On Mon 01/01/2024 08:34, Bjorn Ketelaars wrote: > On Sun 31/12/2023 23:05, Dylan D'Silva wrote: > > Hello Bjorn, > > > > Any chance of getting an update to ocserv? > > Latest is 1.2.3. > > > > Thanks > > Dylan > > (CC'ed to ports@ for some exposure) > > Diff below updates ocserv to 1.2.3. Overview on changes can be found on > https://gitlab.com/openconnect/ocserv/-/blob/0f5ba83f762bed11815d1dd37c37dcc6d1cd26d1/NEWS > > Synced patches (several did not apply cleanly), and changed > AUTOCONF_VERSION to 2.71 to get rid of a warning. No new failing tests > while running 'make test'. > > I stopped using ocserv some time ago so testing is limited to building > and running 'make test'. Before committing this it would be helpful if > actual users test this update, and report back. > > Comments?
Ping? Diff enclosed again for you convenience.
diff --git Makefile Makefile
index 3e6077b19b1..1041430bb21 100644
--- Makefile
+++ Makefile
@@ -1,8 +1,7 @@
 COMMENT= server implementing the AnyConnect SSL VPN protocol
 
-DISTNAME= ocserv-1.1.6
+DISTNAME= ocserv-1.2.3
 EXTRACT_SUFX= .tar.xz
-REVISION= 2
 
 CATEGORIES= net
 
@@ -46,7 +45,7 @@ CONFIGURE_ARGS= --disable-namespaces \
 CONFIGURE_ENV= CPPFLAGS="-I${LOCALBASE}/include" \
 LDFLAGS="-L${LOCALBASE}/lib"
 
-AUTOCONF_VERSION= 2.69
+AUTOCONF_VERSION= 2.71
 
 post-extract:
 find ${WRKSRC}/tests -type f -perm -+x -exec \
@@ -65,7 +64,7 @@ post-install:
 ${INSTALL_DATA_DIR} ${PREFIX}/share/examples/ocserv
 cd ${WRKSRC}/doc; ${INSTALL_DATA} profile.xml sample.passwd \
 ${PREFIX}/share/examples/ocserv/
- mv ${PREFIX}/bin/ocserv-fw ${PREFIX}/share/examples/ocserv/
+ mv ${PREFIX}/libexec/ocserv-fw ${PREFIX}/share/examples/ocserv/
 ${SUBST_CMD} -c -m ${SHAREMODE} -o ${SHAREOWN} -g ${SHAREGRP} \
 ${WRKSRC}/doc/sample.config \
 ${PREFIX}/share/examples/ocserv/sample.config
diff --git distinfo distinfo
index 16c7a6c526b..5af47ccb0fe 100644
--- distinfo
+++ distinfo
@@ -1,2 +1,2 @@
-SHA256 (ocserv-1.1.6.tar.xz) = amy+kiEuMigEJqUcY0rcPUgDV53QSc/bfgFHFMyCxpM=
-SIZE (ocserv-1.1.6.tar.xz) = 839744
+SHA256 (ocserv-1.2.3.tar.xz) = Bs4Py1moszuNZdblUd4rXvd7fqZBuHyqZUpe6cSfG78=
+SIZE (ocserv-1.2.3.tar.xz) = 757484
diff --git patches/patch-configure_ac patches/patch-configure_ac
index 57995c43ca3..2ebaa85895b 100644
--- patches/patch-configure_ac
+++ patches/patch-configure_ac
@@ -1,7 +1,7 @@
 Index: configure.ac
 --- configure.ac.orig
 +++ configure.ac
-@@ -222,7 +222,7 @@ if test "$test_for_geoip" = yes && test "$have_maxmind
+@@ -219,7 +219,7 @@ if test "$test_for_geoip" = yes && test "$have_maxmind
  fi
  
  have_readline=no
diff --git patches/patch-doc_sample_config patches/patch-doc_sample_config
index e509136066d..60a4aea8589 100644
--- patches/patch-doc_sample_config
+++ patches/patch-doc_sample_config
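Review bot: The post-install `mv` now takes ocserv-fw from ${PREFIX}/libexec and parks it under share/examples/ocserv, while the 1.2.3 sample.config installed next to it (see the patches/patch-doc_sample_config hunk ending at `+# OpenBSD package notes:`) tells users the routes can be reverted with /usr/libexec/ocserv-fw, a path that will not exist in the package. Unless the OpenBSD package notes that follow in that patch already say where the script went, the patched sample.config should point at ${PREFIX}/share/examples/ocserv/ocserv-fw (the ${SUBST_CMD} run on the next lines of this hunk could substitute it), or the script should stay in libexec so the upstream comment remains true. A one-line comment above the `mv` recording why it is moved, e.g. `# ocserv-fw is an example only; not installed into PATH`, would also help the next updater — the reason is not stated anywhere in the hunk, so I am guessing it is because the script is Linux-specific.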
@@ -52,14 +52,14 @@ Index: doc/sample.config
 ### failures during the reloading time.
--# Whether to enable seccomp/Linux namespaces worker isolation. That restricts the number of
+-# Whether to enable seccomp/Linux namespaces worker isolation. That restricts the number of
 -# system calls allowed to a worker process, in order to reduce damage from a
 -# bug in the worker process. It is available on Linux systems at a performance cost.
 -# The performance cost is roughly 2% overhead at transfer time (tested on a Linux 3.17.8).
 -# Note however, that process isolation is restricted to the specific libc versions
 -# the isolation was tested at. If you get random failures on worker processes, try
 -# disabling that option and report the failures you, along with system and debugging
--# information at: https://gitlab.com/ocserv/ocserv/issues
+-# information at: https://gitlab.com/openconnect/ocserv/issues
 -isolate-workers = true
 -
  # A banner to be displayed on clients after connection
@@ -94,11 +94,11 @@ Index: doc/sample.config
 -pid-file = /var/run/ocserv.pid
 +pid-file = ${LOCALSTATEDIR}/run/ocserv.pid
  
- # Log Level. It can be overridden in the command line with the -d option.
- # All messages at the configure level and lower will be displayed.
-@@ -563,6 +540,11 @@ no-route = 192.168.5.0/255.255.255.0
+ # Log Level. Ocserv sends the logging messages to standard error
+ # as well as the system log. The log level can be overridden in the
+@@ -568,6 +545,11 @@ no-route = 192.168.5.0/255.255.255.0
  # any other routes. In case of defaultroute, the no-routes are restricted.
- # All the routes applied by ocserv can be reverted using /etc/ocserv/ocserv-fw
+ # All the routes applied by ocserv can be reverted using /usr/libexec/ocserv-fw
  # --removeall. This option can be set globally or in the per-user configuration.
 +#
 +# OpenBSD package notes:
@@ -108,7 +108,7 @@ Index: doc/sample.config
  #restrict-user-to-routes = true
  
  # This option implies restrict-user-to-routes set to true. If set, the
-@@ -635,23 +617,6 @@ no-route = 192.168.5.0/255.255.255.0
+@@ -640,23 +622,6 @@ no-route = 192.168.5.0/255.255.255.0
  # and '%{G}', if present will be replaced by the username and group name.
  #proxy-url = http://example.com/
  #proxy-url = http://example.com/%{U}/
@@ -123,7 +123,7 @@ Index: doc/sample.config
 -# }
 -# In some distributions the krb5-k5tls plugin of kinit is required.
 -#
--# The following option is available in ocserv, when compiled with GSSAPI support.
+-# The following option is available in ocserv, when compiled with GSSAPI support.
 -
 -#kkdcp = "SERVER-PATH KERBEROS-REALM PROTOCOL@SERVER:PORT"
 -#kkdcp = "/KdcProxy KERBEROS.REALM udp@127.0.0.1:88"
diff --git patches/patch-src_main-ban_c patches/patch-src_main-ban_c
index 1a26d4a0ef9..04fb867bbbb 100644
--- patches/patch-src_main-ban_c
+++ patches/patch-src_main-ban_c
@@ -1,21 +1,14 @@
 Index: src/main-ban.c
 --- src/main-ban.c.orig
 +++ src/main-ban.c
-@@ -408,8 +408,8 @@ static bool test_local_ipv6(struct sockaddr_in6 * remo
+@@ -407,8 +407,8 @@ static bool test_local_ipv6(struct sockaddr_in6 * remo
  unsigned index = 0;
- 
+ 
  for (index = 0; index < 4; index ++) {
 - uint32_t l = local->sin6_addr.s6_addr32[index] & network->sin6_addr.s6_addr32[index];
 - uint32_t r = remote->sin6_addr.s6_addr32[index] & network->sin6_addr.s6_addr32[index];
 + uint32_t l = local->sin6_addr.__u6_addr.__u6_addr32[index] & network->sin6_addr.__u6_addr.__u6_addr32[index];
 + uint32_t r = remote->sin6_addr.__u6_addr.__u6_addr32[index] & network->sin6_addr.__u6_addr.__u6_addr32[index];
- if (l != r)
+ if (l != r)
  return false;
  }
-@@ -448,4 +448,4 @@ void if_address_cleanup(main_server_st * s)
- 
- s->if_addresses = NULL;
- s->if_addresses_count = 0;
--}
-\ No newline at end of file
-+}
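Review bot: The replacement lines in patch-src_main-ban_c reach into OpenBSD's private `__u6_addr.__u6_addr32` union member, and the patch file carries no header comment explaining why (OpenBSD patch files conventionally open with one). As far as I recall, the `s6_addr32` alias in OpenBSD's <netinet/in6.h> is only defined under _KERNEL, which is why the upstream lines fail to compile in userland; that deserves a line above `Index: src/main-ban.c`, e.g. `s6_addr32 is kernel-only on OpenBSD; use the underlying union member directly.` The portable alternative would be to mask and compare the standard `s6_addr` byte array instead, but that rewrites an upstream function and the minimal local patch is the right call for a port. test_local_ipv6's body continues outside the hunk, so the masking loop's remaining lines were not checked here.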
diff --git patches/patch-src_occtl_occtl_c patches/patch-src_occtl_occtl_c
index 9f3ef714c77..42aef789566 100644
--- patches/patch-src_occtl_occtl_c
+++ patches/patch-src_occtl_occtl_c
@@ -1,7 +1,7 @@
 Index: src/occtl/occtl.c
 --- src/occtl/occtl.c.orig
 +++ src/occtl/occtl.c
-@@ -264,7 +264,7 @@ static int handle_help_cmd(CONN_TYPE * conn, const cha
+@@ -260,7 +260,7 @@ static int handle_help_cmd(CONN_TYPE * conn, const cha
  static int handle_reset_cmd(CONN_TYPE * conn, const char *arg, cmd_params_st *params)
  {
  rl_reset_terminal(NULL);
diff --git patches/patch-src_occtl_time_c patches/patch-src_occtl_time_c
index 43ff537f893..afd8eb16800 100644
--- patches/patch-src_occtl_time_c
+++ patches/patch-src_occtl_time_c
@@ -1,19 +1,20 @@
 time_t is 64 bits on all OpenBSD (and NetBSD) arch; cast time values to a specific-width type to avoid problems on 32-bit arch
 
---- src/occtl/time.c.orig Sun Mar 6 09:44:05 2016
-+++ src/occtl/time.c Sat Mar 19 14:25:48 2016
+Index: src/occtl/time.c
+--- src/occtl/time.c.orig
++++ src/occtl/time.c
 @@ -36,7 +36,7 @@ void print_time_ival7(char output[MAX_TMPSTR_SIZE], ti
  {
  time_t t = t1 - t2;
  
-- if ((long)t < (long)0) {
-+ if ((long long)t < (long long)0) {
+- if ((long)t < 0) {
++ if ((long long)t < 0) {
  /* system clock changed? */
  snprintf(output, MAX_TMPSTR_SIZE, " ? ");
  return;
 @@ -44,17 +44,17 @@ void print_time_ival7(char output[MAX_TMPSTR_SIZE], ti
- 
+ 
  if (t >= 48 * 60 * 60) /* 2 days or more */
  - snprintf(output, MAX_TMPSTR_SIZE, _("%2ludays"), (long)t / (24 * 60 * 60));
diff --git patches/patch-src_ocpasswd_ocpasswd_c patches/patch-src_ocpasswd_ocpasswd_c
index f0a0398ce8f..7f44b7711c7 100644
--- patches/patch-src_ocpasswd_ocpasswd_c
+++ patches/patch-src_ocpasswd_ocpasswd_c
@@ -4,18 +4,15 @@ support SHA2 ($5$ hashes) and has removed support for MD5 ($1$).
 Index: src/ocpasswd/ocpasswd.c
 --- src/ocpasswd/ocpasswd.c.orig
 +++ src/ocpasswd/ocpasswd.c
-@@ -26,6 +26,10 @@
- #ifndef _XOPEN_SOURCE
- # define _XOPEN_SOURCE
- #endif
-+#ifndef __BSD_VISIBLE
-+# define __BSD_VISIBLE
-+#endif
+@@ -23,6 +23,7 @@
+ #include <string.h>
+ #include <stdlib.h>
+ #include <stdint.h>
 +#include <pwd.h>
  #include <unistd.h>
  #include <gnutls/gnutls.h>
  #include <gnutls/crypto.h> /* for random */
-@@ -52,9 +56,8 @@ static void
+@@ -46,9 +47,8 @@ static void
  crypt_int(const char *fpasswd, const char *username,
  const char *groupname, const char *passwd)
  {
@@ -27,15 +24,15 @@ Index: src/ocpasswd/ocpasswd.c
  char *tmp_passwd;
  unsigned i;
  unsigned fpasswd_len = strlen(fpasswd);
-@@ -67,36 +70,8 @@ crypt_int(const char *fpasswd, const char *username, c
- ssize_t len, l;
- int ret;
+@@ -64,36 +64,8 @@ crypt_int(const char *fpasswd, const char *username, c
+ setlocale(LC_CTYPE, "C");
+ setlocale(LC_COLLATE, "C");
  
 - ret = gnutls_rnd(GNUTLS_RND_NONCE, _salt, sizeof(_salt));
 - if (ret < 0) {
 - fprintf(stderr, "Error generating nonce: %s\n",
 - gnutls_strerror(ret));
-- exit(1);
-+ exit(EXIT_FAILURE);
 - }
 -
 -#ifdef TRY_SHA2_CRYPT
@@ -63,6 +60,6 @@ Index: src/ocpasswd/ocpasswd.c
 - fprintf(stderr, "Error in crypt().\n");
 + if (crypt_newhash(passwd, "blowfish,a", cr_passwd, sizeof(cr_passwd)) != 0) {
 + fprintf(stderr, "Error in crypt_newhash().\n");
- exit(1);
+ exit(EXIT_FAILURE);
  }
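Review bot: The patch header for patch-src_ocpasswd_ocpasswd_c (its first lines sit above the `@@ -4,18 +4,15 @@` hunk) only explains what OpenBSD's crypt(3) does not support; it should also state that the gnutls_rnd() salt block is deleted because crypt_newhash(3) generates its own salt and chooses the bcrypt cost itself when given `"blowfish,a"`, and that `+#include <pwd.h>` is added because that is where OpenBSD declares the crypt_newhash prototype (which is what the removed `__BSD_VISIBLE` define used to expose). Separately, as rendered here the line `-+ exit(EXIT_FAILURE);` in the `@@ -27,15 +24,15 @@` hunk would make the old side one line longer than the header's 15, so it is presumably a `+-` line mangled in transit rather than a real removal; worth confirming the patch applies cleanly before committing. The `@@ -63,6 +60,6 @@` hunk's trailing context may run past what is shown here, so the error path after `exit(EXIT_FAILURE)` was not reviewed.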