authorMatthias Andree <mandree@FreeBSD.org>2020-04-25 14:38:20 +0000
committerMatthias Andree <mandree@FreeBSD.org>2020-04-25 14:38:20 +0000
commit804b0f94b784e98c6bde97ffbae26cdeb1716ff6 (patch)
tree09b5f6e49a5be636c6eba8fbcc5a02d45c54986f /net/ocserv/files
parent7f4c09ca636917b91dd9038d4574616446cac476 (diff)
Diffstat (limited to 'net/ocserv/files')
-rw-r--r--net/ocserv/files/ocserv.conf14
-rw-r--r--net/ocserv/files/patch-configure.ac4
-rw-r--r--net/ocserv/files/patch-doc_sample.config16
-rw-r--r--net/ocserv/files/patch-src_config.c11
-rw-r--r--net/ocserv/files/patch-src_tun.c25
-rw-r--r--net/ocserv/files/patch-src_tun.h9
-rw-r--r--net/ocserv/files/patch-src_worker-auth.c14
7 files changed, 22 insertions, 71 deletions
diff --git a/net/ocserv/files/ocserv.conf b/net/ocserv/files/ocserv.conf
index cf0f1eebd140..39c3a303bad1 100644
--- a/net/ocserv/files/ocserv.conf
+++ b/net/ocserv/files/ocserv.conf
@@ -26,7 +26,7 @@
# One entry must be listed per line, and 'ocpasswd' should be used
# to generate password entries. The 'otp' suboption allows one to specify
# an oath password file to be used for one time passwords; the format of
-# the file is described in https://code.google.com/p/mod-authn-otp/wiki/UsersFile
+# the file is described in https://github.com/archiecobbs/mod-authn-otp/wiki/UsersFile
#
# radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true,nas-identifier=name]:
# The radius option requires specifying freeradius-client configuration
@@ -77,6 +77,10 @@ auth = "plain[passwd=./sample.passwd]"
# hostname.
#listen-host = [IP|HOSTNAME]
+# Use udp-listen-host to limit udp to specific IPs or to the IPs of a provided
+# hostname. if not set, listen-host will be used
+#udp-listen-host = [IP|HOSTNAME]
+
# When the server has a dynamic DNS address (that may change),
# should set that to true to ask the client to resolve again on
# reconnects.
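Review bot: The new comment for udp-listen-host starts its second sentence in lower case and has no terminating period, which reads as an unfinished thought in a file administrators copy verbatim; `# hostname. If not set, listen-host will be used.` fixes both. It would also help to say that the fallback is the listening address, not the port, since udp-port is configured separately elsewhere in this file — only if that matches the 1.0.1 behaviour, which the hunk does not show.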
@@ -171,6 +175,9 @@ ca-cert = ../tests/certs/ca.pem
### operation. If the server key changes on reload, there may be connection
### failures during the reloading time.
+# ocserv 1.0.1 on FreeBSD does not currently support process isolation,
+# because ocserv only supports Linux's seccomp system, but not capsicum(4).
+#isolate-workers = false
# A banner to be displayed on clients
#banner = "Welcome"
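Review bot: The new isolate-workers comment explains why worker isolation is unavailable on FreeBSD but not what happens if an administrator hardening the service uncomments it and sets it to true — whether ocserv refuses to start or silently runs without the sandbox — and the commented-out `#isolate-workers = false` line does not say whether that is also the effective default when the line is absent. Adding one sentence on the observed behaviour, confirmed against the 1.0.1 sources, would close that gap; the upstream text this port patch drops (visible in patch-doc_sample.config) did describe the option as settable, so the question will come up. The same text is added to patch-doc_sample.config, so the wording should be fixed in both places. The comment also hard-codes "ocserv 1.0.1", which will go stale on the next port update; `# ocserv on FreeBSD does not currently support process isolation (seccomp only, no capsicum(4)).` carries the same information without a version to maintain.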
@@ -391,7 +398,8 @@ rekey-method = ssl
# client), OCSERV_NO_ROUTES, OCSERV_DNS (the DNS servers for this client),
# will contain a space separated list of routes or DNS servers. A version
# of these variables with the 4 or 6 suffix will contain only the IPv4 or
-# IPv6 values.
+# IPv6 values. The connect script must return zero as exit code, or the
+# client connection will be refused.
# The disconnect script will receive the additional values: STATS_BYTES_IN,
# STATS_BYTES_OUT, STATS_DURATION that contain a 64-bit counter of the bytes
@@ -566,7 +574,7 @@ no-route = 192.168.5.0/255.255.255.0
# keepalive, dpd, mobile-dpd, max-same-clients, tunnel-all-dns,
# restrict-user-to-routes, user-profile, cgroup, stats-report-time,
# mtu, idle-timeout, mobile-idle-timeout, restrict-user-to-ports,
-# and session-timeout.
+# split-dns and session-timeout.
#
# Note that the 'iroute' option allows one to add routes on the server
# based on a user or group. The syntax depends on the input accepted
diff --git a/net/ocserv/files/patch-configure.ac b/net/ocserv/files/patch-configure.ac
index 08394c7146c5..d7a63c6cb88f 100644
--- a/net/ocserv/files/patch-configure.ac
+++ b/net/ocserv/files/patch-configure.ac
@@ -1,4 +1,4 @@
---- configure.ac.orig 2018-04-22 08:43:20 UTC
+--- configure.ac.orig 2020-04-09 21:07:12 UTC
+++ configure.ac
@@ -15,7 +15,7 @@ AM_PROG_AR
AM_PROG_CC_C_O
@@ -9,7 +9,7 @@
fi
AC_PATH_PROG(CTAGS, ctags, [:])
AC_PATH_PROG(CSCOPE, cscope, [:])
-@@ -168,7 +168,7 @@ if test "$test_for_geoip" = yes;then
+@@ -199,7 +199,7 @@ if test "$test_for_geoip" = yes && test "$have_maxmind
fi
have_readline=no
diff --git a/net/ocserv/files/patch-doc_sample.config b/net/ocserv/files/patch-doc_sample.config
index c511b6163590..9793353efa4b 100644
--- a/net/ocserv/files/patch-doc_sample.config
+++ b/net/ocserv/files/patch-doc_sample.config
@@ -1,4 +1,4 @@
---- doc/sample.config.orig 2018-04-15 19:13:39 UTC
+--- doc/sample.config.orig 2020-04-09 20:56:20 UTC
+++ doc/sample.config
@@ -19,7 +19,7 @@
# This enabled PAM authentication of the user. The gid-min option is used
@@ -9,7 +9,7 @@
# The plain option requires specifying a password file which contains
# entries of the following format.
# "username:groupname1,groupname2:encoded-password"
-@@ -102,8 +102,8 @@ udp-port = 443
+@@ -106,8 +106,8 @@ udp-port = 443
# The user the worker processes will be run as. It should be
# unique (no other services run as this user).
@@ -20,7 +20,7 @@
# socket file used for IPC with occtl. You only need to set that,
# if you use more than a single servers.
-@@ -172,16 +172,6 @@ ca-cert = ../tests/certs/ca.pem
+@@ -176,15 +176,9 @@ ca-cert = ../tests/certs/ca.pem
### failures during the reloading time.
@@ -33,11 +33,13 @@
-# disabling that option and report the failures you, along with system and debugging
-# information at: https://gitlab.com/ocserv/ocserv/issues
-isolate-workers = true
--
++# ocserv 1.0.1 on FreeBSD does not currently support process isolation,
++# because ocserv only supports Linux's seccomp system, but not capsicum(4).
++#isolate-workers = false
+
# A banner to be displayed on clients
#banner = "Welcome"
-
-@@ -530,15 +520,15 @@ no-route = 192.168.5.0/255.255.255.0
+@@ -535,15 +529,15 @@ no-route = 192.168.5.0/255.255.255.0
# Note the that following two firewalling options currently are available
# in Linux systems with iptables software.
@@ -56,7 +58,7 @@
# access specific ports in the network. This option can be set globally
# or in the per-user configuration.
#restrict-user-to-ports = "tcp(443), tcp(80), udp(443), sctp(99), tcp(583), icmp(), icmpv6()"
-@@ -586,13 +576,13 @@ no-route = 192.168.5.0/255.255.255.0
+@@ -591,13 +585,13 @@ no-route = 192.168.5.0/255.255.255.0
# hostname to override any proposed by the user. Note also, that, any
# routes, no-routes, DNS or NBNS servers present will overwrite the global ones.
diff --git a/net/ocserv/files/patch-src_config.c b/net/ocserv/files/patch-src_config.c
deleted file mode 100644
index 46cdb1798c5b..000000000000
--- a/net/ocserv/files/patch-src_config.c
+++ /dev/null
@@ -1,11 +0,0 @@
---- src/config.c.orig 2018-04-15 19:13:39 UTC
-+++ src/config.c
-@@ -57,7 +57,7 @@
- #include <getopt.h>
-
- #define OLD_DEFAULT_CFG_FILE "/etc/ocserv.conf"
--#define DEFAULT_CFG_FILE "/etc/ocserv/ocserv.conf"
-+#define DEFAULT_CFG_FILE "/usr/local/etc/ocserv/conf"
-
- static void print_version(void);
-
diff --git a/net/ocserv/files/patch-src_tun.c b/net/ocserv/files/patch-src_tun.c
deleted file mode 100644
index 6fe5ed5e6246..000000000000
--- a/net/ocserv/files/patch-src_tun.c
+++ /dev/null
@@ -1,25 +0,0 @@
---- src/tun.c.orig 2018-04-14 07:52:35 UTC
-+++ src/tun.c
-@@ -895,3 +895,22 @@ ssize_t tun_read(int sockfd, void *buf, size_t len)
- return read(sockfd, buf, len);
- }
- #endif
-+
-+#ifndef __FreeBSD__
-+int tun_claim(int sockfd)
-+{
-+
-+ return (0);
-+}
-+#else
-+/*
-+ * FreeBSD has a mechanism by which a tunnel has a single controlling process,
-+ * and only that one process may close it. When the controlling process closes
-+ * the tunnel, the state is torn down.
-+ */
-+int tun_claim(int sockfd)
-+{
-+
-+ return (ioctl(sockfd, TUNSIFPID, 0));
-+}
-+#endif /* !__FreeBSD__ */
diff --git a/net/ocserv/files/patch-src_tun.h b/net/ocserv/files/patch-src_tun.h
deleted file mode 100644
index 0311177f3f78..000000000000
--- a/net/ocserv/files/patch-src_tun.h
+++ /dev/null
@@ -1,9 +0,0 @@
---- src/tun.h.orig 2018-01-13 18:43:41 UTC
-+++ src/tun.h
-@@ -35,5 +35,6 @@ struct tun_lease_st {
-
- ssize_t tun_write(int sockfd, const void *buf, size_t len);
- ssize_t tun_read(int sockfd, void *buf, size_t len);
-+int tun_claim(int sockfd);
-
- #endif
diff --git a/net/ocserv/files/patch-src_worker-auth.c b/net/ocserv/files/patch-src_worker-auth.c
deleted file mode 100644
index f7e01eeed392..000000000000
--- a/net/ocserv/files/patch-src_worker-auth.c
+++ /dev/null
@@ -1,14 +0,0 @@
---- src/worker-auth.c.orig 2019-01-19 18:47:47 UTC
-+++ src/worker-auth.c
-@@ -605,7 +605,10 @@ static int recv_cookie_auth_reply(worker_st * ws)
- case AUTH__REP__OK:
- if (socketfd != -1) {
- ws->tun_fd = socketfd;
--
-+ if (tun_claim(ws->tun_fd) != 0) {
-+ ret = ERR_AUTH_FAIL;
-+ goto cleanup;
-+ }
- if (msg->vname == NULL || msg->config == NULL || msg->user_name == NULL || msg->sid.len != sizeof(ws->sid)) {
- ret = ERR_AUTH_FAIL;
- goto cleanup;