diff --git a/net/ocserv/Makefile b/net/ocserv/Makefile
index f4b7cfe37f1..006ca4e9834 100644
--- a/net/ocserv/Makefile
+++ b/net/ocserv/Makefile
@@ -1,8 +1,10 @@
-# $OpenBSD: Makefile,v 1.20 2016/09/23 09:00:11 sthen Exp $
+# $OpenBSD: Makefile,v 1.21 2016/11/19 15:35:09 sthen Exp $
+
+# XXX for 0.11.7 update, check both with+without autogen
 COMMENT= server implementing the AnyConnect SSL VPN protocol
-DISTNAME= ocserv-0.11.5
+DISTNAME= ocserv-0.11.6
 EXTRACT_SUFX= .tar.xz
 CATEGORIES= net
diff --git a/net/ocserv/distinfo b/net/ocserv/distinfo
index 4d469f528f7..b7913673aa8 100644
--- a/net/ocserv/distinfo
+++ b/net/ocserv/distinfo
@@ -1,2 +1,2 @@
-SHA256 (ocserv-0.11.5.tar.xz) = KoDjLlOARPundF/SoM+qJ6OYCX+41NaEwRQhGLaSGcs=
-SIZE (ocserv-0.11.5.tar.xz) = 758252
+SHA256 (ocserv-0.11.6.tar.xz) = k3x61AGYOpGDzsWXav15zhr1snk9xxiF0qTs2wQ71Iw=
+SIZE (ocserv-0.11.6.tar.xz) = 762492
diff --git a/net/ocserv/patches/patch-doc_sample_config b/net/ocserv/patches/patch-doc_sample_config
index d3a5dd89579..65318228c81 100644
--- a/net/ocserv/patches/patch-doc_sample_config
+++ b/net/ocserv/patches/patch-doc_sample_config
@@ -1,9 +1,9 @@
-$OpenBSD: patch-doc_sample_config,v 1.14 2016/09/23 09:00:11 sthen Exp $
+$OpenBSD: patch-doc_sample_config,v 1.15 2016/11/19 15:35:09 sthen Exp $
 no seccomp, gssapi
---- doc/sample.config.orig Fri Sep 23 09:58:11 2016
-+++ doc/sample.config Fri Sep 23 09:58:11 2016
+--- doc/sample.config.orig Tue Nov 15 06:44:28 2016
++++ doc/sample.config Tue Nov 15 06:47:49 2016
 @@ -1,7 +1,7 @@
 # User authentication method. Could be set multiple times and in
 # that case all should succeed. To enable multiple methods use 
@@ -13,11 +13,10 @@ no seccomp, gssapi
 #
 # Note that authentication methods cannot be changed with reload.
-@@ -26,15 +26,6 @@
- # file. If the groupconfig option is set, then config-per-user/group will be overriden,
- # and all configuration will be read from radius. The 'override-interim-updates' if set to
- # true will ignore Acct-Interim-Interval from the server and 'stats-report-time' will be considered.
--#
+@@ -29,14 +29,6 @@
+ #
+ # See doc/README-radius.md for the supported radius configuration atributes.
+ #
 -# gssapi[keytab=/etc/key.tab,require-local-user-map=true,tgt-freshness-time=900]
 -# The gssapi option allows to use authentication methods supported by GSSAPI,
 -# such as Kerberos tickets with ocserv. It should be best used as an alternative
@@ -29,7 +28,7 @@ no seccomp, gssapi
 #auth = "pam"
 #auth = "pam[gid-min=1000]"
-@@ -47,8 +38,6 @@ auth = "plain[passwd=./sample.passwd]"
+@@ -49,8 +41,6 @@ auth = "plain[passwd=./sample.passwd]"
 # for authentication. That is, if set, any of the methods enabled
 # will be sufficient to login.
 #enable-auth = "certificate"
@@ -38,7 +37,7 @@ no seccomp, gssapi
 # Accounting methods available:
 # radius: can be combined with any authentication method, it provides
-@@ -83,8 +72,8 @@ udp-port = 443
+@@ -85,8 +75,8 @@ udp-port = 443
 # The user the worker processes will be run as. It should be
 # unique (no other services run as this user).
@@ -49,7 +48,7 @@ no seccomp, gssapi
 # socket file used for IPC with occtl. You only need to set that,
 # if you use more than a single servers.
-@@ -93,7 +82,7 @@ run-as-group = daemon
+@@ -95,7 +85,7 @@ run-as-group = daemon
 # socket file used for server IPC (worker-main), will be appended with .PID
 # It must be accessible within the chroot environment (if any), so it is best
 # specified relatively to the chroot directory. 
@@ -58,7 +57,7 @@ no seccomp, gssapi
 # The default server directory. Does not require any devices present.
 #chroot-dir = /path/to/chroot
-@@ -147,16 +136,6 @@ ca-cert = ../tests/certs/ca.pem
+@@ -149,16 +139,6 @@ ca-cert = ../tests/certs/ca.pem
 ### failures during the reloading time.
@@ -75,7 +74,7 @@ no seccomp, gssapi
 # A banner to be displayed on clients
 #banner = "Welcome"
-@@ -290,9 +269,8 @@ min-reauth-time = 300
+@@ -292,9 +272,8 @@ min-reauth-time = 300
 # Banning clients in ocserv works with a point system. IP addresses
 # that get a score over that configured number are banned for
 # min-reauth-time seconds. By default a wrong password attempt is 10 points,
@@ -87,7 +86,7 @@ no seccomp, gssapi
 #
 # Score banning cannot be reliably used when receiving proxied connections
 # locally from an HTTP server (i.e., when listen-clear-file is used).
-@@ -306,7 +284,6 @@ ban-reset-time = 300
+@@ -308,7 +287,6 @@ ban-reset-time = 300
 # In case you'd like to change the default points.
 #ban-points-wrong-password = 10
 #ban-points-connection = 1
@@ -95,7 +94,7 @@ no seccomp, gssapi
 # Cookie timeout (in seconds)
 # Once a client is authenticated he's provided a cookie with
-@@ -373,7 +350,7 @@ rekey-method = ssl
+@@ -375,7 +353,7 @@ rekey-method = ssl
 use-occtl = true
 # PID file. It can be overriden in the command line.
@@ -104,7 +103,7 @@ no seccomp, gssapi
 # Set the protocol-defined priority (SO_PRIORITY) for packets to
 # be sent. That is a number from 0 to 6 with 0 being the lowest
-@@ -488,6 +465,11 @@ no-route = 192.168.5.0/255.255.255.0
+@@ -490,6 +468,11 @@ no-route = 192.168.5.0/255.255.255.0
 # any other routes. In case of defaultroute, the no-routes are restricted.
 # All the routes applied by ocserv can be reverted using /etc/ocserv/ocserv-fw
 # --removeall. This option can be set globally or in the per-user configuration. 
@@ -116,3 +115,27 @@ no seccomp, gssapi
 #restrict-user-to-routes = true
 # This option implies restrict-user-to-routes set to true. If set, the
+@@ -562,23 +545,6 @@ no-route = 192.168.5.0/255.255.255.0
+ # and '%{G}', if present will be replaced by the username and group name.
+ #proxy-url = http://example.com/
+ #proxy-url = http://example.com/%{U}/
+-
+-# This option allows you to specify a URL location where a client can
+-# post using MS-KKDCP, and the message will be forwarded to the provided
+-# KDC server. That is a translation URL between HTTP and Kerberos.
+-# In MIT kerberos you'll need to add in realms:
+-# EXAMPLE.COM = {
+-# kdc = https://ocserv.example.com/KdcProxy
+-# http_anchors = FILE:/etc/ocserv-ca.pem
+-# }
+-# In some distributions the krb5-k5tls plugin of kinit is required.
+-#
+-# The following option is available in ocserv, when compiled with GSSAPI support.
+-
+-#kkdcp = "SERVER-PATH KERBEROS-REALM PROTOCOL@SERVER:PORT"
+-#kkdcp = "/KdcProxy KERBEROS.REALM udp@127.0.0.1:88"
+-#kkdcp = "/KdcProxy KERBEROS.REALM tcp@127.0.0.1:88"
+-#kkdcp = "/KdcProxy KERBEROS.REALM tcp@[::1]:88"
+
+ #
+ # The following options are for (experimental) AnyConnect client
diff --git a/net/ocserv/patches/patch-src_Makefile_in b/net/ocserv/patches/patch-src_Makefile_in
new file mode 100644
index 00000000000..22684789419
--- /dev/null
+++ b/net/ocserv/patches/patch-src_Makefile_in
@@ -0,0 +1,23 @@
+$OpenBSD: patch-src_Makefile_in,v 1.1 2016/11/19 15:35:09 sthen Exp $
+--- src/Makefile.in.orig Mon Nov 14 19:20:01 2016
++++ src/Makefile.in Fri Nov 18 05:05:52 2016
+@@ -1694,18 +1694,7 @@ uninstall-am: uninstall-binSCRIPTS uninstall-sbinPROGR
+
+
+ ocserv-args.c: $(srcdir)/ocserv-args.def $(builddir)/version.inc
+- if test "$(AUTOGEN)" = ":";then \
+- rm -f $(builddir)/ocserv-args.c; \
+- rm -f $(builddir)/ocserv-args.h; \
+- cp $(srcdir)/autogen/ocserv-args.c $(builddir)/; \
+- cp $(srcdir)/autogen/ocserv-args.h $(builddir)/; \
+- else \
+- $(AUTOGEN) $<; \
+- if test -d $(srcdir)/autogen;then \
+- cp $(builddir)/ocserv-args.c $(srcdir)/autogen; \
+- cp $(builddir)/ocserv-args.h $(srcdir)/autogen; \
+- fi; \
+- fi
++ $(AUTOGEN) $<
+ ocserv-args.h: ocserv-args.c
+
+ ipc.pb-c.c: ipc.proto
diff --git a/net/ocserv/patches/patch-src_ocpasswd_Makefile_in b/net/ocserv/patches/patch-src_ocpasswd_Makefile_in
new file mode 100644
index 00000000000..57c1ec4587e
--- /dev/null
+++ b/net/ocserv/patches/patch-src_ocpasswd_Makefile_in
@@ -0,0 +1,23 @@
+$OpenBSD: patch-src_ocpasswd_Makefile_in,v 1.1 2016/11/19 15:35:09 sthen Exp $
+--- src/ocpasswd/Makefile.in.orig Mon Nov 14 19:21:09 2016
++++ src/ocpasswd/Makefile.in Fri Nov 18 05:06:17 2016
+@@ -1277,18 +1277,7 @@ uninstall-am: uninstall-binPROGRAMS
+
+
+ args.c: $(srcdir)/args.def $(builddir)/../version.inc
+- if test "$(AUTOGEN)" = ":";then \
+- rm -f $(builddir)/args.c;
+- rm -f $(builddir)/args.h; \
+- cp $(srcdir)/../autogen/ocpasswd-args.c $(builddir)/args.c; \
+- cp $(srcdir)/../autogen/ocpasswd-args.h $(builddir)/args.h; \
+- else \
+- $(AUTOGEN) $<; \
+- if test -d $(srcdir)/autogen;then \
+- cp $(builddir)/args.c $(srcdir)/../autogen/ocpasswd-args.c; \
+- cp $(builddir)/args.h $(srcdir)/../autogen/ocpasswd-args.h; \
+- fi; \
+- fi
++ $(AUTOGEN) $<
+ args.h: args.c
+
+ # Tell versions [3.59,3.63) of GNU make to not export all variables.
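Review bot: The replacement recipe `$(AUTOGEN) $<` in the ocserv-args.c rule drops the `test "$(AUTOGEN)" = ":"` fallback, so if configure ever leaves AUTOGEN as `:` (the case the removed branch handled by copying the pre-generated files from `$(srcdir)/autogen`), the recipe degenerates to `: $(srcdir)/ocserv-args.def …`, exits 0, and ocserv-args.c is never written — the failure presumably only surfaces later when the missing source is compiled, far from its cause. The same applies to the args.c rule in the new patch-src_ocpasswd_Makefile_in below. If the port guarantees autogen at build time (not visible in this diff; the Makefile's new `XXX … check both with+without autogen` comment suggests this was already on the committer's mind), a one-line rationale after the `$OpenBSD$` line in both patch headers would save the next updater re-deriving it, e.g. `always regenerate with autogen; don't use or copy back the pre-generated files in $(srcdir)/autogen`. Otherwise the rule could fail loudly with a first recipe line such as `test "$(AUTOGEN)" != ":" || { echo "autogen is required to build ocserv-args.c" >&2; exit 1; }` so a misconfigured build stops at this rule instead of silently producing nothing.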