authorJuraj Lutter <otis@FreeBSD.org>2023-12-27 19:08:56 +0000
committerJuraj Lutter <otis@FreeBSD.org>2023-12-27 20:30:53 +0000
commit7f0a801fe7c33d8ded65e5394daa861730bcf957 (patch)
tree3891e038e65c8ca5a45f744f2c0f9706d862aa13
parenta0bd62090d6e854d1b286381bc863cfb12fae6a8 (diff)
net/ocserv: Update to 1.2.3
-rw-r--r--net/ocserv/Makefile9
-rw-r--r--net/ocserv/distinfo6
-rw-r--r--net/ocserv/files/patch-configure.ac4
-rw-r--r--net/ocserv/files/patch-doc_sample.config84
-rw-r--r--net/ocserv/files/patch-src_ip-util.h6
-rw-r--r--net/ocserv/files/patch-src_main-ban.c4
-rw-r--r--net/ocserv/files/patch-src_main-user.c11
-rw-r--r--net/ocserv/files/patch-src_occtl_occtl.c4
-rw-r--r--net/ocserv/pkg-plist2
9 files changed, 66 insertions, 64 deletions
diff --git a/net/ocserv/Makefile b/net/ocserv/Makefile
index 808a77c12cdb..f1477ea25cb6 100644
--- a/net/ocserv/Makefile
+++ b/net/ocserv/Makefile
@@ -1,5 +1,5 @@
PORTNAME= ocserv
-DISTVERSION= 1.2.2
+DISTVERSION= 1.2.3
CATEGORIES= net net-vpn security
MASTER_SITES= https://www.infradead.org/ocserv/download/
@@ -56,15 +56,14 @@ RADIUS_CONFIGURE_OFF= --without-radius
.include <bsd.port.pre.mk>
post-patch:
- ${REINPLACE_CMD} 's|/usr/bin/ocserv-fw|${PREFIX}/bin/ocserv-fw|g' \
- ${WRKSRC}/src/main-user.c
- ${REINPLACE_CMD} 's|/usr/bin/ocserv\\-fw|${PREFIX}/bin/ocserv\\-fw|g' \
+ ${REINPLACE_CMD} 's|/usr/bin/ocserv\\-fw|${PREFIX}/libexec/ocserv\\-fw|g' \
${WRKSRC}/doc/ocserv.8
${REINPLACE_CMD} -e 's|%%PREFIX%%|${PREFIX}|g' \
-e 's|%%ETCDIR%%|${ETCDIR}|g' \
-e 's|%%USERS%%|${USERS}|g' \
-e 's|%%GROUPS%%|${GROUPS}|g' \
- ${WRKSRC}/doc/sample.config
+ ${WRKSRC}/doc/sample.config \
+ ${WRKSRC}/src/main-user.c
.if "${PREFIX}" != "" && "${PREFIX}" != "/" && "${PREFIX}" != "/usr"
${REINPLACE_CMD} -E 's|^(#define DEFAULT_CFG_FILE ")(/etc/ocserv/ocserv.conf")|\1${PREFIX}\2|' ${WRKSRC}/src/config.c
${REINPLACE_CMD} -E 's|^(#define DEFAULT_OCPASSWD ")(/etc/ocserv/ocpasswd")|\1${PREFIX}\2|' ${WRKSRC}/src/ocpasswd/ocpasswd.c
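Review bot: The ocserv.8 substitution kept on the changed line still matches `/usr/bin/ocserv\-fw`, while every other upstream reference touched by this update (the sample.config hunk and the new main-user.c define) now reads `/usr/libexec/ocserv-fw`; if the 1.2.3 man page was updated the same way, this sed is a silent no-op and the manual will document a path that is not installed. Worth checking the fetched doc/ocserv.8 and, if so, widening the pattern with a delimiter that does not clash with the alternation: `${REINPLACE_CMD} -E 's,/usr/(bin|libexec)/ocserv\\-fw,${PREFIX}/libexec/ocserv\\-fw,g' \`. Note also that the same four `-e` expressions now run over src/main-user.c, which is fine only as long as no other `%%...%%` token ever appears in that source. The post-patch target continues past the end of the hunk.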
diff --git a/net/ocserv/distinfo b/net/ocserv/distinfo
index eef8583eb834..5efa9abfa72d 100644
--- a/net/ocserv/distinfo
+++ b/net/ocserv/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1699481326
-SHA256 (ocserv-1.2.2.tar.xz) = 6e3c7a2ee9e9b4d3621de66e155fd99eb02c0134b9f42cfbc86d3979e485c719
-SIZE (ocserv-1.2.2.tar.xz) = 751548
+TIMESTAMP = 1703628457
+SHA256 (ocserv-1.2.3.tar.xz) = 06ce0fcb59a8b33b8d65d6e551de2b5ef77b7ea641b87caa654a5ee9c49f1bbf
+SIZE (ocserv-1.2.3.tar.xz) = 757484
diff --git a/net/ocserv/files/patch-configure.ac b/net/ocserv/files/patch-configure.ac
index f06c82846f51..68267a953766 100644
--- a/net/ocserv/files/patch-configure.ac
+++ b/net/ocserv/files/patch-configure.ac
@@ -1,4 +1,4 @@
---- configure.ac.orig 2023-07-11 12:47:23 UTC
+--- configure.ac.orig 2023-12-14 11:45:13 UTC
+++ configure.ac
@@ -16,7 +16,7 @@ AM_PROG_CC_C_O
AC_PROG_SED
@@ -9,7 +9,7 @@
fi
AC_PATH_PROG(CTAGS, ctags, [:])
-@@ -223,7 +223,7 @@ if test "$test_for_geoip" = yes && test "$have_maxmind
+@@ -219,7 +219,7 @@ if test "$test_for_geoip" = yes && test "$have_maxmind
fi
have_readline=no
diff --git a/net/ocserv/files/patch-doc_sample.config b/net/ocserv/files/patch-doc_sample.config
index b21233ad088d..4cb7151e403a 100644
--- a/net/ocserv/files/patch-doc_sample.config
+++ b/net/ocserv/files/patch-doc_sample.config
@@ -1,4 +1,4 @@
---- doc/sample.config.orig 2023-07-11 12:54:03 UTC
+--- doc/sample.config.orig 2023-12-17 10:19:23 UTC
+++ doc/sample.config
@@ -19,7 +19,7 @@
# This enabled PAM authentication of the user. The gid-min option is used
@@ -18,14 +18,12 @@
# The radius option requires specifying freeradius-client configuration
# file. If the groupconfig option is set, then config-per-user/group will be overridden,
# and all configuration will be read from radius. That also includes the
-@@ -47,10 +47,10 @@
-
+@@ -48,9 +48,9 @@
#auth = "pam"
#auth = "pam[gid-min=1000]"
--#auth = "plain[passwd=./sample.passwd,otp=./sample.otp]"
+ #auth = "plain[passwd=./sample.passwd,otp=./sample.otp]"
-auth = "plain[passwd=./sample.passwd]"
-+#auth = "plain[passwd=%%ETCDIR%%/sample.passwd,otp=%%ETCDIR%%/sample.otp]"
-+auth = "plain[passwd=%%ETCDIR%%/sample.passwd]"
++auth = "plain[passwd=%%ETCDIR%%/sample.passwd,otp=%%ETCDIR%%/sample.otp]"
#auth = "certificate"
-#auth = "radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true]"
+#auth = "radius[config=%%PREFIX%%/etc/radiusclient/radiusclient.conf,groupconfig=true]"
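Review bot: The enabled `auth = "plain[passwd=%%ETCDIR%%/sample.passwd,otp=%%ETCDIR%%/sample.otp]"` line now points at an OTP file as well as the password file, whereas the previous patch kept the otp variant commented out and enabled only the passwd form. Nothing in this diff installs or creates `sample.otp` under ETCDIR (the pkg-plist hunk visible here shows only bin/ and man/ entries), so how a fresh install behaves until the admin creates that file cannot be told from here and should be checked. If the intent was only to fix the paths, keep the otp form as the commented example and enable the passwd-only form: `#auth = "plain[passwd=%%ETCDIR%%/sample.passwd,otp=%%ETCDIR%%/sample.otp]"` followed by `auth = "plain[passwd=%%ETCDIR%%/sample.passwd]"`.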
@@ -41,17 +39,6 @@
# Use listen-host to limit to specific IPs or to the IPs of a provided
# hostname.
-@@ -96,8 +96,8 @@ udp-port = 443
- # The user the worker processes will be run as. This should be a dedicated
- # unprivileged user (e.g., 'ocserv') and no other services should run as this
- # user.
--run-as-user = nobody
--run-as-group = daemon
-+run-as-user = %%USERS%%
-+run-as-group = %%GROUPS%%
-
- # socket file used for IPC with occtl. You only need to set that,
- # if you use more than a single servers.
@@ -124,22 +124,20 @@ socket-file = /var/run/ocserv-socket
# certificate renewal (they are checked and reloaded periodically;
# a SIGHUP signal to main server will force reload).
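Review bot: Dropping the `run-as-user = %%USERS%%` / `run-as-group = %%GROUPS%%` replacement from the patch means the installed sample config no longer directs worker processes to the port's dedicated user, unless the 1.2.3 upstream sample already moved away from the `nobody`/`daemon` defaults that the removed lines show. The file's own comment says workers should run as a dedicated unprivileged user that no other service shares, and the Makefile in this same commit still defines the `%%USERS%%`/`%%GROUPS%%` substitutions for sample.config, so those tokens now have nothing to act on. If the upstream lines merely moved, the hunk should be re-added against their new location so the sample still reads `run-as-user = %%USERS%%` and `run-as-group = %%GROUPS%%`.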
@@ -60,8 +47,8 @@
-#server-key = /etc/ocserv/server-key.pem
-server-cert = ../tests/certs/server-cert.pem
-server-key = ../tests/certs/server-key.pem
-++server-cert = %%ETCDIR%%/server-cert.pem
-++server-key = %%ETCDIR%%/server-key.pem
++server-cert = %%ETCDIR%%/server-cert.pem
++server-key = %%ETCDIR%%/server-key.pem
# Diffie-Hellman parameters. Only needed if for old (pre 3.6.0
# versions of GnuTLS for supporting DHE ciphersuites.
@@ -91,13 +78,9 @@
# The number of sub-processes to use for the security module (authentication)
# processes. Typically this should not be set as the number of processes
-@@ -171,17 +168,10 @@ ca-cert = ../tests/certs/ca.pem
- ### operation. If the server key changes on reload, there may be connection
+@@ -172,16 +169,6 @@ ca-cert = ../tests/certs/ca.pem
### failures during the reloading time.
-+# ocserv 1.1.1 on FreeBSD does not currently support process isolation,
-+# because ocserv only supports Linux's seccomp system, but not capsicum(4).
-+#isolate-workers = false
-# Whether to enable seccomp/Linux namespaces worker isolation. That restricts the number of
-# system calls allowed to a worker process, in order to reduce damage from a
@@ -112,7 +95,7 @@
# A banner to be displayed on clients after connection
#banner = "Welcome"
-@@ -262,7 +252,7 @@ try-mtu-discovery = false
+@@ -262,7 +249,7 @@ try-mtu-discovery = false
# You can update this response periodically using:
# ocsptool --ask --load-cert=your_cert --load-issuer=your_ca --outfile response
# Make sure that you replace the following file in an atomic way.
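Review bot: The FreeBSD-specific note explaining that worker isolation is unavailable (`# ocserv 1.1.1 on FreeBSD does not currently support process isolation ...` together with `#isolate-workers = false`) is dropped from the patch, while the context lines that follow show the patch still strips upstream's own description of the seccomp/namespaces option. Unless 1.2.3 gained an isolation backend usable on FreeBSD, the installed sample config now says nothing about `isolate-workers` at all, and an admin following the upstream manual may enable it expecting a sandbox it does not get. If isolation is still Linux-only, keep a version-agnostic form of the note: `# Worker process isolation (isolate-workers) is not available on FreeBSD; ocserv implements it with Linux seccomp only.` and `#isolate-workers = false`.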
@@ -121,35 +104,53 @@
# The object identifier that will be used to read the user ID in the client
# certificate. The object identifier should be part of the certificate's DN
-@@ -281,7 +271,7 @@ cert-user-oid = 0.9.2342.19200300.100.1.1
+@@ -281,7 +268,7 @@ cert-user-oid = 0.9.2342.19200300.100.1.1
# See the manual to generate an empty CRL initially. The CRL will be reloaded
# periodically when ocserv detects a change in the file. To force a reload use
# SIGHUP.
-#crl = /etc/ocserv/crl.pem
-+#crl = %%ETCDIR%%/crl.pem
++crl = %%ETCDIR%%/crl.pem
# Uncomment this to enable compression negotiation (LZS, LZ4).
#compression = true
-@@ -560,15 +550,15 @@ no-route = 192.168.5.0/255.255.255.0
+@@ -415,14 +402,14 @@ rekey-method = ssl
+ # STATS_BYTES_OUT, STATS_DURATION that contain a 64-bit counter of the bytes
+ # output from the tun device, and the duration of the session in seconds.
+
+-#connect-script = /usr/bin/myscript
+-#disconnect-script = /usr/bin/myscript
++#connect-script = %%PREFIX%%/bin/myscript
++#disconnect-script = %%PREFIX%%/bin/myscript
+
+ # This script is to be called when the client's advertised hostname becomes
+ # available. It will contain REASON with "host-update" value and the
+ # variable REMOTE_HOSTNAME in addition to the connect variables.
+
+-#host-update-script = /usr/bin/myhostnamescript
++#host-update-script = %%PREFIX%%/bin/myhostnamescript
+
+ # UTMP
+ # Register the connected clients to utmp. This will allow viewing
+@@ -563,15 +550,15 @@ no-route = 192.168.5.0/255.255.255.0
# Note the that following two firewalling options currently are available
# in Linux systems with iptables software.
--# If set, the script /usr/bin/ocserv-fw will be called to restrict
-+# If set, the script %%PREFIX%%/bin/ocserv-fw will be called to restrict
+-# If set, the script /usr/libexec/ocserv-fw will be called to restrict
++# If set, the script %%PREFIX%%/libexec/ocserv-fw will be called to restrict
# the user to its allowed routes and prevent him from accessing
# any other routes. In case of defaultroute, the no-routes are restricted.
--# All the routes applied by ocserv can be reverted using /usr/bin/ocserv-fw
-+# All the routes applied by ocserv can be reverted using %%PREFIX%%/bin/ocserv-fw
+-# All the routes applied by ocserv can be reverted using /usr/libexec/ocserv-fw
++# All the routes applied by ocserv can be reverted using %%PREFIX%%/libexec/ocserv-fw
# --removeall. This option can be set globally or in the per-user configuration.
#restrict-user-to-routes = true
# This option implies restrict-user-to-routes set to true. If set, the
--# script /usr/bin/ocserv-fw will be called to restrict the user to
-+# script %%PREFIX%%/bin/ocserv-fw will be called to restrict the user to
+-# script /usr/libexec/ocserv-fw will be called to restrict the user to
++# script %%PREFIX%%/libexec/ocserv-fw will be called to restrict the user to
# access specific ports in the network. This option can be set globally
# or in the per-user configuration.
#restrict-user-to-ports = "tcp(443), tcp(80), udp(443), sctp(99), tcp(583), icmp(), icmpv6()"
-@@ -616,13 +606,13 @@ no-route = 192.168.5.0/255.255.255.0
+@@ -619,13 +606,13 @@ no-route = 192.168.5.0/255.255.255.0
# hostname to override any proposed by the user. Note also, that, any
# routes, no-routes, DNS or NBNS servers present will overwrite the global ones.
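Review bot: `+crl = %%ETCDIR%%/crl.pem` turns the CRL on in the shipped sample config, where the previous patch kept it commented (`#crl = %%ETCDIR%%/crl.pem`) in line with upstream's `#crl = /etc/ocserv/crl.pem`. The surrounding comment says the file has to be generated first ("See the manual to generate an empty CRL initially"), and nothing in this diff installs one, so a fresh install using the sample config depends on a file the admin must create; whether ocserv refuses to start or proceeds without revocation checking when it is absent cannot be told from here and should be confirmed before making it the default. If enabling it is intended, say so next to the line, e.g. `# The port ships no crl.pem; generate an (empty) CRL before enabling certificate auth.`; otherwise restore `#crl = %%ETCDIR%%/crl.pem`.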
@@ -167,21 +168,12 @@
# The system command to use to setup a route. %{R} will be replaced with the
# route/mask, %{RI} with the route in CIDR format, and %{D} with the (tun) device.
-@@ -644,7 +634,7 @@ no-route = 192.168.5.0/255.255.255.0
- # In MIT kerberos you'll need to add in realms:
- # EXAMPLE.COM = {
- # kdc = https://ocserv.example.com/KdcProxy
--# http_anchors = FILE:/etc/ocserv-ca.pem
-+# http_anchors = FILE:%%ETCDIR%%/ocserv-ca.pem
- # }
- # In some distributions the krb5-k5tls plugin of kinit is required.
- #
-@@ -747,13 +737,13 @@ camouflage_realm = "Restricted Content"
+@@ -750,13 +737,13 @@ camouflage_realm = "Restricted Content"
[vhost:www.example.com]
auth = "certificate"
-ca-cert = ../tests/certs/ca.pem
-+ca-cert = %%ETCDIR%%/ca.pem
++ca-cert = %%ETCDIR%%/www.example.com-ca.pem
# The certificate set here must include a 'dns_name' corresponding to
# the virtual host name.
diff --git a/net/ocserv/files/patch-src_ip-util.h b/net/ocserv/files/patch-src_ip-util.h
index ac62f740dc65..dfd23017f08b 100644
--- a/net/ocserv/files/patch-src_ip-util.h
+++ b/net/ocserv/files/patch-src_ip-util.h
@@ -1,10 +1,10 @@
---- src/ip-util.h.orig 2023-08-15 11:26:31.522070000 +0300
-+++ src/ip-util.h 2023-08-15 11:28:31.360118000 +0300
+--- src/ip-util.h.orig 2023-12-16 05:18:58 UTC
++++ src/ip-util.h
@@ -24,6 +24,7 @@
#include <sys/socket.h>
#include <netinet/in.h>
+#include <sys/types.h>
- #define MAX_IP_STR 46
// Lower MTU bound is the value defined in RFC 791
+ #define RFC_791_MTU (68)
diff --git a/net/ocserv/files/patch-src_main-ban.c b/net/ocserv/files/patch-src_main-ban.c
index 86483cf2e9f7..59e7229084ff 100644
--- a/net/ocserv/files/patch-src_main-ban.c
+++ b/net/ocserv/files/patch-src_main-ban.c
@@ -1,6 +1,6 @@
---- src/main-ban.c.orig 2023-01-29 14:09:45 UTC
+--- src/main-ban.c.orig 2023-12-17 10:19:23 UTC
+++ src/main-ban.c
-@@ -408,8 +408,8 @@ static bool test_local_ipv6(struct sockaddr_in6 * remo
+@@ -407,8 +407,8 @@ static bool test_local_ipv6(struct sockaddr_in6 * remo
unsigned index = 0;
for (index = 0; index < 4; index ++) {
diff --git a/net/ocserv/files/patch-src_main-user.c b/net/ocserv/files/patch-src_main-user.c
new file mode 100644
index 000000000000..611524eee4c0
--- /dev/null
+++ b/net/ocserv/files/patch-src_main-user.c
@@ -0,0 +1,11 @@
+--- src/main-user.c.orig 2023-12-27 19:54:08 UTC
++++ src/main-user.c
+@@ -47,7 +47,7 @@
+ #include <script-list.h>
+ #include <ccan/list/list.h>
+
+-#define OCSERV_FW_SCRIPT "/usr/libexec/ocserv-fw"
++#define OCSERV_FW_SCRIPT "%%PREFIX%%/libexec/ocserv-fw"
+
+ #define APPEND_TO_STR(str, val) \
+ do { \
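Review bot: The new `#define OCSERV_FW_SCRIPT "%%PREFIX%%/libexec/ocserv-fw"` only becomes a real path if the port's post-patch REINPLACE over src/main-user.c runs; if that step is skipped or the token drifts, the build still succeeds and the server would try to execute a literal `%%PREFIX%%/...` path whenever restrict-user-to-routes is used, which the compiler cannot catch. Guarding the definition lets the Makefile supply the path through CPPFLAGS instead of editing source, keeping the patch independent of the text substitution: `#ifndef OCSERV_FW_SCRIPT` / `#define OCSERV_FW_SCRIPT "/usr/libexec/ocserv-fw"` / `#endif`. The enclosing file continues on both sides of the hunk.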
diff --git a/net/ocserv/files/patch-src_occtl_occtl.c b/net/ocserv/files/patch-src_occtl_occtl.c
index b7c73f0d305b..e40bd9f8d9d7 100644
--- a/net/ocserv/files/patch-src_occtl_occtl.c
+++ b/net/ocserv/files/patch-src_occtl_occtl.c
@@ -1,6 +1,6 @@
---- src/occtl/occtl.c.orig 2023-06-16 17:01:03 UTC
+--- src/occtl/occtl.c.orig 2023-12-17 10:19:23 UTC
+++ src/occtl/occtl.c
-@@ -257,7 +257,7 @@ static int handle_help_cmd(CONN_TYPE * conn, const cha
+@@ -260,7 +260,7 @@ static int handle_help_cmd(CONN_TYPE * conn, const cha
static int handle_reset_cmd(CONN_TYPE * conn, const char *arg, cmd_params_st *params)
{
rl_reset_terminal(NULL);
diff --git a/net/ocserv/pkg-plist b/net/ocserv/pkg-plist
index 8d684679a078..2ffb05c47a27 100644
--- a/net/ocserv/pkg-plist
+++ b/net/ocserv/pkg-plist
@@ -1,6 +1,6 @@
bin/occtl
bin/ocpasswd
-bin/ocserv-fw
+libexec/ocserv-fw
man/man8/occtl.8.gz
man/man8/ocpasswd.8.gz
man/man8/ocserv.8.gz