aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--GIDs1
-rw-r--r--UIDs1
-rw-r--r--net/Makefile1
-rw-r--r--net/ocserv/Makefile78
-rw-r--r--net/ocserv/distinfo2
-rw-r--r--net/ocserv/files/ocserv.conf290
-rw-r--r--net/ocserv/files/ocserv.in26
-rw-r--r--net/ocserv/files/patch-configure.ac36
-rw-r--r--net/ocserv/files/patch-doc_Makefile.am42
-rw-r--r--net/ocserv/files/patch-src_config.c31
-rw-r--r--net/ocserv/files/patch-src_main-ctl-unix.c55
-rw-r--r--net/ocserv/files/patch-src_main.c14
-rw-r--r--net/ocserv/files/patch-src_ocserv-args.def56
-rw-r--r--net/ocserv/pkg-descr20
-rw-r--r--net/ocserv/pkg-plist8
15 files changed, 661 insertions, 0 deletions
diff --git a/GIDs b/GIDs
index fbee7f8b4d3f..a035c7ad4d7f 100644
--- a/GIDs
+++ b/GIDs
@@ -238,6 +238,7 @@ dahdi:*:843:asterisk
subsonic:*:844:
fossy:*:901:www
scanlogd:*:902:
+_ocserv:*:903:
influxd:*:907:
riemann:*:908:
proxy65:*:909:
diff --git a/UIDs b/UIDs
index 96e26e74348c..c7c701e69105 100644
--- a/UIDs
+++ b/UIDs
@@ -242,6 +242,7 @@ munin:*:842:842::0:0:Munin:/var/munin:/usr/sbin/nologin
subsonic:*:844:844::0:0:Subsonic standalone-server:/nonexistent:/usr/sbin/nologin
fossy:*:901:901::0:0:FOSSology user:/usr/local/share/fossology:/usr/local/bin/bash
scanlogd:*:902:902::0:0:scanlogd user:/nonexistent:/usr/sbin/nologin
+_ocserv:*:903:903::0:0:ocserv user:/nonexistent:/usr/sbin/nologin
influxd:*:907:907::0:0:InfluxDB Daemon:/var/empty:/usr/sbin/nologin
riemann:*:908:908::0:0:Riemann User:/var/empty:/usr/sbin/nologin
proxy65:*:909:909::0:0:Proxy65 Daemon:/nonexistent:/usr/sbin/nologin
diff --git a/net/Makefile b/net/Makefile
index f11cb819cb6c..1144fd9c3ceb 100644
--- a/net/Makefile
+++ b/net/Makefile
@@ -449,6 +449,7 @@
SUBDIR += nxproxy
SUBDIR += nyancat
SUBDIR += nylon
+ SUBDIR += ocserv
SUBDIR += ohphone
SUBDIR += olsrd
SUBDIR += omcmd
diff --git a/net/ocserv/Makefile b/net/ocserv/Makefile
new file mode 100644
index 000000000000..6526e7d7dc4b
--- /dev/null
+++ b/net/ocserv/Makefile
@@ -0,0 +1,78 @@
+# Created by: Carlos J Puga Medina <cpm@fbsd.es>
+# $FreeBSD$
+
+PORTNAME= ocserv
+PORTVERSION= 0.10.7
+CATEGORIES= net security
+MASTER_SITES= ftp://ftp.infradead.org/pub/ocserv/
+
+MAINTAINER= cpm@fbsd.es
+COMMENT= Server implementing the AnyConnect SSL VPN protocol
+
+LICENSE= GPLv2
+
+BUILD_DEPENDS= autogen:${PORTSDIR}/devel/autogen \
+ gsed:${PORTSDIR}/textproc/gsed \
+ bash:${PORTSDIR}/shells/bash
+LIB_DEPENDS= liblz4.so:${PORTSDIR}/archivers/liblz4 \
+ libiconv.so:${PORTSDIR}/converters/libiconv \
+ libtalloc.so:${PORTSDIR}/devel/talloc \
+ libprotobuf-c.so:${PORTSDIR}/devel/protobuf-c \
+ libgnutls.so:${PORTSDIR}/security/gnutls
+
+USES= autoreconf cpe gmake gperf libtool ncurses pathfix pkgconfig readline tar:xz
+CPE_VENDOR= infradead
+CFLAGS+= -I${LOCALBASE}/include
+LDFLAGS+= -L${LOCALBASE}/lib -lintl
+GNU_CONFIGURE= yes
+USE_LDCONFIG= yes
+
+CONFIGURE_ARGS= --disable-nls \
+ --enable-local-libopts \
