update to ocserv-0.10.9

sthen 2015-10-09 14:47:40 +00:00
parent 157f9bf6cb
commit f60619de23
3 changed files with 34 additions and 27 deletions


@ -1,8 +1,8 @@
# $OpenBSD: Makefile,v 1.8 2015/09/04 21:05:55 sthen Exp $
# $OpenBSD: Makefile,v 1.9 2015/10/09 14:47:40 sthen Exp $
COMMENT= server implementing the AnyConnect SSL VPN protocol
DISTNAME= ocserv-0.10.8
DISTNAME= ocserv-0.10.9
EXTRACT_SUFX= .tar.xz
CATEGORIES= net
@ -14,7 +14,7 @@ MAINTAINER= Stuart Henderson <sthen@openbsd.org>
# GPLv2+
PERMIT_PACKAGE_CDROM= Yes
WANTLIB += c gnutls lz4 ncurses pam protobuf-c pthread readline talloc
WANTLIB += c gnutls lz4 ncurses oath pam protobuf-c pthread readline talloc
MASTER_SITES= ftp://ftp.infradead.org/pub/ocserv/
@ -23,6 +23,7 @@ LIB_DEPENDS= archivers/lz4 \
devel/protobuf-c \
devel/libtalloc \
security/gnutls \
security/oath-toolkit \
security/openpam
CONFIGURE_STYLE= autoconf
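Review bot: `MASTER_SITES= ftp://ftp.infradead.org/pub/ocserv/` stays on plain FTP while DISTNAME moves to ocserv-0.10.9, so the new tarball is fetched over an unauthenticated channel and the SHA256 recorded in distinfo is the only integrity check a builder gets. That check is only as good as the copy the hash was computed from, and the commit does not say whether the 0.10.9 tarball was compared against an upstream signature before distinfo was regenerated. If upstream offers the same files over an authenticated transport, point MASTER_SITES at it; otherwise a comment above the line such as `# plain ftp: integrity rests on distinfo, verify upstream signature when updating` would record the expectation for the next update.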


@ -1,2 +1,2 @@
SHA256 (ocserv-0.10.8.tar.xz) = r5ifJ1hdNWciH/xAuruzg7zQymh55Su83uasOpBghFQ=
SIZE (ocserv-0.10.8.tar.xz) = 714404
SHA256 (ocserv-0.10.9.tar.xz) = ltDqIugRpw5GVh/+KcTmscwBTuJNNTwDZ8py7c7fUzw=
SIZE (ocserv-0.10.9.tar.xz) = 718004


@ -1,10 +1,10 @@
$OpenBSD: patch-doc_sample_config,v 1.6 2015/09/04 21:05:55 sthen Exp $
$OpenBSD: patch-doc_sample_config,v 1.7 2015/10/09 14:47:40 sthen Exp $
no freeradius-client in ports yet (also disabled in autoconf)
no seccomp, gssapi
--- doc/sample.config.orig Mon Aug 31 20:19:45 2015
+++ doc/sample.config Fri Sep 4 22:01:20 2015
--- doc/sample.config.orig Sun Sep 27 07:32:39 2015
+++ doc/sample.config Fri Oct 9 15:45:23 2015
@@ -1,7 +1,7 @@
# User authentication method. Could be set multiple times and in
# that case all should succeed. To enable multiple methods use
@ -14,10 +14,11 @@ no seccomp, gssapi
#
# Note that authentication methods cannot be changed with reload.
@@ -19,42 +19,17 @@
# One entry must be listed per line, and 'ocpasswd' should be used
# to generate password entries.
#
@@ -20,47 +20,26 @@
# to generate password entries. The 'otp' suboption allows to specify
# an oath password file to be used for one time passwords; the format of
# the file is described in https://code.google.com/p/mod-authn-otp/wiki/UsersFile
-#
-# radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true,nas-identifier=name,override-interim-updates=false]:
-# The radius option requires specifying freeradius-client configuration
-# file. If the groupconfig option is set, then config-per-user will be overriden,
@ -35,6 +36,7 @@ no seccomp, gssapi
#auth = "pam"
#auth = "pam[gid-min=1000]"
#auth = "plain[passwd=./sample.passwd,otp=./sample.otp]"
auth = "plain[passwd=./sample.passwd]"
#auth = "certificate"
-#auth = "radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true]"
@ -46,18 +48,22 @@ no seccomp, gssapi
-#enable-auth = "gssapi"
-#enable-auth = "gssapi[keytab=/etc/key.tab,require-local-user-map=true,tgt-freshness-time=900]"
-# Accounting methods available:
# Accounting methods available:
-# radius: can be combined with any authentication method, it provides
-# radius accounting to available users (see also stats-report-time).
-#
-# Only one accounting method can be specified.
-#acct = "pam"
# pam: can be combined with any authentication method, it provides
# a validation of the connecting user's name using PAM. It is
# superfluous to use this method when authentication is already
# PAM.
#
# Only one accounting method can be specified.
-#acct = "radius[config=/etc/radiusclient/radiusclient.conf]"
-
+#acct = "pam"
# Use listen-host to limit to specific IPs or to the IPs of a provided
# hostname.
#listen-host = [IP|HOSTNAME]
@@ -76,8 +51,8 @@ udp-port = 443
@@ -83,8 +62,8 @@ udp-port = 443
# The user the worker processes will be run as. It should be
# unique (no other services run as this user).
@ -68,7 +74,7 @@ no seccomp, gssapi
# socket file used for IPC with occtl. You only need to set that,
# if you use more than a single servers.
@@ -86,7 +61,7 @@ run-as-group = daemon
@@ -93,7 +72,7 @@ run-as-group = daemon
# socket file used for server IPC (worker-main), will be appended with .PID
# It must be accessible within the chroot environment (if any), so it is best
# specified relatively to the chroot directory.
@ -77,7 +83,7 @@ no seccomp, gssapi
# The default server directory. Does not require any devices present.
#chroot-dir = /path/to/chroot
@@ -101,8 +76,8 @@ socket-file = /var/run/ocserv-socket
@@ -108,8 +87,8 @@ socket-file = /var/run/ocserv-socket
#
# There may be multiple server-cert and server-key directives,
# but each key should correspond to the preceding certificate.
@ -88,7 +94,7 @@ no seccomp, gssapi
# Diffie-Hellman parameters. Only needed if you require support
# for the DHE ciphersuites (by default this server supports ECDHE).
@@ -128,18 +103,12 @@ server-key = ../tests/server-key.pem
@@ -135,18 +114,12 @@ server-key = ../tests/server-key.pem
# The Certificate Authority that will be used to verify
# client certificates (public keys) if certificate authentication
# is set.
@ -108,7 +114,7 @@ no seccomp, gssapi
# A banner to be displayed on clients
#banner = "Welcome"
@@ -168,8 +137,7 @@ max-same-clients = 2
@@ -175,8 +148,7 @@ max-same-clients = 2
# Stats report time. The number of seconds after which each
# worker process will report its usage statistics (number of
@ -118,7 +124,7 @@ no seccomp, gssapi
#stats-report-time = 360
# Keepalive in seconds
@@ -267,9 +235,8 @@ min-reauth-time = 300
@@ -276,9 +248,8 @@ min-reauth-time = 300
# Banning clients in ocserv works with a point system. IP addresses
# that get a score over that configured number are banned for
# min-reauth-time seconds. By default a wrong password attempt is 10 points,
@ -130,7 +136,7 @@ no seccomp, gssapi
#
# Score banning cannot be reliably used when receiving proxied connections
# locally from an HTTP server (i.e., when listen-clear-file is used).
@@ -283,7 +250,6 @@ ban-reset-time = 300
@@ -292,7 +263,6 @@ ban-reset-time = 300
# In case you'd like to change the default points.
#ban-points-wrong-password = 10
#ban-points-connection = 1
@ -138,7 +144,7 @@ no seccomp, gssapi
# Cookie timeout (in seconds)
# Once a client is authenticated he's provided a cookie with
@@ -345,7 +311,7 @@ rekey-method = ssl
@@ -354,7 +324,7 @@ rekey-method = ssl
use-occtl = true
# PID file. It can be overriden in the command line.
@ -147,7 +153,7 @@ no seccomp, gssapi
# Set the protocol-defined priority (SO_PRIORITY) for packets to
# be sent. That is a number from 0 to 6 with 0 being the lowest
@@ -373,7 +339,7 @@ predictable-ips = true
@@ -382,7 +352,7 @@ predictable-ips = true
default-domain = example.com
# The pool of addresses that leases will be given from. If the leases
@ -156,7 +162,7 @@ no seccomp, gssapi
# these network values should contain a network with at least a single
# address that will remain under the full control of ocserv (that is
# to be able to assign the local part of the tun device address).
@@ -486,20 +452,6 @@ no-route = 192.168.5.0/255.255.255.0
@@ -498,20 +468,6 @@ no-route = 192.168.5.0/255.255.255.0
# and '%{G}', if present will be replaced by the username and group name.
#proxy-url = http://example.com/
#proxy-url = http://example.com/%{U}/