Attachment 212682 Details for Bug 245036 – net/ocserv: Update to 1.0.0

[patch] net/ocserv: Update to 1.0.0

net_ocserv-1.0.0.patch (text/plain), 7.63 KB, created by Juraj Lutter on 2020-03-24 22:44:01 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Juraj Lutter

Created: 2020-03-24 22:44:01 UTC

Size: 7.63 KB

patch

obsolete

>diff --git a/net/ocserv/Makefile b/net/ocserv/Makefile
>index b2875639ce3e..8a202bca6b9a 100644
>--- a/net/ocserv/Makefile
>+++ b/net/ocserv/Makefile
>@@ -2,8 +2,7 @@
> # $FreeBSD$
> 
> PORTNAME=	ocserv
>-PORTVERSION=	0.12.4
>-PORTREVISION=	2
>+PORTVERSION=	1.0.0
> CATEGORIES=	net net-vpn security
> MASTER_SITES=	ftp://ftp.infradead.org/pub/ocserv/
> 
>@@ -54,11 +53,12 @@ RADIUS_LIB_DEPENDS=	libradcli.so:net/radcli
> RADIUS_CONFIGURE_OFF=	--without-radius
> 
> post-patch:
>-	@${REINPLACE_CMD} 's|/usr/bin/ocserv-fw|${LOCALBASE}/bin/ocserv-fw|g' \
>+	@${REINPLACE_CMD} 's|/usr/bin/ocserv-fw|${PREFIX}/bin/ocserv-fw|g' \
> 		${WRKSRC}/src/main-user.c \
> 		${WRKSRC}/doc/sample.config
>-	@${REINPLACE_CMD} 's|/usr/bin/ocserv\\-fw|${LOCALBASE}/bin/ocserv\\-fw|g' \
>+	@${REINPLACE_CMD} 's|/usr/bin/ocserv\\-fw|${PREFIX}/bin/ocserv\\-fw|g' \
> 		${WRKSRC}/doc/ocserv.8
>+	@${REINPLACE_CMD} 's|%%PREFIX%%|${PREFIX}|g' ${WRKSRC}/src/config.c
> 
> post-install:
> 	@${MKDIR} ${STAGEDIR}${PREFIX}/etc/ocserv
>diff --git a/net/ocserv/distinfo b/net/ocserv/distinfo
>index c14282c66ad5..c33db00e7d0d 100644
>--- a/net/ocserv/distinfo
>+++ b/net/ocserv/distinfo
>@@ -1,3 +1,3 @@
>-TIMESTAMP = 1562531995
>-SHA256 (ocserv-0.12.4.tar.xz) = 05c01effa8a7c2f022616fcb62bade4df51aa7f0035248671da12819d62cb185
>-SIZE (ocserv-0.12.4.tar.xz) = 763540
>+TIMESTAMP = 1585072635
>+SHA256 (ocserv-1.0.0.tar.xz) = 17440e78aadc800836824adb17088534740ebdce3e0cbd3a615fdbbd326b9e91
>+SIZE (ocserv-1.0.0.tar.xz) = 785020
>diff --git a/net/ocserv/files/ocserv.conf b/net/ocserv/files/ocserv.conf
>index cf0f1eebd140..490a6a81c9c4 100644
>--- a/net/ocserv/files/ocserv.conf
>+++ b/net/ocserv/files/ocserv.conf
>@@ -26,7 +26,7 @@
> # One entry must be listed per line, and 'ocpasswd' should be used
> # to generate password entries. The 'otp' suboption allows one to specify
> # an oath password file to be used for one time passwords; the format of
>-# the file is described in https://code.google.com/p/mod-authn-otp/wiki/UsersFile
>+# the file is described in https://github.com/archiecobbs/mod-authn-otp/wiki/UsersFile
> #
> # radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true,nas-identifier=name]:
> #  The radius option requires specifying freeradius-client configuration
>@@ -77,6 +77,10 @@ auth = "plain[passwd=./sample.passwd]"
> # hostname.
> #listen-host = [IP|HOSTNAME]
> 
>+# Use udp-listen-host to limit udp to specific IPs or to the IPs of a provided
>+# hostname. if not set, listen-host will be used
>+#udp-listen-host = [IP|HOSTNAME]
>+
> # When the server has a dynamic DNS address (that may change),
> # should set that to true to ask the client to resolve again on
> # reconnects.
>@@ -172,6 +176,16 @@ ca-cert = ../tests/certs/ca.pem
> ### failures during the reloading time.
> 
> 
>+# Whether to enable seccomp/Linux namespaces worker isolation. That restricts the number of
>+# system calls allowed to a worker process, in order to reduce damage from a
>+# bug in the worker process. It is available on Linux systems at a performance cost.
>+# The performance cost is roughly 2% overhead at transfer time (tested on a Linux 3.17.8).
>+# Note however, that process isolation is restricted to the specific libc versions
>+# the isolation was tested at. If you get random failures on worker processes, try
>+# disabling that option and report the failures you, along with system and debugging
>+# information at: https://gitlab.com/ocserv/ocserv/issues
>+isolate-workers = true
>+
> # A banner to be displayed on clients
> #banner = "Welcome"
> 
>@@ -391,7 +405,8 @@ rekey-method = ssl
> # client), OCSERV_NO_ROUTES, OCSERV_DNS (the DNS servers for this client),
> # will contain a space separated list of routes or DNS servers. A version
> # of these variables with the 4 or 6 suffix will contain only the IPv4 or
>-# IPv6 values.