+ --without-http-parser \
+ --without-pcl-lib \
+ --without-radius
+
+USERS= _ocserv
+GROUPS= _ocserv
+
+USE_RC_SUBR= ocserv
+
+OPTIONS_DEFINE= DOCS EXAMPLES GSSAPI
+
+PORTDOCS= AUTHORS ChangeLog INSTALL NEWS README TODO
+PORTEXAMPLES= profile.xml sample.config sample.passwd
+
+.include <bsd.port.options.mk>
+
+.if ${PORT_OPTIONS:MGSSAPI}
+USES+= gssapi:mit
+LIB_DEPENDS+= libkrb5support.so:${PORTSDIR}/security/krb5
+.else
+CONFIGURE_ARGS+= --without-gssapi
+.endif
+
+post-patch:
+ ${RM} ${WRKSRC}/doc/occtl.8
+ ${RM} ${WRKSRC}/doc/ocpasswd.8
+ ${RM} ${WRKSRC}/doc/ocserv.8
+
+post-install:
+ ${STRIP_CMD} ${STAGEDIR}${PREFIX}/bin/occtl
+ ${STRIP_CMD} ${STAGEDIR}${PREFIX}/bin/ocpasswd
+ ${STRIP_CMD} ${STAGEDIR}${PREFIX}/sbin/ocserv
+ ${MKDIR} ${STAGEDIR}${PREFIX}/etc/ocserv/
+ ${MKDIR} ${STAGEDIR}/var/run/ocserv/
+ ${CP} ${FILESDIR}/ocserv.conf ${STAGEDIR}${PREFIX}/etc/ocserv/conf.sample
+
+.if ${PORT_OPTIONS:MDOCS}
+ ${MKDIR} ${STAGEDIR}${DOCSDIR}
+ cd ${WRKSRC} && ${INSTALL_DATA} ${PORTDOCS} ${STAGEDIR}${DOCSDIR}
+.endif
+
+.if ${PORT_OPTIONS:MEXAMPLES}
+ ${MKDIR} ${STAGEDIR}${EXAMPLESDIR}
+ cd ${WRKSRC}/doc && ${INSTALL_DATA} ${PORTEXAMPLES} ${STAGEDIR}${EXAMPLESDIR}
+.endif
+
+.include <bsd.port.mk>
diff --git a/net/ocserv/distinfo b/net/ocserv/distinfo
new file mode 100644
index 000000000000..53c631bfd509
--- /dev/null
+++ b/net/ocserv/distinfo
@@ -0,0 +1,2 @@
+SHA256 (ocserv-0.10.7.tar.xz) = 222212baae53e7f74273245e1459d4132cda41ad255a21f1e42ab4cd240f431d
+SIZE (ocserv-0.10.7.tar.xz) = 712232
diff --git a/net/ocserv/files/ocserv.conf b/net/ocserv/files/ocserv.conf
new file mode 100644
index 000000000000..a649d5cb3ce7
--- /dev/null
+++ b/net/ocserv/files/ocserv.conf
@@ -0,0 +1,290 @@
+# User authentication method. Could be set multiple times and in that case
+# all should succeed.
+# Options: certificate, pam.
+#auth = "certificate"
+#auth = "pam"
+
+# The plain option requires specifying a password file which contains
+# entries of the following format.
+# "username:groupname:encoded-password"
+# One entry must be listed per line, and 'ocpasswd' can be used
+# to generate password entries.
+auth = "plain[passwd=/usr/local/etc/ocserv/passwd]"
+
+# A banner to be displayed on clients
+banner = "Welcome to OpenConnect VPN"
+
+# Use listen-host to limit to specific IPs or to the IPs of a provided
+# hostname.
+#listen-host = [IP|HOSTNAME]
+
+# Limit the number of clients. Unset or set to zero for unlimited.
+#max-clients = 1024
+max-clients = 8
+
+# Limit the number of client connections to one every X milliseconds
+# (X is the provided value). Set to zero for no limit.
+#rate-limit-ms = 100
+
+# Limit the number of identical clients (i.e., users connecting
+# multiple times). Unset or set to zero for unlimited.
+max-same-clients = 2
+
+# TCP and UDP port number
+tcp-port = 4443
+udp-port = 4443
+
+# Keepalive in seconds
+keepalive = 32400
+
+# Dead peer detection in seconds.
