Hello,

Here is a security update for net/ocserv


[SECURITY] Fixed authentication bypass (medium severity) when using certificate authentication with cert-user-oid set to SAN(rfc822name): a client presenting a valid CA-signed certificate without the expected RFC822 SAN field could authenticate using password credentials alone, bypassing the intended certificate-to-username binding. Requires the attacker to possess both a valid CA-signed certificate and valid user credentials (#694)
    The bundled inih was updated to r62.
    The bundled protobuf-c was updated to 1.5.2.
    Fixed a bug where session timeout could be bypassed by reconnecting (e.g., closing/opening laptop lid) (#599)
    occtl: show user command now includes a Session started at: field, indicating when the VPN session was established
    occtl: Fix column misalignment in ban command outputs
    occtl: Fix show ip bans may produce invalid JSON (#683)
    Handle dotted client hostnames (e.g., .local) by stripping the domain suffix
    Renamed min-reauth-time configuration option to ban-time to better reflect its purpose (#676). This option defines the duration (in seconds) for which an IP address is banned after exceeding the maximum allowed max-ban-score. Default is 300 seconds (5 minutes).
    Fixed ocserv-worker process title
    Fixed ignored udp-port in vhost (#612)

Tested on amd64

Best Regards
? patches/patch-src_valid-hostname_c
Index: Makefile
===================================================================
RCS file: /cvs/ports/net/ocserv/Makefile,v
diff -u -p -r1.63 Makefile
--- Makefile	23 Jan 2026 08:27:41 -0000	1.63
+++ Makefile	3 Mar 2026 07:47:47 -0000
@@ -1,6 +1,6 @@
 COMMENT=	server implementing the AnyConnect SSL VPN protocol
 
-VERSION = 	1.4.0
+VERSION = 	1.4.1
 DISTNAME=	ocserv-${VERSION}
 EXTRACT_SUFX=	.tar.gz
 
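Review bot: The submitted diff is incomplete: the `? patches/patch-src_valid-hostname_c` status line above the Makefile hunk means that file is untracked, and `cvs diff` does not emit untracked files, so the new patch is not part of what is being reviewed or what gets applied from this mail. It presumably belongs to the dotted-hostname (.local suffix stripping) change listed in the changelog, but that cannot be confirmed without its contents. Please attach the new patch file (or run `cvs add` on it and regenerate the diff) so the full 1.4.1 update, including that patch, can be reviewed together with the version and distinfo bumps.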
Index: distinfo
===================================================================
RCS file: /cvs/ports/net/ocserv/distinfo,v
diff -u -p -r1.38 distinfo
--- distinfo	23 Jan 2026 08:27:41 -0000	1.38
+++ distinfo	3 Mar 2026 07:47:47 -0000
@@ -1,2 +1,2 @@
-SHA256 (ocserv-1.4.0.tar.gz) = aNMiF/MK9GC1M1i5naYrF0eQ2Lf/8uU+Fk3s7OkHeMI=
-SIZE (ocserv-1.4.0.tar.gz) = 613326
+SHA256 (ocserv-1.4.1.tar.gz) = FLFliq3LxCVXOw43oqYcDe8CKXO++kSzprTtsoS/ROo=
+SIZE (ocserv-1.4.1.tar.gz) = 617990
Index: patches/patch-doc_sample_config
===================================================================
RCS file: /cvs/ports/net/ocserv/patches/patch-doc_sample_config,v
diff -u -p -r1.28 patch-doc_sample_config
--- patches/patch-doc_sample_config	22 Nov 2024 15:33:04 -0000	1.28
+++ patches/patch-doc_sample_config	3 Mar 2026 07:47:47 -0000
@@ -65,10 +65,10 @@ Index: doc/sample.config
  # A banner to be displayed on clients after connection
  #banner = "Welcome"
  
-@@ -347,10 +326,9 @@ min-reauth-time = 300
+@@ -343,10 +322,9 @@ auth-timeout = 240
  # Banning clients in ocserv works with a point system. IP addresses
  # that get a score over that configured number are banned for
- # min-reauth-time seconds. By default a wrong password attempt is 10 points,
+ # ban-time seconds. By default a wrong password attempt is 10 points,
 -# a KKDCP POST is 1 point, and a connection is 1 point. Note that
 -# due to different processes being involved the count of points
 -# will not be real-time precise. Local subnet IPs are exempt to allow
Index: patches/patch-src_main-ban_c
===================================================================
RCS file: /cvs/ports/net/ocserv/patches/patch-src_main-ban_c,v
diff -u -p -r1.4 patch-src_main-ban_c
--- patches/patch-src_main-ban_c	23 Jan 2026 08:27:41 -0000	1.4
+++ patches/patch-src_main-ban_c	3 Mar 2026 07:47:47 -0000
@@ -3,7 +3,7 @@ Index: src/main-ban.c
 +++ src/main-ban.c
 @@ -447,10 +447,10 @@ static bool test_local_ipv6(struct sockaddr_in6 *remot
  	unsigned int index = 0;
- 
+
  	for (index = 0; index < 4; index++) {
 -		uint32_t l = local->sin6_addr.s6_addr32[index] &
 -			     network->sin6_addr.s6_addr32[index];
@@ -13,6 +13,6 @@ Index: src/main-ban.c
 +			     network->sin6_addr.__u6_addr.__u6_addr32[index];
 +		uint32_t r = remote->sin6_addr.__u6_addr.__u6_addr32[index] &
 +			     network->sin6_addr.__u6_addr.__u6_addr32[index];
- 
+
  		if (l != r)
  			return false;
Index: patches/patch-src_occtl_occtl_c
===================================================================
RCS file: /cvs/ports/net/ocserv/patches/patch-src_occtl_occtl_c,v
diff -u -p -r1.8 patch-src_occtl_occtl_c
--- patches/patch-src_occtl_occtl_c	23 Jan 2026 08:27:41 -0000	1.8
+++ patches/patch-src_occtl_occtl_c	3 Mar 2026 07:47:47 -0000
@@ -1,7 +1,7 @@
 Index: src/occtl/occtl.c
 --- src/occtl/occtl.c.orig
 +++ src/occtl/occtl.c
-@@ -262,7 +262,7 @@ static int handle_reset_cmd(CONN_TYPE *conn, const cha
+@@ -260,7 +260,7 @@ static int handle_reset_cmd(CONN_TYPE *conn, const cha
  			    cmd_params_st *params)
  {
  	rl_reset_terminal(NULL);
Index: patches/patch-src_ocpasswd_ocpasswd_c
===================================================================
RCS file: /cvs/ports/net/ocserv/patches/patch-src_ocpasswd_ocpasswd_c,v
diff -u -p -r1.5 patch-src_ocpasswd_ocpasswd_c
--- patches/patch-src_ocpasswd_ocpasswd_c	23 Jan 2026 08:27:41 -0000	1.5
+++ patches/patch-src_ocpasswd_ocpasswd_c	3 Mar 2026 07:47:47 -0000
@@ -13,9 +13,9 @@ Index: src/ocpasswd/ocpasswd.c
  #include <gnutls/gnutls.h>
  #include <gnutls/crypto.h> /* for random */
 @@ -38,18 +39,12 @@
- 
+
  #define DEFAULT_OCPASSWD "/etc/ocserv/ocpasswd"
- 
+
 -static const char alphabet[] =
 -	"0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ./";
 -
@@ -33,10 +33,10 @@ Index: src/ocpasswd/ocpasswd.c
  	unsigned int fpasswd_len = strlen(fpasswd);
  	unsigned int tmp_passwd_len;
  	unsigned int username_len = strlen(username);
-@@ -63,36 +58,9 @@ static void crypt_int(const char *fpasswd, const char 
+@@ -63,36 +58,9 @@ static void crypt_int(const char *fpasswd, const char
  	setlocale(LC_CTYPE, "C");
  	setlocale(LC_COLLATE, "C");
- 
+
 -	ret = gnutls_rnd(GNUTLS_RND_NONCE, _salt, sizeof(_salt));
 -	if (ret < 0) {
 -		fprintf(stderr, "Error generating nonce: %s\n",
@@ -72,4 +72,4 @@ Index: src/ocpasswd/ocpasswd.c
 +		fprintf(stderr, "Error in crypt_newhash().\n");
  		exit(EXIT_FAILURE);
  	}
- 
+

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature
