Here is a minor update of net/ocserv from 1.1.1 to the latest
1.1.2 release. Diff is against -current, builds and runs fine on
amd64. I am running this in production on 6.8.
Changelog:
* Version 1.1.2 (released 2020-12-06)
- Allow setup of new DTLS session concurrent with old session (#359).
- Fixed an infinite loop on sec-mod crash when server-drain-ms is set
(#356)
- Don't apply BanIP checks to clients on the same subnet (#360)
- Don't attempt TLS if the client closes the connection with zero data
sent (#357)
- Increased the maximum configuration line length; this allows banner
messages longer than 200 characters (#364)
- Removed the listen-clear-file config option. This option was incompatible
with several clients, and thus is unusable for a generic server (#376)
Index: Makefile
===================================================================
RCS file: /cvs/ports/net/ocserv/Makefile,v
retrieving revision 1.47
diff -u -p -u -r1.47 Makefile
--- Makefile 11 Feb 2021 21:28:19 -0000 1.47
+++ Makefile 24 Feb 2021 02:24:40 -0000
@@ -2,10 +2,8 @@
COMMENT= server implementing the AnyConnect SSL VPN protocol
-DISTNAME= ocserv-1.1.1
+DISTNAME= ocserv-1.1.2
EXTRACT_SUFX= .tar.xz
-
-REVISION= 2
CATEGORIES= net
Index: distinfo
===================================================================
RCS file: /cvs/ports/net/ocserv/distinfo,v
retrieving revision 1.33
diff -u -p -u -r1.33 distinfo
--- distinfo 4 Oct 2020 14:36:12 -0000 1.33
+++ distinfo 24 Feb 2021 02:24:40 -0000
@@ -1,2 +1,2 @@
-SHA256 (ocserv-1.1.1.tar.xz) = nHqvRuU+KM+nvjKbGPOVHn6FEVP/aifpRklv1Ojldlo=
-SIZE (ocserv-1.1.1.tar.xz) = 818988
+SHA256 (ocserv-1.1.2.tar.xz) = iJzNvo5n07wryHE7f7tb1OeSKKvGBU6IhYy0rW0CRd0=
+SIZE (ocserv-1.1.2.tar.xz) = 824924
Index: patches/patch-doc_sample_config
===================================================================
RCS file: /cvs/ports/net/ocserv/patches/patch-doc_sample_config,v
retrieving revision 1.23
diff -u -p -u -r1.23 patch-doc_sample_config
--- patches/patch-doc_sample_config 4 Oct 2020 14:36:12 -0000 1.23
+++ patches/patch-doc_sample_config 24 Feb 2021 02:24:40 -0000
@@ -30,7 +30,7 @@ Index: doc/sample.config
# Accounting methods available:
# radius: can be combined with any authentication method, it provides
-@@ -110,8 +99,8 @@ udp-port = 443
+@@ -96,8 +85,8 @@ udp-port = 443
# The user the worker processes will be run as. This should be a dedicated
# unprivileged user (e.g., 'ocserv') and no other services should run as this
# user.
@@ -41,7 +41,7 @@ Index: doc/sample.config
# socket file used for IPC with occtl. You only need to set that,
# if you use more than a single servers.
-@@ -120,7 +109,7 @@ run-as-group = daemon
+@@ -106,7 +95,7 @@ run-as-group = daemon
# socket file used for server IPC (worker-main), will be appended with .PID
# It must be accessible within the chroot environment (if any), so it is best
# specified relatively to the chroot directory.
@@ -50,7 +50,7 @@ Index: doc/sample.config
# The default server directory. Does not require any devices present.
#chroot-dir = /var/lib/ocserv
-@@ -180,16 +169,6 @@ ca-cert = ../tests/certs/ca.pem
+@@ -166,16 +155,6 @@ ca-cert = ../tests/certs/ca.pem
### failures during the reloading time.
@@ -67,7 +67,7 @@ Index: doc/sample.config
# A banner to be displayed on clients after connection
#banner = "Welcome"
-@@ -350,9 +329,8 @@ min-reauth-time = 300
+@@ -340,9 +319,8 @@ min-reauth-time = 300
# Banning clients in ocserv works with a point system. IP addresses
# that get a score over that configured number are banned for
# min-reauth-time seconds. By default a wrong password attempt is 10 points,
@@ -79,7 +79,7 @@ Index: doc/sample.config
#
# Score banning cannot be reliably used when receiving proxied connections
# locally from an HTTP server (i.e., when listen-clear-file is used).
-@@ -366,7 +344,6 @@ ban-reset-time = 1200
+@@ -356,7 +334,6 @@ ban-reset-time = 1200
# In case you'd like to change the default points.
#ban-points-wrong-password = 10
#ban-points-connection = 1
@@ -87,7 +87,7 @@ Index: doc/sample.config
# Cookie timeout (in seconds)
# Once a client is authenticated he's provided a cookie with
-@@ -441,7 +418,7 @@ rekey-method = ssl
+@@ -431,7 +408,7 @@ rekey-method = ssl
use-occtl = true
# PID file. It can be overridden in the command line.
@@ -96,7 +96,7 @@ Index: doc/sample.config
# Set the protocol-defined priority (SO_PRIORITY) for packets to
# be sent. That is a number from 0 to 6 with 0 being the lowest
-@@ -558,6 +535,11 @@ no-route = 192.168.5.0/255.255.255.0
+@@ -548,6 +525,11 @@ no-route = 192.168.5.0/255.255.255.0
# any other routes. In case of defaultroute, the no-routes are restricted.
# All the routes applied by ocserv can be reverted using /etc/ocserv/ocserv-fw
# --removeall. This option can be set globally or in the per-user
configuration.
@@ -108,7 +108,7 @@ Index: doc/sample.config
#restrict-user-to-routes = true
# This option implies restrict-user-to-routes set to true. If set, the
-@@ -630,23 +612,6 @@ no-route = 192.168.5.0/255.255.255.0
+@@ -620,23 +602,6 @@ no-route = 192.168.5.0/255.255.255.0
# and '%{G}', if present will be replaced by the username and group name.
#proxy-url = http://example.com/
#proxy-url = http://example.com/%{U}/
Index: patches/patch-src_main-ban_c
===================================================================
RCS file: patches/patch-src_main-ban_c
diff -N patches/patch-src_main-ban_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-src_main-ban_c 24 Feb 2021 02:24:40 -0000
@@ -0,0 +1,23 @@
+$OpenBSD$
+
+Index: src/main-ban.c
+--- src/main-ban.c.orig
++++ src/main-ban.c
+@@ -403,8 +403,8 @@ static bool test_local_ipv6(struct sockaddr_in6 * remo
+ unsigned index = 0;
+
+ for (index = 0; index < 4; index ++) {
+- uint32_t l = local->sin6_addr.s6_addr32[index] &
network->sin6_addr.s6_addr32[index];
+- uint32_t r = remote->sin6_addr.s6_addr32[index] &
network->sin6_addr.s6_addr32[index];
++ uint32_t l = local->sin6_addr.__u6_addr.__u6_addr32[index] &
network->sin6_addr.__u6_addr.__u6_addr32[index];
++ uint32_t r = remote->sin6_addr.__u6_addr.__u6_addr32[index] &
network->sin6_addr.__u6_addr.__u6_addr32[index];
+ if (l != r)
+ return false;
+ }
+@@ -443,4 +443,4 @@ void if_address_cleanup(main_server_st * s)
+
+ s->if_addresses = NULL;
+ s->if_addresses_count = 0;
+-}
+\ No newline at end of file
++}
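Review bot: The two replaced `uint32_t l`/`uint32_t r` assignments reach into OpenBSD's private in6_addr union through `__u6_addr.__u6_addr32`, names reserved for the implementation, so the port now depends on a struct layout rather than an interface and the change is unlikely to be acceptable upstream; the same masked comparison can be written over the POSIX `s6_addr` byte array, which removes the need for a local patch entirely. Since this test decides which clients are exempt from BanIP scoring (changelog item #360), a byte-wise form that masks and compares all 16 octets is also easier to audit than four 32-bit words whose element type and count differ between platforms. `test_local_ipv6` begins before this hunk (the patch starts at its line 403), and the second inner hunk at the end of `if_address_cleanup` only adds a trailing newline. The `network->sin6_addr...` continuation after each assignment appears to have been wrapped by the mail client; confirm the checked-in patch keeps each statement on one line, or `patch` will reject it.
```c
	/* … unchanged: earlier part of test_local_ipv6, outside the hunk … */
	for (index = 0; index < 16; index++) {
		uint8_t mask = network->sin6_addr.s6_addr[index];
		if ((local->sin6_addr.s6_addr[index] & mask) !=
		    (remote->sin6_addr.s6_addr[index] & mask))
			return false;
	}
	/* … unchanged: remainder of test_local_ipv6 … */
```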