Diff below updates ocserv to 1.1.3. Changes: https://gitlab.com/openconnect/ocserv/-/blob/1.1.3/NEWS
Diff partly based on work from Marc West [0]. Changes to the port: - Drop patch that has been committed upstream Testing: - One new failing test because it uses socket_wrapper, which we don't have. Made a note in Makefile - Lightly run tested on amd64 Comments/OK? [0] https://marc.info/?l=openbsd-ports&m=161419622609410&w=2
diff --git Makefile Makefile
index c8002552ee2..b122fd7b203 100644
--- Makefile
+++ Makefile
@@ -2,11 +2,9 @@ COMMENT= server implementing the AnyConnect SSL VPN protocol
-DISTNAME= ocserv-1.1.1
+DISTNAME= ocserv-1.1.3
EXTRACT_SUFX= .tar.xz
-REVISION= 4
-
CATEGORIES= net
HOMEPAGE= https://ocserv.gitlab.io/www/
@@ -77,8 +75,8 @@ post-install:
for i in *.8.md; do ronn${MODRUBY_BINREV} -r $$i; done
${INSTALL_MAN} ${WRKSRC}/doc/*.8 ${PREFIX}/man/man8/
-# XXX server-cert-ed25519, and server-cert-rsa-pss are known to fail. These
-# tests use socket_wrapper, which is not in ports.
+# XXX server-cert-ed25519, server-cert-rsa-pss, owasp-headers are known to fail.
+# These tests use socket_wrapper, which is not in ports.
pre-test:
ln -fs ${LOCALBASE}/bin/gtimeout ${WRKDIR}/bin/timeout
ln -fs ${LOCALBASE}/bin/gsed ${WRKDIR}/bin/sed
diff --git distinfo distinfo
index 5cd4b4759c9..1cba0add06d 100644
--- distinfo
+++ distinfo
@@ -1,2 +1,2 @@
-SHA256 (ocserv-1.1.1.tar.xz) = nHqvRuU+KM+nvjKbGPOVHn6FEVP/aifpRklv1Ojldlo=
-SIZE (ocserv-1.1.1.tar.xz) = 818988
+SHA256 (ocserv-1.1.3.tar.xz) = GrcMbm6ja2E+jhcfwDtggcQxKkXuUswpWcBownMkEH4=
+SIZE (ocserv-1.1.3.tar.xz) = 833320
diff --git patches/patch-doc_sample_config patches/patch-doc_sample_config
index 82e5f8eaf69..1a57959de29 100644
--- patches/patch-doc_sample_config
+++ patches/patch-doc_sample_config
@@ -30,7 +30,7 @@ Index: doc/sample.config
# Accounting methods available:
# radius: can be combined with any authentication method, it provides
-@@ -110,8 +99,8 @@ udp-port = 443
+@@ -96,8 +85,8 @@ udp-port = 443
# The user the worker processes will be run as. This should be a dedicated
# unprivileged user (e.g., 'ocserv') and no other services should run as this
# user.
@@ -41,7 +41,7 @@ Index: doc/sample.config
# socket file used for IPC with occtl. You only need to set that,
# if you use more than a single servers.
-@@ -120,7 +109,7 @@ run-as-group = daemon
+@@ -106,7 +95,7 @@ run-as-group = daemon
# socket file used for server IPC (worker-main), will be appended with .PID
# It must be accessible within the chroot environment (if any), so it is best
# specified relatively to the chroot directory.
@@ -50,7 +50,7 @@ Index: doc/sample.config
# The default server directory. Does not require any devices present.
#chroot-dir = /var/lib/ocserv
-@@ -180,16 +169,6 @@ ca-cert = ../tests/certs/ca.pem
+@@ -166,16 +155,6 @@ ca-cert = ../tests/certs/ca.pem
### failures during the reloading time.
@@ -67,7 +67,7 @@ Index: doc/sample.config
# A banner to be displayed on clients after connection
#banner = "Welcome"
-@@ -350,9 +329,8 @@ min-reauth-time = 300
+@@ -341,9 +320,8 @@ min-reauth-time = 300
# Banning clients in ocserv works with a point system. IP addresses
# that get a score over that configured number are banned for
# min-reauth-time seconds. By default a wrong password attempt is 10 points,
@@ -79,7 +79,7 @@ Index: doc/sample.config
#
# Score banning cannot be reliably used when receiving proxied connections
# locally from an HTTP server (i.e., when listen-clear-file is used).
-@@ -366,7 +344,6 @@ ban-reset-time = 1200
+@@ -357,7 +335,6 @@ ban-reset-time = 1200
# In case you'd like to change the default points.
#ban-points-wrong-password = 10
#ban-points-connection = 1
@@ -87,16 +87,16 @@ Index: doc/sample.config
# Cookie timeout (in seconds)
# Once a client is authenticated he's provided a cookie with
-@@ -441,7 +418,7 @@ rekey-method = ssl
+@@ -432,7 +409,7 @@ rekey-method = ssl
use-occtl = true
# PID file. It can be overridden in the command line.
-pid-file = /var/run/ocserv.pid
+pid-file = ${LOCALSTATEDIR}/run/ocserv.pid
- # Set the protocol-defined priority (SO_PRIORITY) for packets to
- # be sent. That is a number from 0 to 6 with 0 being the lowest
-@@ -558,6 +535,11 @@ no-route = 192.168.5.0/255.255.255.0
+ # Log Level. It can be overridden in the command line with the -d option.
+ # All messages at the configure level and lower will be displayed.
+@@ -561,6 +538,11 @@ no-route = 192.168.5.0/255.255.255.0
# any other routes. In case of defaultroute, the no-routes are restricted.
# All the routes applied by ocserv can be reverted using /etc/ocserv/ocserv-fw
# --removeall. This option can be set globally or in the per-user configuration.
@@ -108,7 +108,7 @@ Index: doc/sample.config
#restrict-user-to-routes = true
# This option implies restrict-user-to-routes set to true. If set, the
-@@ -630,23 +612,6 @@ no-route = 192.168.5.0/255.255.255.0
+@@ -633,23 +615,6 @@ no-route = 192.168.5.0/255.255.255.0
# and '%{G}', if present will be replaced by the username and group name.
#proxy-url = http://example.com/
#proxy-url = http://example.com/%{U}/
diff --git patches/patch-src_main-ban_c patches/patch-src_main-ban_c
new file mode 100644
index 00000000000..bc853bc9019
--- /dev/null
+++ patches/patch-src_main-ban_c
@@ -0,0 +1,23 @@
+$OpenBSD$
+
+Index: src/main-ban.c
+--- src/main-ban.c.orig
++++ src/main-ban.c
+@@ -408,8 +408,8 @@ static bool test_local_ipv6(struct sockaddr_in6 * remo
+ unsigned index = 0;
+
+ for (index = 0; index < 4; index ++) {
+- uint32_t l = local->sin6_addr.s6_addr32[index] & network->sin6_addr.s6_addr32[index];
+- uint32_t r = remote->sin6_addr.s6_addr32[index] & network->sin6_addr.s6_addr32[index];
++ uint32_t l = local->sin6_addr.__u6_addr.__u6_addr32[index] & network->sin6_addr.__u6_addr.__u6_addr32[index];
++ uint32_t r = remote->sin6_addr.__u6_addr.__u6_addr32[index] & network->sin6_addr.__u6_addr.__u6_addr32[index];
+ if (l != r)
+ return false;
+ }
+@@ -448,4 +448,4 @@ void if_address_cleanup(main_server_st * s)
+
+ s->if_addresses = NULL;
+ s->if_addresses_count = 0;
+-}
+\ No newline at end of file
++}
diff --git patches/patch-src_tun_c patches/patch-src_tun_c
deleted file mode 100644
index 1ebd67992da..00000000000
--- patches/patch-src_tun_c
+++ /dev/null
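Review bot: The replacement in the inner hunk at test_local_ipv6 reaches into the OpenBSD union through `__u6_addr.__u6_addr32`, identifiers reserved for the implementation (double underscore), so the port now carries a patch that has to be re-checked against the system headers on every ocserv update; the enclosing function starts outside the hunk. The same masked comparison can be written over the portable `s6_addr` byte array, which every platform provides with the same layout, so no platform-specific member is needed: `for (index = 0; index < 16; index++) {`, `uint8_t l = local->sin6_addr.s6_addr[index] & network->sin6_addr.s6_addr[index];`, `uint8_t r = remote->sin6_addr.s6_addr[index] & network->sin6_addr.s6_addr[index];` with the `if (l != r)` check unchanged. Comparing byte-wise is equivalent because AND and equality act independently on each byte. Offered upstream, that form would let the port drop this patch the way this commit drops patch-src_tun_c, and since this check appears to decide whether a peer counts as local for ban scoring it is better kept in one shared, tested form than in a per-platform variant.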
@@ -1,45 +0,0 @@
-$OpenBSD: patch-src_tun_c,v 1.3 2021/02/11 21:28:19 sthen Exp $
-
-https://gitlab.com/openconnect/ocserv/-/issues/399
-https://gitlab.com/openconnect/ocserv/-/merge_requests/256
-
-From a2775715ec124bb463c854fa8c650581ef8ff713 Mon Sep 17 00:00:00 2001
-From: Jake S <jake.stenn...@uniserveteam.com>
-Date: Wed, 10 Feb 2021 22:17:46 +0000
-Subject: [PATCH] OpenBSD Devname changes
-
-Index: src/tun.c
---- src/tun.c.orig
-+++ src/tun.c
-@@ -555,15 +555,22 @@ static int os_open_tun(main_server_st * s, struct proc
- if (fd < 0)
- return fd;
-
-- /* get tun name */
-- ret = fstat(fd, &st);
-- if (ret < 0) {
-- e = errno;
-- mslog(s, NULL, LOG_ERR, "tun fd %d: stat: %s\n", fd, strerror(e));
-- close(fd);
-- return -1;
-- }
-- strlcpy(proc->tun_lease.name, devname(st.st_rdev, S_IFCHR), sizeof(proc->tun_lease.name));
-+#if defined(__OpenBSD__)
-+ /* OpenBSD's devname does not return the correct name if unit_nr>=4.
-+ * See https://gitlab.com/openconnect/ocserv/-/issues/399
-+ */
-+ snprintf(proc->tun_lease.name, sizeof(proc->tun_lease.name), "tun%d", unit_nr);
-+#else
-+ /* get tun name */
-+ ret = fstat(fd, &st);
-+ if (ret < 0) {
-+ e = errno;
-+ mslog(s, NULL, LOG_ERR, "tun fd %d: stat: %s\n", fd, strerror(e));
-+ close(fd);
-+ return -1;
-+ }
-+ strlcpy(proc->tun_lease.name, devname(st.st_rdev, S_IFCHR), sizeof(proc->tun_lease.name));
-+#endif
-
- if (fd >= 0) {
- int i, e, ret;