>+# IPv6 values. The connect script must return zero as exit code, or the
>+# client connection will be refused.
> 
> # The disconnect script will receive the additional values: STATS_BYTES_IN,
> # STATS_BYTES_OUT, STATS_DURATION that contain a 64-bit counter of the bytes 
>@@ -566,7 +581,7 @@ no-route = 192.168.5.0/255.255.255.0
> #  keepalive, dpd, mobile-dpd, max-same-clients, tunnel-all-dns,
> #  restrict-user-to-routes, user-profile, cgroup, stats-report-time,
> #  mtu, idle-timeout, mobile-idle-timeout, restrict-user-to-ports,
>-#  and session-timeout.
>+#  split-dns and session-timeout.
> #
> # Note that the 'iroute' option allows one to add routes on the server
> # based on a user or group. The syntax depends on the input accepted
>diff --git a/net/ocserv/files/patch-src_config.c b/net/ocserv/files/patch-src_config.c
>index 46cdb1798c5b..437e31de7504 100644
>--- a/net/ocserv/files/patch-src_config.c
>+++ b/net/ocserv/files/patch-src_config.c
>@@ -5,7 +5,7 @@
>  
>  #define OLD_DEFAULT_CFG_FILE "/etc/ocserv.conf"
> -#define DEFAULT_CFG_FILE "/etc/ocserv/ocserv.conf"
>-+#define DEFAULT_CFG_FILE "/usr/local/etc/ocserv/conf"
>++#define DEFAULT_CFG_FILE "%%PREFIX%%/etc/ocserv/conf"
>  
>  static void print_version(void);
>  
>diff --git a/net/ocserv/files/patch-src_main-ban.c b/net/ocserv/files/patch-src_main-ban.c
>new file mode 100644
>index 000000000000..1018d8b381a5
>--- /dev/null
>+++ b/net/ocserv/files/patch-src_main-ban.c
>@@ -0,0 +1,19 @@
>+Commit c1428689: ban log: only log once when adding, not when
>+increasing score when already banned
>+
>+https://gitlab.com/openconnect/ocserv/-/commit/c142868909490e65acea22add83ff4e6237fb63a
>+
>+--- src/main-ban.c.orig	2020-03-24 20:04:58 UTC
>++++ src/main-ban.c
>+@@ -155,9 +155,9 @@ int add_ip_to_ban_list(main_server_st *s
>+ 	 * periodically polls the server */
>+ 	if (e->score < GETCONFIG(s)->max_ban_score) {
>+ 		e->expires = expiration;
>+-		print_msg = 0;
>+-	} else
>+ 		print_msg = 1;
>++	} else
>++		print_msg = 0;
>+ 
>+ 	/* prevent overflow */
>+ 	e->score = (e->score + score) > e->score ? (e->score + score) : (e->score);
>diff --git a/net/ocserv/files/patch-src_tun.c b/net/ocserv/files/patch-src_tun.c
>deleted file mode 100644
>index 6fe5ed5e6246..000000000000
>--- a/net/ocserv/files/patch-src_tun.c
>+++ /dev/null
>@@ -1,25 +0,0 @@
>---- src/tun.c.orig	2018-04-14 07:52:35 UTC
>-+++ src/tun.c
>-@@ -895,3 +895,22 @@ ssize_t tun_read(int sockfd, void *buf, size_t len)
>- 	return read(sockfd, buf, len);
>- }
>- #endif
>-+
>-+#ifndef __FreeBSD__
>-+int tun_claim(int sockfd)
>-+{
>-+
>-+	return (0);
>-+}
>-+#else
>-+/*
>-+ * FreeBSD has a mechanism by which a tunnel has a single controlling process,
>-+ * and only that one process may close it.  When the controlling process closes
>-+ * the tunnel, the state is torn down.
>-+ */
>-+int tun_claim(int sockfd)
>-+{
>-+
>-+	return (ioctl(sockfd, TUNSIFPID, 0));
>-+}
>-+#endif	/* !__FreeBSD__ */
>diff --git a/net/ocserv/files/patch-src_tun.h b/net/ocserv/files/patch-src_tun.h
>deleted file mode 100644
>index 0311177f3f78..000000000000
>--- a/net/ocserv/files/patch-src_tun.h
>+++ /dev/null
>@@ -1,9 +0,0 @@
>---- src/tun.h.orig	2018-01-13 18:43:41 UTC
>-+++ src/tun.h
>-@@ -35,5 +35,6 @@ struct tun_lease_st {
>- 
>- ssize_t tun_write(int sockfd, const void *buf, size_t len);
>- ssize_t tun_read(int sockfd, void *buf, size_t len);
>-+int tun_claim(int sockfd);
>- 
>- #endif
>diff --git a/net/ocserv/files/patch-src_worker-auth.c b/net/ocserv/files/patch-src_worker-auth.c
>deleted file mode 100644
>index f7e01eeed392..000000000000
>--- a/net/ocserv/files/patch-src_worker-auth.c
>+++ /dev/null
>@@ -1,14 +0,0 @@
>---- src/worker-auth.c.orig	2019-01-19 18:47:47 UTC
>-+++ src/worker-auth.c
>-@@ -605,7 +605,10 @@ static int recv_cookie_auth_reply(worker_st * ws)
>- 	case AUTH__REP__OK:
>- 		if (socketfd != -1) {
>- 			ws->tun_fd = socketfd;
>--
>-+			if (tun_claim(ws->tun_fd) != 0) {
>-+				ret = ERR_AUTH_FAIL;
>-+				goto cleanup;
>-+			}
>- 			if (msg->vname == NULL || msg->config == NULL || msg->user_name == NULL || msg->sid.len != sizeof(ws->sid)) {
>- 				ret = ERR_AUTH_FAIL;
>- 				goto cleanup;

Actions: View | Diff

Attachments on bug 245036: 212682