update to ocserv-0.11.6 plus patch for autogen problem in the release

from Björn Ketelaars (I added a comment to recheck autogen because it changed again since that patch)
2016-11-19 15:35:09 +00:00 · 2016-11-19 15:35:09 +00:00 · 1530bc81b1
commit 1530bc81b1
parent 4158b46011
5 changed files with 91 additions and 20 deletions
--- a/net/ocserv/Makefile
+++ b/net/ocserv/Makefile
@ -1,8 +1,10 @@
-# $OpenBSD: Makefile,v 1.20 2016/09/23 09:00:11 sthen Exp $
+# $OpenBSD: Makefile,v 1.21 2016/11/19 15:35:09 sthen Exp $
+
+# XXX for 0.11.7 update, check both with+without autogen

 COMMENT=	server implementing the AnyConnect SSL VPN protocol

-DISTNAME=	ocserv-0.11.5
+DISTNAME=	ocserv-0.11.6
 EXTRACT_SUFX=	.tar.xz

 CATEGORIES=	net
--- a/net/ocserv/distinfo
+++ b/net/ocserv/distinfo
@ -1,2 +1,2 @@
-SHA256 (ocserv-0.11.5.tar.xz) = KoDjLlOARPundF/SoM+qJ6OYCX+41NaEwRQhGLaSGcs=
-SIZE (ocserv-0.11.5.tar.xz) = 758252
+SHA256 (ocserv-0.11.6.tar.xz) = k3x61AGYOpGDzsWXav15zhr1snk9xxiF0qTs2wQ71Iw=
+SIZE (ocserv-0.11.6.tar.xz) = 762492
--- a/net/ocserv/patches/patch-doc_sample_config
+++ b/net/ocserv/patches/patch-doc_sample_config
@ -1,9 +1,9 @@
-$OpenBSD: patch-doc_sample_config,v 1.14 2016/09/23 09:00:11 sthen Exp $
+$OpenBSD: patch-doc_sample_config,v 1.15 2016/11/19 15:35:09 sthen Exp $

 no seccomp, gssapi

--- doc/sample.config.orig	Fri Sep 23 09:58:11 2016
-+++ doc/sample.config	Fri Sep 23 09:58:11 2016
+--- doc/sample.config.orig	Tue Nov 15 06:44:28 2016
+++ doc/sample.config	Tue Nov 15 06:47:49 2016
@@ -1,7 +1,7 @@
 # User authentication method. Could be set multiple times and in 
 # that case all should succeed. To enable multiple methods use
@ -13,11 +13,10 @@ no seccomp, gssapi
 #
 # Note that authentication methods cannot be changed with reload.
 
-@@ -26,15 +26,6 @@
- # file. If the groupconfig option is set, then config-per-user/group will be overriden,
- # and all configuration will be read from radius. The 'override-interim-updates' if set to
- # true will ignore Acct-Interim-Interval from the server and 'stats-report-time' will be considered.
-#
+@@ -29,14 +29,6 @@
+ #
+ # See doc/README-radius.md for the supported radius configuration atributes.
+ #
 -# gssapi[keytab=/etc/key.tab,require-local-user-map=true,tgt-freshness-time=900]
 -#  The gssapi option allows to use authentication methods supported by GSSAPI,
 -# such as Kerberos tickets with ocserv. It should be best used as an alternative
@ -29,7 +28,7 @@ no seccomp, gssapi
 
 #auth = "pam"
 #auth = "pam[gid-min=1000]"
-@@ -47,8 +38,6 @@ auth = "plain[passwd=./sample.passwd]"
+@@ -49,8 +41,6 @@ auth = "plain[passwd=./sample.passwd]"
 # for authentication. That is, if set, any of the methods enabled
 # will be sufficient to login.
 #enable-auth = "certificate"
@ -38,7 +37,7 @@ no seccomp, gssapi
 
 # Accounting methods available:
 # radius: can be combined with any authentication method, it provides
-@@ -83,8 +72,8 @@ udp-port = 443
+@@ -85,8 +75,8 @@ udp-port = 443
 
 # The user the worker processes will be run as. It should be
 # unique (no other services run as this user).
@ -49,7 +48,7 @@ no seccomp, gssapi
 
 # socket file used for IPC with occtl. You only need to set that,
 # if you use more than a single servers.
-@@ -93,7 +82,7 @@ run-as-group = daemon
+@@ -95,7 +85,7 @@ run-as-group = daemon
 # socket file used for server IPC (worker-main), will be appended with .PID
 # It must be accessible within the chroot environment (if any), so it is best
 # specified relatively to the chroot directory.
@ -58,7 +57,7 @@ no seccomp, gssapi
 
 # The default server directory. Does not require any devices present.
 #chroot-dir = /path/to/chroot
-@@ -147,16 +136,6 @@ ca-cert = ../tests/certs/ca.pem
+@@ -149,16 +139,6 @@ ca-cert = ../tests/certs/ca.pem
 ### failures during the reloading time.
 
