On Mon 01/01/2024 08:34, Bjorn Ketelaars wrote:
> On Sun 31/12/2023 23:05, Dylan D'Silva wrote:
> > Hello Bjorn,
> > 
> > Any change of getting a update to ocserv?
> > Latest is 1.2.3.
> > 
> > Thanks
> > Dylan
> 
> (CC'ed to ports@ for some exposure)
> 
> Diff below updates ocserv to 1.2.3. Overview on changes can be found on
> https://gitlab.com/openconnect/ocserv/-/blob/0f5ba83f762bed11815d1dd37c37dcc6d1cd26d1/NEWS
> 
> Synced patches (several did not apply cleanly), and changed
> AUTOCONF_VERSION to 2.71 to get rid of a warning. No new failing tests
> while running 'make test'.
> 
> I stopped using ocserv some time ago so testing is limited to building
> and running 'make test'. Before committing this it would be helpful if
> actual users test this update, and report back.
> 
> Comments?

Ping?

Diff enclosed again for your convenience.


diff --git Makefile Makefile
index 3e6077b19b1..1041430bb21 100644
--- Makefile
+++ Makefile
@@ -1,8 +1,7 @@
 COMMENT=       server implementing the AnyConnect SSL VPN protocol
 
-DISTNAME=      ocserv-1.1.6
+DISTNAME=      ocserv-1.2.3
 EXTRACT_SUFX=  .tar.xz
-REVISION=      2
 
 CATEGORIES=    net
 
@@ -46,7 +45,7 @@ CONFIGURE_ARGS=               --disable-namespaces \
 CONFIGURE_ENV= CPPFLAGS="-I${LOCALBASE}/include" \
                LDFLAGS="-L${LOCALBASE}/lib"
 
-AUTOCONF_VERSION=      2.69
+AUTOCONF_VERSION=      2.71
 
 post-extract:
        find ${WRKSRC}/tests -type f -perm -+x -exec \
@@ -65,7 +64,7 @@ post-install:
        ${INSTALL_DATA_DIR} ${PREFIX}/share/examples/ocserv
        cd ${WRKSRC}/doc; ${INSTALL_DATA} profile.xml sample.passwd \
            ${PREFIX}/share/examples/ocserv/
-       mv ${PREFIX}/bin/ocserv-fw ${PREFIX}/share/examples/ocserv/
+       mv ${PREFIX}/libexec/ocserv-fw ${PREFIX}/share/examples/ocserv/
        ${SUBST_CMD} -c -m ${SHAREMODE} -o ${SHAREOWN} -g ${SHAREGRP} \
            ${WRKSRC}/doc/sample.config \
            ${PREFIX}/share/examples/ocserv/sample.config
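Review bot: The `mv` in this post-install hunk takes ocserv-fw out of `${PREFIX}/libexec`, yet the sample.config context synced in patches/patch-doc_sample_config now tells administrators that routes can be reverted with `/usr/libexec/ocserv-fw --removeall`, a path the package does not populate. If the server still looks for the script at its libexec path when `restrict-user-to-routes` is set, that option would presumably not be enforced, and an operator relying on it to confine VPN users would not get the restriction; this is inferred, not shown in the diff. The "OpenBSD package notes" block starts right after that comment but its text lies outside the visible hunk, so please confirm it states this explicitly. A one-line comment above the `mv` recording why the script ships only as an example would also help; the post-install target itself begins outside the hunk.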
diff --git distinfo distinfo
index 16c7a6c526b..5af47ccb0fe 100644
--- distinfo
+++ distinfo
@@ -1,2 +1,2 @@
-SHA256 (ocserv-1.1.6.tar.xz) = amy+kiEuMigEJqUcY0rcPUgDV53QSc/bfgFHFMyCxpM=
-SIZE (ocserv-1.1.6.tar.xz) = 839744
+SHA256 (ocserv-1.2.3.tar.xz) = Bs4Py1moszuNZdblUd4rXvd7fqZBuHyqZUpe6cSfG78=
+SIZE (ocserv-1.2.3.tar.xz) = 757484
diff --git patches/patch-configure_ac patches/patch-configure_ac
index 57995c43ca3..2ebaa85895b 100644
--- patches/patch-configure_ac
+++ patches/patch-configure_ac
@@ -1,7 +1,7 @@
 Index: configure.ac
 --- configure.ac.orig
 +++ configure.ac
-@@ -222,7 +222,7 @@ if test "$test_for_geoip" = yes && test "$have_maxmind
+@@ -219,7 +219,7 @@ if test "$test_for_geoip" = yes && test "$have_maxmind
  fi
  
  have_readline=no
diff --git patches/patch-doc_sample_config patches/patch-doc_sample_config
index e509136066d..60a4aea8589 100644
--- patches/patch-doc_sample_config
+++ patches/patch-doc_sample_config
@@ -52,14 +52,14 @@ Index: doc/sample.config
  ### failures during the reloading time.
  
  
--# Whether to enable seccomp/Linux namespaces worker isolation. That restricts 
the number of 
+-# Whether to enable seccomp/Linux namespaces worker isolation. That restricts 
the number of
 -# system calls allowed to a worker process, in order to reduce damage from a
 -# bug in the worker process. It is available on Linux systems at a 
performance cost.
 -# The performance cost is roughly 2% overhead at transfer time (tested on a 
Linux 3.17.8).
 -# Note however, that process isolation is restricted to the specific libc 
versions
 -# the isolation was tested at. If you get random failures on worker 
processes, try
 -# disabling that option and report the failures you, along with system and 
debugging
--# information at: https://gitlab.com/ocserv/ocserv/issues
+-# information at: https://gitlab.com/openconnect/ocserv/issues
 -isolate-workers = true
 -
  # A banner to be displayed on clients after connection
@@ -94,11 +94,11 @@ Index: doc/sample.config
 -pid-file = /var/run/ocserv.pid
 +pid-file = ${LOCALSTATEDIR}/run/ocserv.pid
  
- # Log Level. It can be overridden in the command line with the -d option.
- # All messages at the configure level and lower will be displayed.
-@@ -563,6 +540,11 @@ no-route = 192.168.5.0/255.255.255.0
+ # Log Level. Ocserv sends the logging messages to standard error
+ # as well as the system log. The log level can be overridden in the
+@@ -568,6 +545,11 @@ no-route = 192.168.5.0/255.255.255.0
  # any other routes. In case of defaultroute, the no-routes are restricted.
- # All the routes applied by ocserv can be reverted using /etc/ocserv/ocserv-fw
+ # All the routes applied by ocserv can be reverted using 
/usr/libexec/ocserv-fw
  # --removeall. This option can be set globally or in the per-user 
configuration.
 +#
 +# OpenBSD package notes:
@@ -108,7 +108,7 @@ Index: doc/sample.config
  #restrict-user-to-routes = true
  
  # This option implies restrict-user-to-routes set to true. If set, the
-@@ -635,23 +617,6 @@ no-route = 192.168.5.0/255.255.255.0
+@@ -640,23 +622,6 @@ no-route = 192.168.5.0/255.255.255.0
  # and '%{G}', if present will be replaced by the username and group name.
  #proxy-url = http://example.com/
  #proxy-url = http://example.com/%{U}/
@@ -123,7 +123,7 @@ Index: doc/sample.config
 -#   }
 -# In some distributions the krb5-k5tls plugin of kinit is required.
 -#
--# The following option is available in ocserv, when compiled with GSSAPI 
support. 
+-# The following option is available in ocserv, when compiled with GSSAPI 
support.
 -
 -#kkdcp = "SERVER-PATH KERBEROS-REALM PROTOCOL@SERVER:PORT"
 -#kkdcp = "/KdcProxy KERBEROS.REALM udp@127.0.0.1:88"
diff --git patches/patch-src_main-ban_c patches/patch-src_main-ban_c
index 1a26d4a0ef9..04fb867bbbb 100644
--- patches/patch-src_main-ban_c
+++ patches/patch-src_main-ban_c
@@ -1,21 +1,14 @@
 Index: src/main-ban.c
 --- src/main-ban.c.orig
 +++ src/main-ban.c
-@@ -408,8 +408,8 @@ static bool test_local_ipv6(struct sockaddr_in6 * remo
+@@ -407,8 +407,8 @@ static bool test_local_ipv6(struct sockaddr_in6 * remo
        unsigned index = 0;
-       
+ 
        for (index = 0; index < 4; index ++) {
 -              uint32_t l = local->sin6_addr.s6_addr32[index] & 
network->sin6_addr.s6_addr32[index];
 -              uint32_t r = remote->sin6_addr.s6_addr32[index] & 
network->sin6_addr.s6_addr32[index];
 +              uint32_t l = local->sin6_addr.__u6_addr.__u6_addr32[index] & 
network->sin6_addr.__u6_addr.__u6_addr32[index];
 +              uint32_t r = remote->sin6_addr.__u6_addr.__u6_addr32[index] & 
network->sin6_addr.__u6_addr.__u6_addr32[index];
-               if (l != r) 
+               if (l != r)
                        return false;
        }
-@@ -448,4 +448,4 @@ void if_address_cleanup(main_server_st * s)
- 
-       s->if_addresses = NULL;
-       s->if_addresses_count = 0;
--}
-\ No newline at end of file
-+}
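Review bot: The replacement lines in test_local_ipv6 reach into `sin6_addr.__u6_addr.__u6_addr32`, which are implementation-reserved member names from the system header, and this patch file has no description line saying why, unlike patches/patch-src_occtl_time_c. The loop appears to decide whether a remote address shares a network with a local one in the ban code, so a quiet break after a header change would matter for security and the reason should be written down. I would add a line above `Index: src/main-ban.c`, for example `s6_addr32 is not exposed to userland here; access the union member directly` (wording to be confirmed by the maintainer). Copying each 32-bit word out of the standard `s6_addr` byte array with `memcpy` would avoid the reserved names altogether and could be offered upstream. The function body begins and ends outside the hunk.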
diff --git patches/patch-src_occtl_occtl_c patches/patch-src_occtl_occtl_c
index 9f3ef714c77..42aef789566 100644
--- patches/patch-src_occtl_occtl_c
+++ patches/patch-src_occtl_occtl_c
@@ -1,7 +1,7 @@
 Index: src/occtl/occtl.c
 --- src/occtl/occtl.c.orig
 +++ src/occtl/occtl.c
-@@ -264,7 +264,7 @@ static int handle_help_cmd(CONN_TYPE * conn, const cha
+@@ -260,7 +260,7 @@ static int handle_help_cmd(CONN_TYPE * conn, const cha
  static int handle_reset_cmd(CONN_TYPE * conn, const char *arg, cmd_params_st 
*params)
  {
        rl_reset_terminal(NULL);
diff --git patches/patch-src_occtl_time_c patches/patch-src_occtl_time_c
index 43ff537f893..afd8eb16800 100644
--- patches/patch-src_occtl_time_c
+++ patches/patch-src_occtl_time_c
@@ -1,19 +1,20 @@
 time_t is 64 bits on all OpenBSD (and NetBSD) arch; cast time values
 to a specific-width type to avoid problems on 32-bit arch
 
---- src/occtl/time.c.orig      Sun Mar  6 09:44:05 2016
-+++ src/occtl/time.c   Sat Mar 19 14:25:48 2016
+Index: src/occtl/time.c
+--- src/occtl/time.c.orig
++++ src/occtl/time.c
 @@ -36,7 +36,7 @@ void print_time_ival7(char output[MAX_TMPSTR_SIZE], ti
  {
        time_t t = t1 - t2;
  
--      if ((long)t < (long)0) {
-+      if ((long long)t < (long long)0) {
+-      if ((long)t < 0) {
++      if ((long long)t < 0) {
                /* system clock changed? */
                snprintf(output, MAX_TMPSTR_SIZE, "   ?   ");
                return;
 @@ -44,17 +44,17 @@ void print_time_ival7(char output[MAX_TMPSTR_SIZE], ti
-       
+ 
        if (t >= 48 * 60 * 60)
                /* 2 days or more */
 -              snprintf(output, MAX_TMPSTR_SIZE, _("%2ludays"), (long)t / (24 
* 60 * 60));
diff --git patches/patch-src_ocpasswd_ocpasswd_c 
patches/patch-src_ocpasswd_ocpasswd_c
index f0a0398ce8f..7f44b7711c7 100644
--- patches/patch-src_ocpasswd_ocpasswd_c
+++ patches/patch-src_ocpasswd_ocpasswd_c
@@ -4,18 +4,15 @@ support SHA2 ($5$ hashes) and has removed support for MD5 
($1$).
 Index: src/ocpasswd/ocpasswd.c
 --- src/ocpasswd/ocpasswd.c.orig
 +++ src/ocpasswd/ocpasswd.c
-@@ -26,6 +26,10 @@
- #ifndef _XOPEN_SOURCE
- # define _XOPEN_SOURCE
- #endif
-+#ifndef __BSD_VISIBLE
-+# define __BSD_VISIBLE
-+#endif
+@@ -23,6 +23,7 @@
+ #include <string.h>
+ #include <stdlib.h>
+ #include <stdint.h>
 +#include <pwd.h>
  #include <unistd.h>
  #include <gnutls/gnutls.h>
  #include <gnutls/crypto.h>    /* for random */
-@@ -52,9 +56,8 @@ static void
+@@ -46,9 +47,8 @@ static void
  crypt_int(const char *fpasswd, const char *username, const char *groupname,
          const char *passwd)
  {
@@ -27,15 +24,15 @@ Index: src/ocpasswd/ocpasswd.c
        char *tmp_passwd;
        unsigned i;
        unsigned fpasswd_len = strlen(fpasswd);
-@@ -67,36 +70,8 @@ crypt_int(const char *fpasswd, const char *username, c
-       ssize_t len, l;
-       int ret;
+@@ -64,36 +64,8 @@ crypt_int(const char *fpasswd, const char *username, c
+       setlocale(LC_CTYPE, "C");
+       setlocale(LC_COLLATE, "C");
  
 -      ret = gnutls_rnd(GNUTLS_RND_NONCE, _salt, sizeof(_salt));
 -      if (ret < 0) {
 -              fprintf(stderr, "Error generating nonce: %s\n",
 -                      gnutls_strerror(ret));
--              exit(1);
+-              exit(EXIT_FAILURE);
 -      }
 -
 -#ifdef TRY_SHA2_CRYPT
@@ -63,6 +60,6 @@ Index: src/ocpasswd/ocpasswd.c
 -              fprintf(stderr, "Error in crypt().\n");
 +      if (crypt_newhash(passwd, "blowfish,a", cr_passwd, sizeof(cr_passwd)) 
!= 0) {
 +              fprintf(stderr, "Error in crypt_newhash().\n");
-               exit(1);
+               exit(EXIT_FAILURE);
        }
  
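Review bot: The `crypt_newhash()` call sizes its output with `sizeof(cr_passwd)`, which is only right if `cr_passwd` is a true array of at least `_PASSWORD_LEN` bytes; its declaration is not in the visible context, so this should be checked in the part of crypt_int outside these hunks. The failure branch also prints a fixed string although crypt_newhash sets errno on failure; `fprintf(stderr, "Error in crypt_newhash(): %s\n", strerror(errno));` would tell the operator why hashing failed, provided `<errno.h>` is included, which is not visible here.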
