From: Renaud Allard Subject: [security] net/ocserv 1.4.1 To: ports Date: Tue, 3 Mar 2026 08:49:54 +0100 Hello, Here is a security update for net/ocserv [SECURITY] Fixed authentication bypass (medium severity) when using certificate authentication with cert-user-oid set to SAN(rfc822name): a client presenting a valid CA-signed certificate without the expected RFC822 SAN field could authenticate using password credentials alone, bypassing the intended certificate-to-username binding. Requires the attacker to possess both a valid CA-signed certificate and valid user credentials (#694) The bundled inih was updated to r62. The bundled protobuf-c was updated to 1.5.2. Fixed a bug where session timeout could be bypassed by reconnecting (e.g., closing/opening laptop lid) (#599) occtl: show user command now includes a Session started at: field, indicating when the VPN session was established occtl: Fix column misalignment in ban command outputs occtl: Fix show ip bans may produce invalid JSON (#683) Handle dotted client hostnames (e.g., .local) by stripping the domain suffix Renamed min-reauth-time configuration option to ban-time to better reflect its purpose (#676). This option defines the duration (in seconds) for which an IP address is banned after exceeding the maximum allowed max-ban-score. Default is 300 seconds (5 minutes). Fixed ocserv-worker process title Fixed ignored udp-port in vhost (#612) Tested on amd64 Best Regards ? patches/patch-src_valid-hostname_c
Index: Makefile
===================================================================
RCS file: /cvs/ports/net/ocserv/Makefile,v
diff -u -p -r1.63 Makefile
--- Makefile 23 Jan 2026 08:27:41 -0000 1.63
+++ Makefile 3 Mar 2026 07:47:47 -0000
@@ -1,6 +1,6 @@ COMMENT= server implementing the AnyConnect SSL VPN protocol
-VERSION = 1.4.0
+VERSION = 1.4.1
DISTNAME= ocserv-${VERSION} EXTRACT_SUFX= .tar.gz
Index: distinfo
===================================================================
RCS file: /cvs/ports/net/ocserv/distinfo,v
diff -u -p -r1.38 distinfo
--- distinfo 23 Jan 2026 08:27:41 -0000 1.38
+++ distinfo 3 Mar 2026 07:47:47 -0000
@@ -1,2 +1,2 @@
-SHA256 (ocserv-1.4.0.tar.gz) = aNMiF/MK9GC1M1i5naYrF0eQ2Lf/8uU+Fk3s7OkHeMI=
-SIZE (ocserv-1.4.0.tar.gz) = 613326
+SHA256 (ocserv-1.4.1.tar.gz) = FLFliq3LxCVXOw43oqYcDe8CKXO++kSzprTtsoS/ROo=
+SIZE (ocserv-1.4.1.tar.gz) = 617990
Index: patches/patch-doc_sample_config
===================================================================
RCS file: /cvs/ports/net/ocserv/patches/patch-doc_sample_config,v
diff -u -p -r1.28 patch-doc_sample_config
--- patches/patch-doc_sample_config 22 Nov 2024 15:33:04 -0000 1.28
+++ patches/patch-doc_sample_config 3 Mar 2026 07:47:47 -0000
@@ -65,10 +65,10 @@ Index: doc/sample.config
# A banner to be displayed on clients after connection #banner = "Welcome"
-@@ -347,10 +326,9 @@ min-reauth-time = 300
+@@ -343,10 +322,9 @@ auth-timeout = 240
# Banning clients in ocserv works with a point system. IP addresses # that get a score over that configured number are banned for
- # min-reauth-time seconds. By default a wrong password attempt is 10 points,
+ # ban-time seconds. By default a wrong password attempt is 10 points,
-# a KKDCP POST is 1 point, and a connection is 1 point. Note that
-# due to different processes being involved the count of points
-# will not be real-time precise. Local subnet IPs are exempt to allow
Index: patches/patch-src_main-ban_c
===================================================================
RCS file: /cvs/ports/net/ocserv/patches/patch-src_main-ban_c,v
diff -u -p -r1.4 patch-src_main-ban_c
--- patches/patch-src_main-ban_c 23 Jan 2026 08:27:41 -0000 1.4
+++ patches/patch-src_main-ban_c 3 Mar 2026 07:47:47 -0000
@@ -3,7 +3,7 @@ Index: src/main-ban.c
+++ src/main-ban.c
@@ -447,10 +447,10 @@ static bool test_local_ipv6(struct sockaddr_in6 *remot
unsigned int index = 0; - + for (index = 0; index < 4; index++) {
- uint32_t l = local->sin6_addr.s6_addr32[index] &
- network->sin6_addr.s6_addr32[index];
@@ -13,6 +13,6 @@ Index: src/main-ban.c
+ network->sin6_addr.__u6_addr.__u6_addr32[index];
+ uint32_t r = remote->sin6_addr.__u6_addr.__u6_addr32[index] &
+ network->sin6_addr.__u6_addr.__u6_addr32[index];
- + if (l != r) return false;
Index: patches/patch-src_occtl_occtl_c
===================================================================
RCS file: /cvs/ports/net/ocserv/patches/patch-src_occtl_occtl_c,v
diff -u -p -r1.8 patch-src_occtl_occtl_c
--- patches/patch-src_occtl_occtl_c 23 Jan 2026 08:27:41 -0000 1.8
+++ patches/patch-src_occtl_occtl_c 3 Mar 2026 07:47:47 -0000
@@ -1,7 +1,7 @@ Index: src/occtl/occtl.c
--- src/occtl/occtl.c.orig
+++ src/occtl/occtl.c
-@@ -262,7 +262,7 @@ static int handle_reset_cmd(CONN_TYPE *conn, const cha
+@@ -260,7 +260,7 @@ static int handle_reset_cmd(CONN_TYPE *conn, const cha
cmd_params_st *params) { rl_reset_terminal(NULL);
Index: patches/patch-src_ocpasswd_ocpasswd_c
===================================================================
RCS file: /cvs/ports/net/ocserv/patches/patch-src_ocpasswd_ocpasswd_c,v
diff -u -p -r1.5 patch-src_ocpasswd_ocpasswd_c
--- patches/patch-src_ocpasswd_ocpasswd_c 23 Jan 2026 08:27:41 -0000 1.5
+++ patches/patch-src_ocpasswd_ocpasswd_c 3 Mar 2026 07:47:47 -0000
@@ -13,9 +13,9 @@ Index: src/ocpasswd/ocpasswd.c
#include #include /* for random */
@@ -38,18 +39,12 @@ - + #define DEFAULT_OCPASSWD "/etc/ocserv/ocpasswd" - +
-static const char alphabet[] =
- "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ./"; -
@@ -33,10 +33,10 @@ Index: src/ocpasswd/ocpasswd.c
unsigned int fpasswd_len = strlen(fpasswd); unsigned int tmp_passwd_len; unsigned int username_len = strlen(username);
-@@ -63,36 +58,9 @@ static void crypt_int(const char *fpasswd, const char
+@@ -63,36 +58,9 @@ static void crypt_int(const char *fpasswd, const char
setlocale(LC_CTYPE, "C"); setlocale(LC_COLLATE, "C"); - +
- ret = gnutls_rnd(GNUTLS_RND_NONCE, _salt, sizeof(_salt));
- if (ret < 0) {
- fprintf(stderr, "Error generating nonce: %s\n",
@@ -72,4 +72,4 @@ Index: src/ocpasswd/ocpasswd.c
+ fprintf(stderr, "Error in crypt_newhash().\n"); exit(EXIT_FAILURE); } - +
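Review bot: The cvs status line `? patches/patch-src_valid-hostname_c` in the cover mail shows a new, untracked patch file, but its contents are not part of this diff, so the update cannot be applied or reviewed as posted. Please regenerate the diff with `cvs diff -N` (or paste that patch inline); its name suggests it touches client hostname handling, which the 1.4.1 notes say changed ("Handle dotted client hostnames ... by stripping the domain suffix"), so it is the one piece of this update that actually needs eyes. The hunks that are here are the version and checksum bumps and regenerated offset and whitespace changes in the existing port patches, which look consistent with the new release.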