+dpd = 120
+
+# Dead peer detection for mobile clients. The needs to
+# be much higher to prevent such clients being awaken too
+# often by the DPD messages, and save battery.
+# (clients that send the X-AnyConnect-Identifier-DeviceType)
+#mobile-dpd = 1800
+
+# MTU discovery (DPD must be enabled)
+try-mtu-discovery = false
+
+# The key and the certificates of the server
+# The key may be a file, or any URL supported by GnuTLS (e.g.,
+# tpmkey:uuid=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx;storage=user
+# or pkcs11:object=my-vpn-key;object-type=private)
+#
+# There may be multiple certificate and key pairs and each key
+# should correspond to the preceding certificate.
+server-cert = /usr/local/etc/ocserv/pub.pem
+server-key = /usr/local/etc/ocserv/key.pem
+
+# Diffie-Hellman parameters. Only needed if you require support
+# for the DHE ciphersuites (by default this server supports ECDHE).
+# Can be generated using:
+# certtool --generate-dh-params --outfile /path/to/dh.pem
+#dh-params = /path/to/dh.pem
+
+# If you have a certificate from a CA that provides an OCSP
+# service you may provide a fresh OCSP status response within
+# the TLS handshake. That will prevent the client from connecting
+# independently on the OCSP server.
+# You can update this response periodically using:
+# ocsptool --ask --load-cert=your_cert --load-issuer=your_ca --outfile response
+# Make sure that you replace the following file in an atomic way.
+#ocsp-response = /path/to/ocsp.der
+
+# In case PKCS #11 or TPM keys are used the PINs should be available
+# in files. The srk-pin-file is applicable to TPM keys only, and is the
+# storage root key.
+#pin-file = /path/to/pin.txt
+#srk-pin-file = /path/to/srkpin.txt
+
+# The Certificate Authority that will be used to verify
+# client certificates (public keys) if certificate authentication
+# is set.
+#ca-cert = /usr/local/etc/ocserv/ca.pem
+
+# The object identifier that will be used to read the user ID in the client
+# certificate. The object identifier should be part of the certificate's DN
+# Useful OIDs are:
+# CN = 2.5.4.3, UID = 0.9.2342.19200300.100.1.1
+#cert-user-oid = 0.9.2342.19200300.100.1.1
+
+# The object identifier that will be used to read the user group in the
+# client certificate. The object identifier should be part of the certificate's
+# DN. Useful OIDs are:
+# OU (organizational unit) = 2.5.4.11
+#cert-group-oid = 2.5.4.11
+
+# The revocation list of the certificates issued by the 'ca-cert' above.
+#crl = /usr/local/etc/ocserv/crl.pem
+
+# GnuTLS priority string
+tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT"
+
+# To enforce perfect forward secrecy (PFS) on the main channel.
+#tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA"
+
+# The time (in seconds) that a client is allowed to stay connected prior
+# to authentication
+auth-timeout = 40
+
+# The time (in seconds) that a client is allowed to stay idle (no traffic)
+# before being disconnected. Unset to disable.
+#idle-timeout = 1200
+
+# The time (in seconds) that a mobile client is allowed to stay idle (no
+# traffic) before being disconnected. Unset to disable.
+#mobile-idle-timeout = 2400
+
+# The time (in seconds) that a client is not allowed to reconnect after
+# a failed authentication attempt.
+#min-reauth-time = 2
+
+# Cookie validity time (in seconds)
+# Once a client is authenticated he's provided a cookie with
+# which he can reconnect. This option sets the maximum lifetime
+# of that cookie.
+#cookie-validity = 86400
+
+# ReKey time (in seconds)
+# ocserv will ask the client to refresh keys periodically once
+# this amount of seconds is elapsed. Set to zero to disable.
+rekey-time = 172800
+
+# ReKey method
+# Valid options: ssl, new-tunnel
+# ssl: Will perform an efficient rehandshake on the channel allowing
+# a seamless connection during rekey.
+# new-tunnel: Will instruct the client to discard and re-establish the channel.
+# Use this option only if the connecting clients have issues with the ssl
+# option.
+rekey-method = ssl
+
+# Script to call when a client connects and obtains an IP
+# Parameters are passed on the environment.
+# REASON, USERNAME, GROUPNAME, HOSTNAME (the hostname selected by client),
+# DEVICE, IP_REAL (the real IP of the client), IP_LOCAL (the local IP
+# in the P-t-P connection), IP_REMOTE (the VPN IP of the client),
+# ID (a unique numeric ID); REASON may be "connect" or "disconnect".
+#connect-script = /scripts/ocserv-script
+#disconnect-script = /scripts/ocserv-script
+
+# UTMP
+use-utmp = false
+
+# OCCTL
+use-occtl = true
+
+# PID file. It can be overriden in the command line.
+pid-file = /var/run/ocserv/pid
+
+# The default server directory. Does not require any devices present.
+chroot-dir = /var/run/ocserv
+
+# socket file used for IPC, will be appended with .PID
+# It must be accessible within the chroot environment (if any)
+socket-file = socket
+
+# The user the worker processes will be run as. It should be
+# unique (no other services run as this user).
+run-as-user = _ocserv
+run-as-group = _ocserv
+
+# Set the protocol-defined priority (SO_PRIORITY) for packets to
+# be sent. That is a number from 0 to 6 with 0 being the lowest
+# priority. Alternatively this can be used to set the IP Type-
+# Of-Service, by setting it to a hexadecimal number (e.g., 0x20).
+# This can be set per user/group or globally.
+#net-priority = 3
+
+# Set the VPN worker process into a specific cgroup. This is Linux
+# specific and can be set per user/group or globally.
+#cgroup = "cpuset,cpu:test"
+
+#
+# Network settings
+#
+
+# The name of the tun device
+device = vpns
+
+# The default domain to be advertised
+default-domain = example.com
+
+# The pool of addresses that leases will be given from.
+ipv4-network = 192.168.1.0
+ipv4-netmask = 255.255.255.0
+
+# The advertized DNS server. Use multiple lines for
+# multiple servers.
+# dns = fc00::4be0
+dns = 192.168.1.2
+
+# The NBNS server (if any)
+#nbns = 192.168.1.3
+
+# The IPv6 subnet that leases will be given from.
+#ipv6-network = fc00::
+#ipv6-prefix = 16
+
+# The domains over which the provided DNS should be used. Use
+# multiple lines for multiple domains.
+#split-dns = example.com
+
+# Prior to leasing any IP from the pool ping it to verify that
+# it is not in use by another (unrelated to this server) host.
+ping-leases = false
+
+# Unset to assign the default MTU of the device
+# mtu =
+
+# Unset to enable bandwidth restrictions (in bytes/sec). The
+# setting here is global, but can also be set per user or per group.
+#rx-data-per-sec = 40000
+#tx-data-per-sec = 40000
+
+# The number of packets (of MTU size) that are available in
+# the output buffer. The default is low to improve latency.
+# Setting it higher will improve throughput.
+#output-buffer = 10
+
+# Routes to be forwarded to the client. If you need the
+# client to forward routes to the server, you may use the
+# config-per-user/group or even connect and disconnect scripts.
+#
+# To set the server as the default gateway for the client just
+# comment out all routes from the server.
+route = 192.168.1.0/255.255.255.0
+route = 192.168.5.0/255.255.255.0
+#route = fef4:db8:1000:1001::/64
+
+# Configuration files that will be applied per user connection or
+# per group. Each file name on these directories must match the username
+# or the groupname.
+# The options allowed in the configuration files are dns, nbns,
+# ipv?-network, ipv4-netmask, ipv6-prefix, rx/tx-per-sec, iroute, route,
+# net-priority and cgroup.
+#
+# Note that the 'iroute' option allows to add routes on the server
+# based on a user or group. The syntax depends on the input accepted
+# by the commands route-add-cmd and route-del-cmd (see below).
+
+#config-per-user = /usr/local/etc/ocserv/config-per-user/
+#config-per-group = /usr/local/etc/ocserv/config-per-group/
+
+# The system command to use to setup a route. %R will be replaced with the
+# route/mask and %D with the (tun) device.
+#
+# The following example is from linux systems. %R should be something
+# like 192.168.2.0/24
+
+#route-add-cmd = "ip route add %R dev %D"
+#route-del-cmd = "ip route delete %R dev %D"
+
+#
+# The following options are for (experimental) AnyConnect client
+# compatibility.
+
+# Client profile xml. A sample file exists in doc/profile.xml.
+# This file must be accessible from inside the worker's chroot.
+# It is not used by the openconnect client.
+#user-profile = profile.xml
+
+# Binary files that may be downloaded by the CISCO client. Must
+# be within any chroot environment.
+#binary-files = /path/to/binaries
+
+# Unless set to false it is required for clients to present their
+# certificate even if they are authenticating via a previously granted
+# cookie and complete their authentication in the same TCP connection.
+# Legacy CISCO clients do not do that, and thus this option should be
+# set for them.
+cisco-client-compat = true
+
+#Advanced options
+
+# Option to allow sending arbitrary custom headers to the client after
+# authentication and prior to VPN tunnel establishment.
+#custom-header = "X-My-Header: hi there"
diff --git a/net/ocserv/files/ocserv.in b/net/ocserv/files/ocserv.in
new file mode 100644
index 000000000000..7775a1477ac4
--- /dev/null
+++ b/net/ocserv/files/ocserv.in
@@ -0,0 +1,26 @@
+#!/bin/sh
+#
+# $FreeBSD$
+#
+# PROVIDE: ocserv
+# REQUIRE: DAEMON
+# KEYWORD: shutdown
+#
+# Add the following to /etc/rc.conf to enable ocserv:
+#
+# ocserv_enable="YES"
+#
+
+. /etc/rc.subr
+
+name="ocserv"
+rcvar="ocserv_enable"
+
+load_rc_config ${name}
+
+: ${ocserv_enable:="NO"}
+: ${ocserv_pidfile:=/var/run/${name}/pid}
+
+command=/usr/local/sbin/${name}
+
+run_rc_command "$1"
diff --git a/net/ocserv/files/patch-configure.ac b/net/ocserv/files/patch-configure.ac
new file mode 100644
index 000000000000..22a9a5f447bc
--- /dev/null
+++ b/net/ocserv/files/patch-configure.ac
@@ -0,0 +1,36 @@
+--- configure.ac.orig 2015-08-06 16:43:09 UTC
++++ configure.ac
+@@ -16,11 +16,11 @@ AM_PROG_CC_C_O
+ if [ test "$GCC" = "yes" ];then
+ CFLAGS="$CFLAGS -Wall"
+ fi
+-AC_PATH_PROG(CTAGS, ctags, /bin/true)
+-AC_PATH_PROG(CSCOPE, cscope, /bin/true)
+-AC_CHECK_PROG([AUTOGEN], [autogen], [autogen], [/bin/true])
++AC_PATH_PROG(CTAGS, ctags, /usr/bin/true)
++AC_PATH_PROG(CSCOPE, cscope, /usr/bin/true)
++AC_CHECK_PROG([AUTOGEN], [autogen], [autogen], [autogen])
+
+-if test x"$AUTOGEN" = "x/bin/true"; then
++if test x"$AUTOGEN" = "x:"; then
+ AC_MSG_WARN([[
+ ***
+ *** autogen not found. Will not link against libopts.
+@@ -124,7 +124,7 @@ if test "$test_for_libnl" = yes;then
+ fi
+
+ have_readline=no
+-AC_LIB_HAVE_LINKFLAGS(readline,, [
++AC_LIB_HAVE_LINKFLAGS(readline,ncurses, [
+ #include <stdio.h>
+ #include <readline/readline.h>], [rl_replace_line(0,0);])
+ if test x$ac_cv_libreadline = xyes; then
+@@ -441,7 +441,7 @@ if test "$NEED_LIBOPTS_DIR" = "true";the
+ cp -f $i $nam
+ fi
+ done
+- AC_SUBST([AUTOGEN], [/bin/true])
++ AC_SUBST([AUTOGEN], [autogen])
+ enable_local_libopts=yes
+ else
+ enable_local_libopts=no
diff --git a/net/ocserv/files/patch-doc_Makefile.am b/net/ocserv/files/patch-doc_Makefile.am
new file mode 100644
index 000000000000..9790304c9f20
--- /dev/null
+++ b/net/ocserv/files/patch-doc_Makefile.am
@@ -0,0 +1,42 @@
+--- doc/Makefile.am.orig 2015-05-26 16:33:38 UTC
++++ doc/Makefile.am
+@@ -5,18 +5,27 @@ EXTRA_DIST = design.dia sample.config sc
+
+ dist_man_MANS = ocserv.8 ocpasswd.8 occtl.8
+
+-ocserv.8: ../src/ocserv-args.def
+- -sed 's/@subheading \(.*\)/@*\n@var{\1}\n@*/' $< > "$<".tmp && \
+- @AUTOGEN@ -L../src -DMAN_SECTION=8 -Tagman-cmd.tpl "$<".tmp && \
+- rm -f "$<".tmp
++ocserv.8:
++ -gsed 's/@subheading \(.*\)/@*\n@var{\1}\n@*/' \
++ ../src/ocserv-args.def > ../src/ocserv-args.def.tmp && \
++ @AUTOGEN@ -L../src -DMAN_SECTION=8 -Tagman-cmd.tpl \
++ ../src/ocserv-args.def.tmp && \
++ rm -f ../src/ocserv-args.def.tmp
++ sed -I -e 's/^\.NOP //' $@
+
+-occtl.8: ../src/occtl-args.def
+- -sed 's/@subheading \(.*\)/@*\n@var{\1}\n@*/' $< > "$<".tmp && \
+- @AUTOGEN@ -L../src -DMAN_SECTION=8 -Tagman-cmd.tpl "$<".tmp && \
+- rm -f "$<".tmp
++occtl.8:
++ -gsed 's/@subheading \(.*\)/@*\n@var{\1}\n@*/' \
++ ../src/occtl-args.def > ../src/occtl-args.def.tmp && \
++ @AUTOGEN@ -L../src -DMAN_SECTION=8 -Tagman-cmd.tpl \
++ ../src/occtl-args.def.tmp && \
++ rm -f ../src/occtl-args.def.tmp
++ sed -I -e 's/^\.NOP //' $@
+
+-ocpasswd.8: ../src/ocpasswd-args.def
+- -sed 's/@subheading \(.*\)/@*\n@var{\1}\n@*/' $< > "$<".tmp && \
+- @AUTOGEN@ -L../src -DMAN_SECTION=8 -Tagman-cmd.tpl "$<".tmp && \
+- rm -f "$<".tmp
++ocpasswd.8:
++ -gsed 's/@subheading \(.*\)/@*\n@var{\1}\n@*/' \
++ ../src/ocpasswd-args.def > ../src/ocpasswd-args.def.tmp && \
++ @AUTOGEN@ -L../src -DMAN_SECTION=8 -Tagman-cmd.tpl \
++ ../src/ocpasswd-args.def.tmp && \
++ rm -f ../src/ocpasswd-args.def.tmp
++ sed -I -e 's/^\.NOP //' $@
+
diff --git a/net/ocserv/files/patch-src_config.c b/net/ocserv/files/patch-src_config.c
new file mode 100644
index 000000000000..ab450e6c33ea
--- /dev/null
+++ b/net/ocserv/files/patch-src_config.c
@@ -0,0 +1,31 @@
+--- src/config.c.orig 2015-07-18 10:35:29 UTC
++++ src/config.c
+@@ -52,8 +52,7 @@
+ #include <tlslib.h>
+ #include "common-config.h"
+
+-#define OLD_DEFAULT_CFG_FILE "/etc/ocserv.conf"
+-#define DEFAULT_CFG_FILE "/etc/ocserv/ocserv.conf"
++#define DEFAULT_CFG_FILE "/usr/local/etc/ocserv/conf"
+
+ static char pid_file[_POSIX_PATH_MAX] = "";
+ static const char* cfg_file = DEFAULT_CFG_FILE;
+@@ -414,7 +413,7 @@ static void figure_auth_funcs(struct per
+ }
+ talloc_free(auth[j]);
+ }
+- fprintf(stderr, "Setting '%s' as primary authentication method\n", config->auth[0].name);
++ /* fprintf(stderr, "Setting '%s' as primary authentication method\n", config->auth[0].name); */
+ } else {
+ unsigned x = config->auth_methods;
+ /* Append authentication methods (alternative options) */
+@@ -583,9 +582,6 @@ size_t urlfw_size = 0;
+ #endif
+
+ pov = configFileLoad(file);
+- if (pov == NULL && file != NULL && strcmp(file, DEFAULT_CFG_FILE) == 0)
+- pov = configFileLoad(OLD_DEFAULT_CFG_FILE);
+-
+ if (pov == NULL) {
+ fprintf(stderr, "Error loading config file %s\n", file);
+ exit(1);
diff --git a/net/ocserv/files/patch-src_main-ctl-unix.c b/net/ocserv/files/patch-src_main-ctl-unix.c
new file mode 100644
index 000000000000..f1da865b5c40
--- /dev/null
+++ b/net/ocserv/files/patch-src_main-ctl-unix.c
@@ -0,0 +1,55 @@
+--- src/main-ctl-unix.c.orig 2015-05-26 16:33:38 UTC
++++ src/main-ctl-unix.c
+@@ -110,10 +110,15 @@ int ctl_handler_init(main_server_st * s)
+ struct sockaddr_un sa;
+ int sd, e;
+
+- if (s->config->use_occtl == 0 || s->perm_config->occtl_socket_file == NULL)
++ mslog(s, NULL, LOG_INFO, "using control unix socket: %s", s->perm_config->occtl_socket_file);
++
++ if (s->config->use_occtl == 0 ||
++ s->perm_config->occtl_socket_file == NULL) {
++ mslog(s, NULL, LOG_INFO, "not using control unix socket");
+ return 0;
++ }
+
+- mslog(s, NULL, LOG_DEBUG, "initializing control unix socket: %s", s->perm_config->occtl_socket_file);
++ mslog(s, NULL, LOG_INFO, "initializing control unix socket: %s", s->perm_config->occtl_socket_file);
+ memset(&sa, 0, sizeof(sa));
+ sa.sun_family = AF_UNIX;
+ strlcpy(sa.sun_path, s->perm_config->occtl_socket_file, sizeof(sa.sun_path));
+@@ -122,7 +127,7 @@ int ctl_handler_init(main_server_st * s)
+ sd = socket(AF_UNIX, SOCK_STREAM, 0);
+ if (sd == -1) {
+ e = errno;
+- mslog(s, NULL, LOG_ERR, "could not create socket '%s': %s",
++ mslog(s, NULL, LOG_INFO, "could not create socket '%s': %s",
+ s->perm_config->occtl_socket_file, strerror(e));
+ return -1;
+ }
+@@ -131,7 +136,7 @@ int ctl_handler_init(main_server_st * s)
+ ret = bind(sd, (struct sockaddr *)&sa, SUN_LEN(&sa));
+ if (ret == -1) {
+ e = errno;
+- mslog(s, NULL, LOG_ERR, "could not bind socket '%s': %s",
++ mslog(s, NULL, LOG_INFO, "could not bind socket '%s': %s",
+ s->perm_config->occtl_socket_file, strerror(e));
+ return -1;
+ }
+@@ -139,14 +144,14 @@ int ctl_handler_init(main_server_st * s)
+ ret = chown(s->perm_config->occtl_socket_file, s->perm_config->uid, s->perm_config->gid);
+ if (ret == -1) {
+ e = errno;
+- mslog(s, NULL, LOG_ERR, "could not chown socket '%s': %s",
++ mslog(s, NULL, LOG_INFO, "could not chown socket '%s': %s",
+ s->perm_config->occtl_socket_file, strerror(e));
+ }
+
+ ret = listen(sd, 1024);
+ if (ret == -1) {
+ e = errno;
+- mslog(s, NULL, LOG_ERR, "could not listen to socket '%s': %s",
++ mslog(s, NULL, LOG_INFO, "could not listen to socket '%s': %s",
+ s->perm_config->occtl_socket_file, strerror(e));
+ return -1;
+ }
diff --git a/net/ocserv/files/patch-src_main.c b/net/ocserv/files/patch-src_main.c
new file mode 100644
index 000000000000..289d9a0e0ab3
--- /dev/null
+++ b/net/ocserv/files/patch-src_main.c
@@ -0,0 +1,14 @@
+--- src/main.c.orig 2015-07-01 18:41:01 UTC
++++ src/main.c
+@@ -131,8 +131,9 @@ int y;
+ perror("setsockopt(IP_PKTINFO) failed");
+ #elif defined(IP_RECVDSTADDR) /* *BSD */
+ y = 1;
+- if (setsockopt(fd, IPPROTO_IP, IP_RECVDSTADDR,
+- (const void *)&y, sizeof(y)) < 0)
++ if (family == AF_INET &&
++ setsockopt(fd, IPPROTO_IP, IP_RECVDSTADDR,
++ (const void *)&y, sizeof(y)) < 0)
+ perror("setsockopt(IP_RECVDSTADDR) failed");
+ #endif
+ #if defined(IPV6_RECVPKTINFO)
diff --git a/net/ocserv/files/patch-src_ocserv-args.def b/net/ocserv/files/patch-src_ocserv-args.def
new file mode 100644
index 000000000000..23810fb388f6
--- /dev/null
+++ b/net/ocserv/files/patch-src_ocserv-args.def
@@ -0,0 +1,56 @@
+--- src/ocserv-args.def.orig 2015-07-15 17:17:22 UTC
++++ src/ocserv-args.def
+@@ -68,7 +68,7 @@ doc-section = {
+ ds-format = 'texi';
+ ds-text = <<-_EOT_
+ @subheading ocserv's configuration file format
+-By default, if no other file is specified, ocserv looks for its configuration file at @file{/etc/ocserv/ocserv.conf}.