 
@ -75,7 +74,7 @@ no seccomp, gssapi
 # A banner to be displayed on clients
 #banner = "Welcome"
 
-@@ -290,9 +269,8 @@ min-reauth-time = 300
+@@ -292,9 +272,8 @@ min-reauth-time = 300
 # Banning clients in ocserv works with a point system. IP addresses
 # that get a score over that configured number are banned for
 # min-reauth-time seconds. By default a wrong password attempt is 10 points,
@ -87,7 +86,7 @@ no seccomp, gssapi
 #
 # Score banning cannot be reliably used when receiving proxied connections
 # locally from an HTTP server (i.e., when listen-clear-file is used).
-@@ -306,7 +284,6 @@ ban-reset-time = 300
+@@ -308,7 +287,6 @@ ban-reset-time = 300
 # In case you'd like to change the default points.
 #ban-points-wrong-password = 10
 #ban-points-connection = 1
@ -95,7 +94,7 @@ no seccomp, gssapi
 
 # Cookie timeout (in seconds)
 # Once a client is authenticated he's provided a cookie with
-@@ -373,7 +350,7 @@ rekey-method = ssl
+@@ -375,7 +353,7 @@ rekey-method = ssl
 use-occtl = true
 
 # PID file. It can be overriden in the command line.
@ -104,7 +103,7 @@ no seccomp, gssapi
 
 # Set the protocol-defined priority (SO_PRIORITY) for packets to
 # be sent. That is a number from 0 to 6 with 0 being the lowest
-@@ -488,6 +465,11 @@ no-route = 192.168.5.0/255.255.255.0
+@@ -490,6 +468,11 @@ no-route = 192.168.5.0/255.255.255.0
 # any other routes. In case of defaultroute, the no-routes are restricted.
 # All the routes applied by ocserv can be reverted using /etc/ocserv/ocserv-fw
 # --removeall. This option can be set globally or in the per-user configuration.
@ -116,3 +115,27 @@ no seccomp, gssapi
 #restrict-user-to-routes = true
 
 # This option implies restrict-user-to-routes set to true. If set, the
+@@ -562,23 +545,6 @@ no-route = 192.168.5.0/255.255.255.0
+ # and '%{G}', if present will be replaced by the username and group name.
+ #proxy-url = http://example.com/
+ #proxy-url = http://example.com/%{U}/
+-
+-# This option allows you to specify a URL location where a client can
+-# post using MS-KKDCP, and the message will be forwarded to the provided
+-# KDC server. That is a translation URL between HTTP and Kerberos.
+-# In MIT kerberos you'll need to add in realms:
+-#   EXAMPLE.COM = {
+-#     kdc = https://ocserv.example.com/KdcProxy
+-#     http_anchors = FILE:/etc/ocserv-ca.pem
+-#   }
+-# In some distributions the krb5-k5tls plugin of kinit is required.
+-#
+-# The following option is available in ocserv, when compiled with GSSAPI support. 
+-
+-#kkdcp = "SERVER-PATH KERBEROS-REALM PROTOCOL@SERVER:PORT"
+-#kkdcp = "/KdcProxy KERBEROS.REALM udp@127.0.0.1:88"
+-#kkdcp = "/KdcProxy KERBEROS.REALM tcp@127.0.0.1:88"
+-#kkdcp = "/KdcProxy KERBEROS.REALM tcp@[::1]:88"
+ 
+ #
+ # The following options are for (experimental) AnyConnect client 
--- a/net/ocserv/patches/patch-src_Makefile_in
+++ b/net/ocserv/patches/patch-src_Makefile_in
@ -0,0 +1,23 @@
+$OpenBSD: patch-src_Makefile_in,v 1.1 2016/11/19 15:35:09 sthen Exp $
+--- src/Makefile.in.orig	Mon Nov 14 19:20:01 2016
+++ src/Makefile.in	Fri Nov 18 05:05:52 2016
+@@ -1694,18 +1694,7 @@ uninstall-am: uninstall-binSCRIPTS uninstall-sbinPROGR
+ 
+ 
+ ocserv-args.c: $(srcdir)/ocserv-args.def $(builddir)/version.inc
+-	if test "$(AUTOGEN)" = ":";then \
+-		rm -f $(builddir)/ocserv-args.c; \
+-		rm -f $(builddir)/ocserv-args.h; \
+-		cp $(srcdir)/autogen/ocserv-args.c $(builddir)/; \
+-		cp $(srcdir)/autogen/ocserv-args.h $(builddir)/; \
+-	else \
+-		$(AUTOGEN) $<; \
+-		if test -d $(srcdir)/autogen;then \
+-			cp $(builddir)/ocserv-args.c $(srcdir)/autogen; \
+-			cp $(builddir)/ocserv-args.h $(srcdir)/autogen; \
+-		fi; \
+-	fi
+	$(AUTOGEN) $<
+ ocserv-args.h: ocserv-args.c
+ 
+ ipc.pb-c.c: ipc.proto
--- a/net/ocserv/patches/patch-src_ocpasswd_Makefile_in
+++ b/net/ocserv/patches/patch-src_ocpasswd_Makefile_in
@ -0,0 +1,23 @@
+$OpenBSD: patch-src_ocpasswd_Makefile_in,v 1.1 2016/11/19 15:35:09 sthen Exp $
+--- src/ocpasswd/Makefile.in.orig	Mon Nov 14 19:21:09 2016
+++ src/ocpasswd/Makefile.in	Fri Nov 18 05:06:17 2016
+@@ -1277,18 +1277,7 @@ uninstall-am: uninstall-binPROGRAMS
+ 
+ 
+ args.c: $(srcdir)/args.def $(builddir)/../version.inc
+-	if test "$(AUTOGEN)" = ":";then \
+-		rm -f $(builddir)/args.c; \
+-		rm -f $(builddir)/args.h; \
+-		cp $(srcdir)/../autogen/ocpasswd-args.c $(builddir)/args.c; \
+-		cp $(srcdir)/../autogen/ocpasswd-args.h $(builddir)/args.h; \
+-	else \
+-		$(AUTOGEN) $<; \
+-		if test -d $(srcdir)/autogen;then \
+-			cp $(builddir)/args.c $(srcdir)/../autogen/ocpasswd-args.c; \
+-			cp $(builddir)/args.h $(srcdir)/../autogen/ocpasswd-args.h; \
+-		fi; \
+-	fi
+	$(AUTOGEN) $<
+ args.h: args.c
+ 
+ # Tell versions [3.59,3.63) of GNU make to not export all variables.