ocserv: bump to v1.4.1

[systemcrash]

• Version 1.4.1 (released 2026-02-28)

• [SECURITY] Fixed authentication bypass (medium severity) when using
  certificate authentication with cert-user-oid set to SAN(rfc822name):
  a client presenting a valid CA-signed certificate without the expected
  RFC822 SAN field could authenticate using password credentials alone,
  bypassing the intended certificate-to-username binding. Requires the
  attacker to possess both a valid CA-signed certificate and valid user
  credentials (694)
• The bundled inih was updated to r62.
• The bundled protobuf-c was updated to 1.5.2.
• Fixed a bug where session timeout could be bypassed by reconnecting
  (e.g., closing/opening laptop lid) (599)
• occtl: 'show user' command now includes a 'Session started at:' field,
  indicating when the VPN session was established
• occtl: Fix column misalignment in ban command outputs
• occtl: Fix 'show ip bans' may produce invalid JSON (683)
• Handle dotted client hostnames (e.g., .local) by stripping the domain suffix
• Renamed min-reauth-time configuration option to ban-time to better reflect
  its purpose (676). This option defines the duration (in seconds) for which
  an IP address is banned after exceeding the maximum allowed max-ban-score.
  Default is 300 seconds (5 minutes).
• Fixed ocserv-worker process title
• Fixed ignored udp-port in vhost (612)

• Version 1.4.0 (released 2026-01-04)

• The bundled llhtp was updated to 9.3.0.
• The bundled protobuf-c was updated to 1.5.1.
• Fixed issues with PAM authentication when combined with pam_sssd (618)
• Enhanced the seccomp filters to address issue in testing (627)
• Fixed "unexpected URL" errors for Cisco AnyConnect clients
• Fixed the 'ping-leases' option, which was broken since version 1.1.1
• Fixed maximum MTU tracking in server statistics
• Fixed 'iroute' option processing to handle multiple routes (625)
• Fixed session accounting for roaming users (674)
• occtl: fix invalid JSON output in occtl -j show iroutes (661)
• occtl: fix regression with trailing commas in occtl -j show sessions (669)
• occtl: fix missing column headers in 'show ip bans' output (677)
• occtl: 'show ip bans' no longer shows expired bans (675)
• Fixed DTLS not working with systemd socket activation (647)
• Fixed a bug in the ban timer logic that could prevent IP addresses
  from being banned or cause premature unbans (678)
• Session statistics are now reported at consistent intervals
  for RADIUS compatibility (630)
• Single form to enter username and password (551)

ping @nmav

[nmav]

LGTM, though it would make sense to move to 1.4.2 directly.

[systemcrash]

LGTM, though it would make sense to move to 1.4.2 directly.

Not an easy transition to meson in my dev env. Still a few kinks to work out.

[systemcrash]

I'm not sure what's up with neon here tho:

llhttp/llhttp.c: In function 'llhttp__internal__run':
llhttp/llhttp.c:2645:9: note: use '-flax-vector-conversions' to permit conversions between vectors with differing element types or numbers of subparts
 2645 |         );
      |         ^
llhttp/llhttp.c:2643:11: error: incompatible type for argument 1 of 'vandq_u16'
 2643 |           vcgeq_u8(input, vdupq_n_u8(' ')),
      |           ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      |           |
      |           uint8x16_t
In file included from llhttp/llhttp.c:14:
/builder/staging_dir/toolchain-arm_cortex-a15+neon-vfpv4_gcc-14.3.0_musl_eabi/lib/gcc/arm-openwrt-linux-muslgnueabi/14.3.0/include/arm_neon.h:15231:23: note: expected 'uint16x8_t' but argument is of type 'uint8x16_t'
15231 | vandq_u16 (uint16x8_t __a, uint16x8_t __b)
      |            ~~~~~~~~~~~^~~
llhttp/llhttp.c:2644:11: error: incompatible type for argument 2 of 'vandq_u16'
 2644 |           vcleq_u8(input, vdupq_n_u8('~'))
      |           ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      |           |
      |           uint8x16_t
/builder/staging_dir/toolchain-arm_cortex-a15+neon-vfpv4_gcc-14.3.0_musl_eabi/lib/gcc/arm-openwrt-linux-muslgnueabi/14.3.0/include/arm_neon.h:15231:39: note: expected 'uint16x8_t' but argument is of type 'uint8x16_t'
15231 | vandq_u16 (uint16x8_t __a, uint16x8_t __b)
      |                            ~~~~~~~~~~~^~~
llhttp/llhttp.c:2646:26: error: incompatible type for argument 1 of 'vorrq_u16'
 2646 |         mask = vorrq_u16(mask, single);
      |                          ^~~~
      |                          |
      |                          uint8x16_t
/builder/staging_dir/toolchain-arm_cortex-a15+neon-vfpv4_gcc-14.3.0_musl_eabi/lib/gcc/arm-openwrt-linux-muslgnueabi/14.3.0/include/arm_neon.h:15343:23: note: expected 'uint16x8_t' but argument is of type 'uint8x16_t'
15343 | vorrq_u16 (uint16x8_t __a, uint16x8_t __b)
      |            ~~~~~~~~~~~^~~
llhttp/llhttp.c:2646:32: error: incompatible type for argument 2 of 'vorrq_u16'
 2646 |         mask = vorrq_u16(mask, single);
      |                                ^~~~~~
      |                                |
      |                                uint8x16_t
/builder/staging_dir/toolchain-arm_cortex-a15+neon-vfpv4_gcc-14.3.0_musl_eabi/lib/gcc/arm-openwrt-linux-muslgnueabi/14.3.0/include/arm_neon.h:15343:39: note: expected 'uint16x8_t' but argument is of type 'uint8x16_t'
15343 | vorrq_u16 (uint16x8_t __a, uint16x8_t __b)
      |                            ~~~~~~~~~~~^~~
llhttp/llhttp.c:2648:11: error: incompatible type for argument 1 of 'vandq_u16'
 2648 |           vcgeq_u8(input, vdupq_n_u8(0x80)),
      |           ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      |           |
      |           uint8x16_t
/builder/staging_dir/toolchain-arm_cortex-a15+neon-vfpv4_gcc-14.3.0_musl_eabi/lib/gcc/arm-openwrt-linux-muslgnueabi/14.3.0/include/arm_neon.h:15231:23: note: expected 'uint16x8_t' but argument is of type 'uint8x16_t'
15231 | vandq_u16 (uint16x8_t __a, uint16x8_t __b)
      |            ~~~~~~~~~~~^~~
llhttp/llhttp.c:2649:11: error: incompatible type for argument 2 of 'vandq_u16'
 2649 |           vcleq_u8(input, vdupq_n_u8(0xff))
      |           ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      |           |
      |           uint8x16_t
/builder/staging_dir/toolchain-arm_cortex-a15+neon-vfpv4_gcc-14.3.0_musl_eabi/lib/gcc/arm-openwrt-linux-muslgnueabi/14.3.0/include/arm_neon.h:15231:39: note: expected 'uint16x8_t' but argument is of type 'uint8x16_t'
15231 | vandq_u16 (uint16x8_t __a, uint16x8_t __b)
      |                            ~~~~~~~~~~~^~~
llhttp/llhttp.c:2651:26: error: incompatible type for argument 1 of 'vorrq_u16'
 2651 |         mask = vorrq_u16(mask, single);
      |                          ^~~~
      |                          |
      |                          uint8x16_t
/builder/staging_dir/toolchain-arm_cortex-a15+neon-vfpv4_gcc-14.3.0_musl_eabi/lib/gcc/arm-openwrt-linux-muslgnueabi/14.3.0/include/arm_neon.h:15343:23: note: expected 'uint16x8_t' but argument is of type 'uint8x16_t'
15343 | vorrq_u16 (uint16x8_t __a, uint16x8_t __b)
      |            ~~~~~~~~~~~^~~
llhttp/llhttp.c:2651:32: error: incompatible type for argument 2 of 'vorrq_u16'
 2651 |         mask = vorrq_u16(mask, single);
      |                                ^~~~~~
      |                                |
      |                                uint8x16_t
/builder/staging_dir/toolchain-arm_cortex-a15+neon-vfpv4_gcc-14.3.0_musl_eabi/lib/gcc/arm-openwrt-linux-muslgnueabi/14.3.0/include/arm_neon.h:15343:39: note: expected 'uint16x8_t' but argument is of type 'uint8x16_t'
15343 | vorrq_u16 (uint16x8_t __a, uint16x8_t __b)
      |                            ~~~~~~~~~~~^~~
llhttp/llhttp.c:2652:30: error: incompatible type for argument 1 of 'vshrn_n_u16'
 2652 |         narrow = vshrn_n_u16(mask, 4);
      |                              ^~~~
      |                              |
      |                              uint8x16_t
/builder/staging_dir/toolchain-arm_cortex-a15+neon-vfpv4_gcc-14.3.0_musl_eabi/lib/gcc/arm-openwrt-linux-muslgnueabi/14.3.0/include/arm_neon.h:4699:25: note: expected 'uint16x8_t' but argument is of type 'uint8x16_t'
 4699 | vshrn_n_u16 (uint16x8_t __a, const int __b)
      |              ~~~~~~~~~~~^~~
make[6]: *** [Makefile:1410: llhttp/llhttp.o] Error 1
make[6]: Leaving directory '/builder/build_dir/target-arm_cortex-a15+neon-vfpv4_musl_eabi/ocserv-1.4.1/src'
make[5]: *** [Makefile:854: all] Error 2
make[5]: Leaving directory '/builder/build_dir/target-arm_cortex-a15+neon-vfpv4_musl_eabi/ocserv-1.4.1/src'
make[4]: *** [Makefile:517: all-recursive] Error 1
make[4]: Leaving directory '/builder/build_dir/target-arm_cortex-a15+neon-vfpv4_musl_eabi/ocserv-1.4.1'
make[3]: *** [Makefile:450: all] Error 2
make[3]: Leaving directory '/builder/build_dir/target-arm_cortex-a15+neon-vfpv4_musl_eabi/ocserv-1.4.1'
make[2]: *** [Makefile:118: /builder/build_dir/target-arm_cortex-a15+neon-vfpv4_musl_eabi/ocserv-1.4.1/.built] Error 2
make[2]: Leaving directory '/feed/net/ocserv'

Those 8x16 vs 16x8 things seem a problem of llhttp.