++By default, if no other file is specified, ocserv looks for its configuration file at @file{/usr/local/etc/ocserv/conf}.
+ An example configuration file follows.
+
+ @example
+@@ -87,7 +87,7 @@ An example configuration file follows.
+ # This enabled PAM authentication of the user. The gid-min option is used
+ # by auto-select-group option, in order to select the minimum valid group ID.
+ #
+-# plain[passwd=/etc/ocserv/ocpasswd]
++# plain[passwd=/usr/local/etc/ocserv/ocpasswd]
+ # The plain option requires specifying a password file which contains
+ # entries of the following format.
+ # "username:groupname1,groupname2:encoded-password"
+@@ -119,7 +119,7 @@ An example configuration file follows.
+ #auth = "certificate"
+ #auth = "pam"
+ #auth = "pam[gid-min=1000]"
+-#auth = "plain[passwd=/etc/ocserv/ocpasswd]"
++#auth = "plain[passwd=/usr/local/etc/ocserv/passwd]"
+ #auth = "radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true]"
+
+ # Specify alternative authentication methods that are sufficient
+@@ -431,7 +431,7 @@ rekey-method = ssl
+ use-occtl = true
+
+ # PID file. It can be overriden in the command line.
+-pid-file = /var/run/ocserv.pid
++pid-file = /var/run/ocserv/pid
+
+ # Set the protocol-defined priority (SO_PRIORITY) for packets to
+ # be sent. That is a number from 0 to 6 with 0 being the lowest
+@@ -555,13 +555,13 @@ no-route = 192.168.5.0/255.255.255.0
+ # Also explicit addresses, are only allowed when they are odd. In that
+ # case the next even address will be used as the remote address (in PtP).
+
+-#config-per-user = /etc/ocserv/config-per-user/
+-#config-per-group = /etc/ocserv/config-per-group/
++#config-per-user = /usr/local/etc/ocserv/config-per-user/
++#config-per-group = /usr/local/etc/ocserv/config-per-group/
+
+ # When config-per-xxx is specified and there is no group or user that
+ # matches, then utilize the following configuration.
+-#default-user-config = /etc/ocserv/defaults/user.conf
+-#default-group-config = /etc/ocserv/defaults/group.conf
++#default-user-config = /usr/local/etc/ocserv/defaults/user.conf
++#default-group-config = /usr/local/etc/ocserv/defaults/group.conf
+
+ # The system command to use to setup a route. %{R} will be replaced with the
+ # route/mask and %{D} with the (tun) device.
diff --git a/net/ocserv/pkg-descr b/net/ocserv/pkg-descr
new file mode 100644
index 000000000000..52919d5d5a15
--- /dev/null
+++ b/net/ocserv/pkg-descr
@@ -0,0 +1,20 @@
+OpenConnect server (ocserv) is an SSL VPN server. Its purpose is
+to be a secure, small, fast and configurable VPN server. It implements
+the OpenConnect SSL VPN protocol, and has also (currently experimental)
+compatibility with clients using the AnyConnect SSL VPN protocol.
+The OpenConnect protocol provides a dual TCP/UDP VPN channel, and
+uses the standard IETF security protocols to secure it. Both IPv4
+and IPv6 are supported.
+
+Ocserv's main features are security through provilege separation
+and sandboxing, accounting, and resilience due to a combined use
+of TCP and UDP. Authentication occurs in an isolated security
+module process, and each user is assigned an unprivileged worker
+process, and a networking (tun) device. That not only eases the
+control of the resources of each user or group of users, but also
+prevents data leak (e.g., heartbleed-style attacks), and privilege
+escalation due to any bug on the VPN handling (worker) process. A
+management interface allows for viewing and querying logged-in
+users.
+
+WWW: http://www.infradead.org/ocserv/
diff --git a/net/ocserv/pkg-plist b/net/ocserv/pkg-plist
new file mode 100644
index 000000000000..6d66f42193d5
--- /dev/null
+++ b/net/ocserv/pkg-plist
@@ -0,0 +1,8 @@
+bin/occtl
+bin/ocpasswd
+man/man8/occtl.8.gz
+man/man8/ocpasswd.8.gz
+man/man8/ocserv.8.gz
+@sample etc/ocserv/conf.sample
+sbin/ocserv
+@dir /var/run/ocserv