${INSTALL_DATA} ${FILESDIR}/ocserv.conf ${STAGEDIR}${PREFIX}/etc/ocserv/ocserv.conf.sample
+ ${INSTALL_DATA} ${WRKSRC}/doc/sample.config ${STAGEDIR}${PREFIX}/etc/ocserv/ocserv.conf.sample
${INSTALL_MAN} ${WRKSRC}/doc/*.8 ${STAGEDIR}${MANPREFIX}/man/man8
post-install-DOCS-on:
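Review bot: The added `-e 's|%%ETCDIR%%|${ETCDIR}|g'` substitution writes `${ETCDIR}` into the sample config, but the post-install lines a few lines below still spell the same directory as `${PREFIX}/etc/ocserv`, so the installed `ocserv.conf.sample` and the paths it references would diverge if ETCDIR were ever set away from its framework default of `${PREFIX}/etc/${PORTNAME}`. Using one variable on both sides keeps them in lock step: `${MKDIR} ${STAGEDIR}${ETCDIR} ${STAGEDIR}/var/run/ocserv` and `${INSTALL_DATA} ${WRKSRC}/doc/sample.config ${STAGEDIR}${ETCDIR}/ocserv.conf.sample`. Note that the same `doc/sample.config` is also listed in PORTEXAMPLES, so the EXAMPLES copy now carries the substituted PREFIX paths as well. The post-patch target begins before this hunk.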
Modified: branches/2021Q1/net/ocserv/distinfo
==============================================================================
--- branches/2021Q1/net/ocserv/distinfo Fri Jan 29 21:28:31 2021 (r563250)
+++ branches/2021Q1/net/ocserv/distinfo Fri Jan 29 21:28:38 2021 (r563251)
@@ -1,3 +1,3 @@
-TIMESTAMP = 1602242932
-SHA256 (ocserv-1.1.1.tar.xz) = 9c7aaf46e53e28cfa7be329b18f3951e7e851153ff6a27e946496fd4e8e5765a
-SIZE (ocserv-1.1.1.tar.xz) = 818988
+TIMESTAMP = 1611791595
+SHA256 (ocserv-1.1.2.tar.xz) = 889ccdbe8e67d3bc2bc8713b7fbb5bd4e79228abc6054e88858cb4ad6d0245dd
+SIZE (ocserv-1.1.2.tar.xz) = 824924
Modified: branches/2021Q1/net/ocserv/files/patch-doc_sample.config
==============================================================================
--- branches/2021Q1/net/ocserv/files/patch-doc_sample.config Fri Jan 29 21:28:31 2021 (r563250)
+++ branches/2021Q1/net/ocserv/files/patch-doc_sample.config Fri Jan 29 21:28:38 2021 (r563251)
@@ -1,26 +1,97 @@
---- doc/sample.config.orig 2020-09-20 19:49:01 UTC
+--- doc/sample.config.orig 2020-12-03 22:31:10 UTC
+++ doc/sample.config
@@ -19,7 +19,7 @@
# This enabled PAM authentication of the user. The gid-min option is used
# by auto-select-group option, in order to select the minimum valid group ID.
#
-# plain[passwd=/etc/ocserv/ocpasswd,otp=/etc/ocserv/users.otp]
-+# plain[passwd=/usr/local/etc/ocserv/ocpasswd,otp=/etc/ocserv/users.otp]
++# plain[passwd=%%ETCDIR%%/ocpasswd,otp=%%ETCDIR%%/users.otp]
# The plain option requires specifying a password file which contains
# entries of the following format.
# "username:groupname1,groupname2:encoded-password"
-@@ -110,8 +110,8 @@ udp-port = 443
+@@ -28,7 +28,7 @@
+ # an oath password file to be used for one time passwords; the format of
+ # the file is described in https://github.com/archiecobbs/mod-authn-otp/wiki/UsersFile
+ #
+-# radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true,nas-identifier=name]:
++# radius[config=%%PREFIX%%/etc/radiusclient/radiusclient.conf,groupconfig=true,nas-identifier=name]:
+ # The radius option requires specifying freeradius-client configuration
+ # file. If the groupconfig option is set, then config-per-user/group will be overridden,
+ # and all configuration will be read from radius. That also includes the
+@@ -47,10 +47,10 @@
+
+ #auth = "pam"
+ #auth = "pam[gid-min=1000]"
+-#auth = "plain[passwd=./sample.passwd,otp=./sample.otp]"
+-auth = "plain[passwd=./sample.passwd]"
++#auth = "plain[passwd=%%ETCDIR%%/sample.passwd,otp=%%ETCDIR%%/sample.otp]"
++auth = "plain[passwd=%%ETCDIR%%/sample.passwd]"
+ #auth = "certificate"
+-#auth = "radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true]"
++#auth = "radius[config=%%PREFIX%%/etc/radiusclient/radiusclient.conf,groupconfig=true]"
+
+ # Specify alternative authentication methods that are sufficient
+ # for authentication. That is, if set, any of the methods enabled
+@@ -71,7 +71,7 @@ auth = "plain[passwd=./sample.passwd]"
+ # PAM.
+ #
+ # Only one accounting method can be specified.
+-#acct = "radius[config=/etc/radiusclient/radiusclient.conf]"
++#acct = "radius[config=%%PREFIX%%/etc/radiusclient/radiusclient.conf]"
+
+ # Use listen-host to limit to specific IPs or to the IPs of a provided
+ # hostname.
+@@ -96,8 +96,8 @@ udp-port = 443
# The user the worker processes will be run as. This should be a dedicated
# unprivileged user (e.g., 'ocserv') and no other services should run as this
# user.
-run-as-user = nobody
-run-as-group = daemon
-+run-as-user = _ocserv
-+run-as-group = _ocserv
++run-as-user = %%USERS%%
++run-as-group = %%GROUPS%%
# socket file used for IPC with occtl. You only need to set that,
# if you use more than a single servers.
-@@ -180,15 +180,9 @@ ca-cert = ../tests/certs/ca.pem
+@@ -124,22 +124,20 @@ socket-file = /var/run/ocserv-socket
+ # certificate renewal (they are checked and reloaded periodically;
+ # a SIGHUP signal to main server will force reload).
+
+-#server-cert = /etc/ocserv/server-cert.pem
+-#server-key = /etc/ocserv/server-key.pem
+-server-cert = ../tests/certs/server-cert.pem
+-server-key = ../tests/certs/server-key.pem
++server-cert = %%ETCDIR%%/server-cert.pem
++server-key = %%ETCDIR%%/server-key.pem
+
+ # Diffie-Hellman parameters. Only needed if for old (pre 3.6.0
+ # versions of GnuTLS for supporting DHE ciphersuites.
+ # Can be generated using:
+-# certtool --generate-dh-params --outfile /etc/ocserv/dh.pem
+-#dh-params = /etc/ocserv/dh.pem
++# certtool --generate-dh-params --outfile %%ETCDIR%%/dh.pem
++#dh-params = %%ETCDIR%%/dh.pem
+
+ # In case PKCS #11, TPM or encrypted keys are used the PINs should be available
+ # in files. The srk-pin-file is applicable to TPM keys only, and is the
+ # storage root key.
+-#pin-file = /etc/ocserv/pin.txt
+-#srk-pin-file = /etc/ocserv/srkpin.txt
++#pin-file = %%ETCDIR%%/pin.txt
++#srk-pin-file = %%ETCDIR%%/srkpin.txt
+
+ # The password or PIN needed to unlock the key in server-key file.
+ # Only needed if the file is encrypted or a PKCS #11 object. This
+@@ -153,8 +151,7 @@ server-key = ../tests/certs/server-key.pem
+ # The Certificate Authority that will be used to verify
+ # client certificates (public keys) if certificate authentication
+ # is set.
+-#ca-cert = /etc/ocserv/ca.pem
+-ca-cert = ../tests/certs/ca.pem
++ca-cert = %%ETCDIR%%/ca.pem
+
+
+ ### All configuration options below this line are reloaded on a SIGHUP.
+@@ -166,15 +163,9 @@ ca-cert = ../tests/certs/ca.pem
### failures during the reloading time.
@@ -39,40 +110,84 @@
# A banner to be displayed on clients after connection
#banner = "Welcome"
-@@ -553,15 +547,15 @@ no-route = 192.168.5.0/255.255.255.0
+@@ -255,7 +246,7 @@ try-mtu-discovery = false
+ # You can update this response periodically using:
+ # ocsptool --ask --load-cert=your_cert --load-issuer=your_ca --outfile response
+ # Make sure that you replace the following file in an atomic way.
+-#ocsp-response = /etc/ocserv/ocsp.der
++#ocsp-response = %%ETCDIR%%/ocsp.der
+
+ # The object identifier that will be used to read the user ID in the client
+ # certificate. The object identifier should be part of the certificate's DN
+@@ -274,7 +265,7 @@ cert-user-oid = 0.9.2342.19200300.100.1.1
+ # See the manual to generate an empty CRL initially. The CRL will be reloaded
+ # periodically when ocserv detects a change in the file. To force a reload use
+ # SIGHUP.
+-#crl = /etc/ocserv/crl.pem
++#crl = %%ETCDIR%%/crl.pem
+
+ # Uncomment this to enable compression negotiation (LZS, LZ4).
+ #compression = true
+@@ -543,15 +534,15 @@ no-route = 192.168.5.0/255.255.255.0
# Note the that following two firewalling options currently are available
# in Linux systems with iptables software.
-# If set, the script /usr/bin/ocserv-fw will be called to restrict
-+# If set, the script /usr/local/bin/ocserv-fw will be called to restrict
++# If set, the script %%PREFIX%%/bin/ocserv-fw will be called to restrict
# the user to its allowed routes and prevent him from accessing
# any other routes. In case of defaultroute, the no-routes are restricted.
-# All the routes applied by ocserv can be reverted using /usr/bin/ocserv-fw
-+# All the routes applied by ocserv can be reverted using /usr/local/bin/ocserv-fw
++# All the routes applied by ocserv can be reverted using %%PREFIX%%/bin/ocserv-fw
# --removeall. This option can be set globally or in the per-user configuration.
#restrict-user-to-routes = true
# This option implies restrict-user-to-routes set to true. If set, the
-# script /usr/bin/ocserv-fw will be called to restrict the user to
-+# script /usr/local/bin/ocserv-fw will be called to restrict the user to
++# script %%PREFIX%%/bin/ocserv-fw will be called to restrict the user to
# access specific ports in the network. This option can be set globally
# or in the per-user configuration.
#restrict-user-to-ports = "tcp(443), tcp(80), udp(443), sctp(99), tcp(583), icmp(), icmpv6()"
-@@ -609,13 +603,13 @@ no-route = 192.168.5.0/255.255.255.0
+@@ -599,13 +590,13 @@ no-route = 192.168.5.0/255.255.255.0
# hostname to override any proposed by the user. Note also, that, any
# routes, no-routes, DNS or NBNS servers present will overwrite the global ones.
-#config-per-user = /etc/ocserv/config-per-user/
-#config-per-group = /etc/ocserv/config-per-group/
-+#config-per-user = /usr/local/etc/ocserv/config-per-user/
-+#config-per-group = /usr/local/etc/ocserv/config-per-group/
++#config-per-user = %%ETCDIR%%/config-per-user/
++#config-per-group = %%ETCDIR%%/config-per-group/
# When config-per-xxx is specified and there is no group or user that
# matches, then utilize the following configuration.
-#default-user-config = /etc/ocserv/defaults/user.conf
-#default-group-config = /etc/ocserv/defaults/group.conf
-+#default-user-config = /usr/local/etc/ocserv/defaults/user.conf
-+#default-group-config = /usr/local/etc/ocserv/defaults/group.conf
++#default-user-config = %%ETCDIR%%/defaults/user.conf
++#default-group-config = %%ETCDIR%%/defaults/group.conf
# The system command to use to setup a route. %{R} will be replaced with the
# route/mask, %{RI} with the route in CIDR format, and %{D} with the (tun) device.
+@@ -627,7 +618,7 @@ no-route = 192.168.5.0/255.255.255.0
+ # In MIT kerberos you'll need to add in realms:
+ # EXAMPLE.COM = {
+ # kdc = https://ocserv.example.com/KdcProxy
+-# http_anchors = FILE:/etc/ocserv-ca.pem
++# http_anchors = FILE:%%ETCDIR%%/ocserv-ca.pem
+ # }
+ # In some distributions the krb5-k5tls plugin of kinit is required.
+ #
+@@ -701,13 +692,13 @@ dtls-legacy = true
+ [vhost:www.example.com]
+ auth = "certificate"
+
+-ca-cert = ../tests/certs/ca.pem
++ca-cert = %%ETCDIR%%/ca.pem
+
+ # The certificate set here must include a 'dns_name' corresponding to
+ # the virtual host name.
+
+-server-cert = ../tests/certs/server-cert-secp521r1.pem
+-server-key = ../tests/certs/server-key-secp521r1.pem
++server-cert = %%ETCDIR%%/server-cert-secp521r1.pem
++server-key = %%ETCDIR%%/server-key-secp521r1.pem
+
+ ipv4-network = 192.168.2.0
+ ipv4-netmask = 255.255.255.0
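Review bot: The uncommented `+auth = "plain[passwd=%%ETCDIR%%/sample.passwd]"` line makes the installed ocserv.conf.sample point at a password file that this commit never installs into ETCDIR — sample.passwd appears only under PORTEXAMPLES in the Makefile — and it disagrees with the `DEFAULT_OCPASSWD` path the Makefile patches to `${PREFIX}/etc/ocserv/ocpasswd`. Pointing the sample at the file the ocpasswd tool manages avoids a fresh install failing at startup or an admin copying the example password file into ETCDIR to make it start: `+auth = "plain[passwd=%%ETCDIR%%/ocpasswd]"`, and for the commented variant above it `+#auth = "plain[passwd=%%ETCDIR%%/ocpasswd,otp=%%ETCDIR%%/users.otp]"`. The ca-cert and server-cert/server-key lines are moved from `../tests/certs` to ETCDIR paths in the same hunk, so the auth line looks like the one leftover of the upstream test layout.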
Copied: branches/2021Q1/net/ocserv/files/patch-src_main-ban.c (from r563249, head/net/ocserv/files/patch-src_main-ban.c)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ branches/2021Q1/net/ocserv/files/patch-src_main-ban.c Fri Jan 29 21:28:38 2021 (r563251, copy of r563249, head/net/ocserv/files/patch-src_main-ban.c)
@@ -0,0 +1,20 @@
+--- src/main-ban.c.orig 2021-01-26 17:01:03 UTC
++++ src/main-ban.c
+@@ -403,8 +403,8 @@ static bool test_local_ipv6(struct sockaddr_in6 * remo
+ unsigned index = 0;
+
+ for (index = 0; index < 4; index ++) {
+- uint32_t l = local->sin6_addr.s6_addr32[index] & network->sin6_addr.s6_addr32[index];
+- uint32_t r = remote->sin6_addr.s6_addr32[index] & network->sin6_addr.s6_addr32[index];
++ uint32_t l = local->sin6_addr.__u6_addr.__u6_addr32[index] & network->sin6_addr.__u6_addr.__u6_addr32[index];
++ uint32_t r = remote->sin6_addr.__u6_addr.__u6_addr32[index] & network->sin6_addr.__u6_addr.__u6_addr32[index];
+ if (l != r)
+ return false;
+ }
+@@ -443,4 +443,4 @@ void if_address_cleanup(main_server_st * s)
+
+ s->if_addresses = NULL;
+ s->if_addresses_count = 0;
+-}
+\ No newline at end of file
++}
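Review bot: The two added lines in test_local_ipv6 hard-code FreeBSD's private union members `__u6_addr.__u6_addr32`, double-underscore names reserved for the implementation that the port would have to re-patch if the header layout changed. The standard `s6_addr` byte array gives the same masked comparison without touching private names: `for (index = 0; index < 16; index ++) {`, `uint8_t l = local->sin6_addr.s6_addr[index] & network->sin6_addr.s6_addr[index];`, `uint8_t r = remote->sin6_addr.s6_addr[index] & network->sin6_addr.s6_addr[index];`. The rest of test_local_ipv6 starts before this hunk and is not visible here, so the `unsigned index` declaration would need no change beyond the loop bound. The second hunk only adds the missing trailing newline.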
Modified: branches/2021Q1/net/ocserv/files/patch-src_occtl_occtl.c
==============================================================================
--- branches/2021Q1/net/ocserv/files/patch-src_occtl_occtl.c Fri Jan 29 21:28:31 2021 (r563250)
+++ branches/2021Q1/net/ocserv/files/patch-src_occtl_occtl.c Fri Jan 29 21:28:38 2021 (r563251)
@@ -1,6 +1,6 @@
---- src/occtl/occtl.c.orig 2018-01-14 16:25:24 UTC
+--- src/occtl/occtl.c.orig 2020-08-06 18:51:31 UTC
+++ src/occtl/occtl.c
-@@ -249,7 +249,7 @@ static int handle_help_cmd(CONN_TYPE * conn, const cha
+@@ -264,7 +264,7 @@ static int handle_help_cmd(CONN_TYPE * conn, const cha
static int handle_reset_cmd(CONN_TYPE * conn, const char *arg, cmd_params_st *params)
{
rl_reset_terminal(NULL);