authorJuraj Lutter <otis@FreeBSD.org>2023-08-16 09:12:39 +0000
committerJuraj Lutter <otis@FreeBSD.org>2023-08-21 13:08:57 +0000
commit944e00e9f40f573dc08548e56398332475746a44 (patch)
tree40eb1bece93068c341bf94ea0b69efd0dcef0ff4
parent3afa24c6e301832f76304bb55f4e9ee72858c254 (diff)
net/ocserv: Update to 1.2.0
- Update to 1.2.0 - Adjust dependencies - Make DTLS work - Regen patches Co-authored-by: Eugene Mitrofanov <emitrofanov@gmail.com>
-rw-r--r--net/ocserv/Makefile6
-rw-r--r--net/ocserv/distinfo6
-rw-r--r--net/ocserv/files/patch-configure.ac8
-rw-r--r--net/ocserv/files/patch-doc_sample.config28
-rw-r--r--net/ocserv/files/patch-src_ip-util.h10
-rw-r--r--net/ocserv/files/patch-src_main.c25
-rw-r--r--net/ocserv/files/patch-src_occtl_occtl.c4
-rw-r--r--net/ocserv/files/patch-src_occtl_time.c6
8 files changed, 65 insertions, 28 deletions
diff --git a/net/ocserv/Makefile b/net/ocserv/Makefile
index 6dc13dac271e..10d9f2d3d2b9 100644
--- a/net/ocserv/Makefile
+++ b/net/ocserv/Makefile
@@ -1,5 +1,5 @@
PORTNAME= ocserv
-DISTVERSION= 1.1.7
+DISTVERSION= 1.2.0
CATEGORIES= net net-vpn security
MASTER_SITES= https://www.infradead.org/ocserv/download/
@@ -23,8 +23,8 @@ LIB_DEPENDS= libev.so:devel/libev \
libtalloc.so:devel/talloc \
libtasn1.so:security/libtasn1
-USES= autoreconf cpe gperf libtool localbase ncurses pathfix \
- pkgconfig readline tar:xz
+USES= autoreconf cpe gettext-tools gperf libtool localbase ncurses \
+ pathfix pkgconfig readline tar:xz
CPE_VENDOR= infradead
USE_RC_SUBR= ocserv
diff --git a/net/ocserv/distinfo b/net/ocserv/distinfo
index 30465e6a2b45..c10dada0e39f 100644
--- a/net/ocserv/distinfo
+++ b/net/ocserv/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1683875970
-SHA256 (ocserv-1.1.7.tar.xz) = f30f7515e1e569ca2e68a96fa5e3dd10d49a18a40c981ad95b484d10835e3aa6
-SIZE (ocserv-1.1.7.tar.xz) = 844140
+TIMESTAMP = 1692132524
+SHA256 (ocserv-1.2.0.tar.xz) = 47a66e504a6b04bb04856176d78ee392ad1385d22d1670d4ed48b7b95e9dffc5
+SIZE (ocserv-1.2.0.tar.xz) = 746968
diff --git a/net/ocserv/files/patch-configure.ac b/net/ocserv/files/patch-configure.ac
index 27f60419b701..f06c82846f51 100644
--- a/net/ocserv/files/patch-configure.ac
+++ b/net/ocserv/files/patch-configure.ac
@@ -1,15 +1,15 @@
---- configure.ac.orig 2020-10-09 11:32:59 UTC
+--- configure.ac.orig 2023-07-11 12:47:23 UTC
+++ configure.ac
-@@ -15,7 +15,7 @@ AM_PROG_AR
- AM_PROG_CC_C_O
+@@ -16,7 +16,7 @@ AM_PROG_CC_C_O
AC_PROG_SED
+
if test "$GCC" = "yes" && ! expr "$CC" : clang >/dev/null 2>&1;then
- CFLAGS="$CFLAGS -Wall -Wno-strict-aliasing -Wextra -Wno-unused-parameter -Wno-sign-compare -Wno-missing-field-initializers -Wno-implicit-fallthrough -Wno-stringop-truncation"
+ CFLAGS="$CFLAGS -Wall -Wno-strict-aliasing -Wextra -Wno-unused-parameter -Wno-sign-compare -Wno-missing-field-initializers"
fi
AC_PATH_PROG(CTAGS, ctags, [:])
-@@ -222,7 +222,7 @@ if test "$test_for_geoip" = yes && test "$have_maxmind
+@@ -223,7 +223,7 @@ if test "$test_for_geoip" = yes && test "$have_maxmind
fi
have_readline=no
diff --git a/net/ocserv/files/patch-doc_sample.config b/net/ocserv/files/patch-doc_sample.config
index f866507ac5a0..b21233ad088d 100644
--- a/net/ocserv/files/patch-doc_sample.config
+++ b/net/ocserv/files/patch-doc_sample.config
@@ -1,4 +1,4 @@
---- doc/sample.config.orig 2022-12-02 18:59:51 UTC
+--- doc/sample.config.orig 2023-07-11 12:54:03 UTC
+++ doc/sample.config
@@ -19,7 +19,7 @@
# This enabled PAM authentication of the user. The gid-min option is used
@@ -91,9 +91,13 @@
# The number of sub-processes to use for the security module (authentication)
# processes. Typically this should not be set as the number of processes
-@@ -172,15 +169,9 @@ ca-cert = ../tests/certs/ca.pem
+@@ -171,17 +168,10 @@ ca-cert = ../tests/certs/ca.pem
+ ### operation. If the server key changes on reload, there may be connection
### failures during the reloading time.
++# ocserv 1.1.1 on FreeBSD does not currently support process isolation,
++# because ocserv only supports Linux's seccomp system, but not capsicum(4).
++#isolate-workers = false
-# Whether to enable seccomp/Linux namespaces worker isolation. That restricts the number of
-# system calls allowed to a worker process, in order to reduce damage from a
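Review bot: The regenerated comment still reads `ocserv 1.1.1 on FreeBSD does not currently support process isolation` although this commit moves the port to 1.2.0, so the installed sample config will name a version the operator is not running. Dropping the version keeps it from going stale again, e.g. `# ocserv on FreeBSD does not support worker isolation: upstream implements it with Linux seccomp only, not capsicum(4).` Since the same patch removes the upstream `isolate-workers = true` line and its explanation, the comment should also say that worker processes therefore run without a system-call filter on this platform. The matching removed lines are in the next hunk of this patch file.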
@@ -102,15 +106,13 @@
-# Note however, that process isolation is restricted to the specific libc versions
-# the isolation was tested at. If you get random failures on worker processes, try
-# disabling that option and report the failures you, along with system and debugging
--# information at: https://gitlab.com/ocserv/ocserv/issues
+-# information at: https://gitlab.com/openconnect/ocserv/issues
-isolate-workers = true
-+# ocserv 1.1.1 on FreeBSD does not currently support process isolation,
-+# because ocserv only supports Linux's seccomp system, but not capsicum(4).
-+#isolate-workers = false
-
+-
# A banner to be displayed on clients after connection
#banner = "Welcome"
-@@ -262,7 +253,7 @@ try-mtu-discovery = false
+
+@@ -262,7 +252,7 @@ try-mtu-discovery = false
# You can update this response periodically using:
# ocsptool --ask --load-cert=your_cert --load-issuer=your_ca --outfile response
# Make sure that you replace the following file in an atomic way.
@@ -119,7 +121,7 @@
# The object identifier that will be used to read the user ID in the client
# certificate. The object identifier should be part of the certificate's DN
-@@ -281,7 +272,7 @@ cert-user-oid = 0.9.2342.19200300.100.1.1
+@@ -281,7 +271,7 @@ cert-user-oid = 0.9.2342.19200300.100.1.1
# See the manual to generate an empty CRL initially. The CRL will be reloaded
# periodically when ocserv detects a change in the file. To force a reload use
# SIGHUP.
@@ -128,7 +130,7 @@
# Uncomment this to enable compression negotiation (LZS, LZ4).
#compression = true
-@@ -558,15 +549,15 @@ no-route = 192.168.5.0/255.255.255.0
+@@ -560,15 +550,15 @@ no-route = 192.168.5.0/255.255.255.0
# Note the that following two firewalling options currently are available
# in Linux systems with iptables software.
@@ -147,7 +149,7 @@
# access specific ports in the network. This option can be set globally
# or in the per-user configuration.
#restrict-user-to-ports = "tcp(443), tcp(80), udp(443), sctp(99), tcp(583), icmp(), icmpv6()"
-@@ -614,13 +605,13 @@ no-route = 192.168.5.0/255.255.255.0
+@@ -616,13 +606,13 @@ no-route = 192.168.5.0/255.255.255.0
# hostname to override any proposed by the user. Note also, that, any
# routes, no-routes, DNS or NBNS servers present will overwrite the global ones.
@@ -165,7 +167,7 @@
# The system command to use to setup a route. %{R} will be replaced with the
# route/mask, %{RI} with the route in CIDR format, and %{D} with the (tun) device.
-@@ -642,7 +633,7 @@ no-route = 192.168.5.0/255.255.255.0
+@@ -644,7 +634,7 @@ no-route = 192.168.5.0/255.255.255.0
# In MIT kerberos you'll need to add in realms:
# EXAMPLE.COM = {
# kdc = https://ocserv.example.com/KdcProxy
@@ -174,7 +176,7 @@
# }
# In some distributions the krb5-k5tls plugin of kinit is required.
#
-@@ -722,13 +713,13 @@ client-bypass-protocol = false
+@@ -747,13 +737,13 @@ camouflage_realm = "Restricted Content"
[vhost:www.example.com]
auth = "certificate"
diff --git a/net/ocserv/files/patch-src_ip-util.h b/net/ocserv/files/patch-src_ip-util.h
new file mode 100644
index 000000000000..ac62f740dc65
--- /dev/null
+++ b/net/ocserv/files/patch-src_ip-util.h
@@ -0,0 +1,10 @@
+--- src/ip-util.h.orig 2023-08-15 11:26:31.522070000 +0300
++++ src/ip-util.h 2023-08-15 11:28:31.360118000 +0300
+@@ -24,6 +24,7 @@
+
+ #include <sys/socket.h>
+ #include <netinet/in.h>
++#include <sys/types.h>
+
+ #define MAX_IP_STR 46
+ // Lower MTU bound is the value defined in RFC 791
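Review bot: The new `#include <sys/types.h>` is added after `<sys/socket.h>` and `<netinet/in.h>`; the BSD convention is for `<sys/types.h>` to precede the other system headers, since they may rely on its typedefs, so placing it above `#include <sys/socket.h>` is the more robust form. The patch header also carries local `+0300` timestamps on both the `---` and `+++` lines, unlike the other patches in this commit, whose headers use the `UTC` form, which suggests this file was not regenerated with the ports tooling. Neither point changes behaviour as far as the visible lines show.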
diff --git a/net/ocserv/files/patch-src_main.c b/net/ocserv/files/patch-src_main.c
new file mode 100644
index 000000000000..f5c7037ce8e3
--- /dev/null
+++ b/net/ocserv/files/patch-src_main.c
@@ -0,0 +1,25 @@
+--- src/main.c.orig 2023-06-16 17:01:03 UTC
++++ src/main.c
+@@ -215,9 +215,9 @@ int _listen_ports(void *pool, struct perm_cfg_st* conf
+ #endif
+
+ y = 1;
+- if (setsockopt(s, SOL_SOCKET, SO_REUSEADDR,
++ if (setsockopt(s, SOL_SOCKET, SO_REUSEPORT,
+ (const void *) &y, sizeof(y)) < 0) {
+- perror("setsockopt(SO_REUSEADDR) failed");
++ perror("setsockopt(SO_REUSEPORT) failed");
+ }
+
+ if (ptr->ai_socktype == SOCK_DGRAM) {
+@@ -424,8 +424,8 @@ int y;
+ #endif
+
+ y = 1;
+- if (setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, (const void *) &y, sizeof(y)) < 0) {
+- perror("setsockopt(SO_REUSEADDR) failed");
++ if (setsockopt(fd, SOL_SOCKET, SO_REUSEPORT, (const void *) &y, sizeof(y)) < 0) {
++ perror("setsockopt(SO_REUSEPORT) failed");
+ }
+
+ if (GETCONFIG(s)->try_mtu) {
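Review bot: Both hunks replace SO_REUSEADDR with SO_REUSEPORT instead of adding it, and the first one (in `_listen_ports`) sits before the `if (ptr->ai_socktype == SOCK_DGRAM)` test, so it appears to apply to the TCP listeners as well as the UDP ones. On FreeBSD SO_REUSEPORT permits fully duplicate address/port bindings between sockets that set it (subject to the kernel's ownership checks), which is a wider grant than the DTLS fix presumably needs on a VPN listener. Consider keeping the original SO_REUSEADDR call and setting SO_REUSEPORT in addition, only on the datagram path, e.g. `if (ptr->ai_socktype == SOCK_DGRAM && setsockopt(s, SOL_SOCKET, SO_REUSEPORT, (const void *) &y, sizeof(y)) < 0) perror("setsockopt(SO_REUSEPORT) failed");`. A failed call is still only reported through perror() and execution continues, so if DTLS now depends on the option the failure will surface later and less clearly. Both functions start and end outside the hunks, so the surrounding bind logic is not visible here.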
diff --git a/net/ocserv/files/patch-src_occtl_occtl.c b/net/ocserv/files/patch-src_occtl_occtl.c
index de75a421e6fe..b7c73f0d305b 100644
--- a/net/ocserv/files/patch-src_occtl_occtl.c
+++ b/net/ocserv/files/patch-src_occtl_occtl.c
@@ -1,6 +1,6 @@
---- src/occtl/occtl.c.orig 2020-08-06 18:51:31 UTC
+--- src/occtl/occtl.c.orig 2023-06-16 17:01:03 UTC
+++ src/occtl/occtl.c
-@@ -264,7 +264,7 @@ static int handle_help_cmd(CONN_TYPE * conn, const cha
+@@ -257,7 +257,7 @@ static int handle_help_cmd(CONN_TYPE * conn, const cha
static int handle_reset_cmd(CONN_TYPE * conn, const char *arg, cmd_params_st *params)
{
rl_reset_terminal(NULL);
diff --git a/net/ocserv/files/patch-src_occtl_time.c b/net/ocserv/files/patch-src_occtl_time.c
index 85ef4c1819ec..0feb85fdffd0 100644
--- a/net/ocserv/files/patch-src_occtl_time.c
+++ b/net/ocserv/files/patch-src_occtl_time.c
@@ -1,16 +1,16 @@
---- src/occtl/time.c.orig 2017-09-09 08:34:02 UTC
+--- src/occtl/time.c.orig 2023-06-09 13:21:24 UTC
+++ src/occtl/time.c
@@ -36,7 +36,7 @@ void print_time_ival7(char output[MAX_TMPSTR_SIZE], ti
{
time_t t = t1 - t2;
-- if ((long)t < (long)0) {
+- if ((long)t < 0) {
+ if ((long long)t < (long long)0) {
/* system clock changed? */
snprintf(output, MAX_TMPSTR_SIZE, " ? ");
return;
@@ -44,17 +44,17 @@ void print_time_ival7(char output[MAX_TMPSTR_SIZE], ti
-
+
if (t >= 48 * 60 * 60)
/* 2 days or more */
- snprintf(output, MAX_TMPSTR_SIZE, _("%2ludays"), (long)t / (24 * 60 * 60));