-rw-r--r-- | GIDs | 1 | ||||
-rw-r--r-- | UIDs | 1 | ||||
-rw-r--r-- | net/Makefile | 1 | ||||
-rw-r--r-- | net/ocserv/Makefile | 78 | ||||
-rw-r--r-- | net/ocserv/distinfo | 2 | ||||
-rw-r--r-- | net/ocserv/files/ocserv.conf | 290 | ||||
-rw-r--r-- | net/ocserv/files/ocserv.in | 26 | ||||
-rw-r--r-- | net/ocserv/files/patch-configure.ac | 36 | ||||
-rw-r--r-- | net/ocserv/files/patch-doc_Makefile.am | 42 | ||||
-rw-r--r-- | net/ocserv/files/patch-src_config.c | 31 | ||||
-rw-r--r-- | net/ocserv/files/patch-src_main-ctl-unix.c | 55 | ||||
-rw-r--r-- | net/ocserv/files/patch-src_main.c | 14 | ||||
-rw-r--r-- | net/ocserv/files/patch-src_ocserv-args.def | 56 | ||||
-rw-r--r-- | net/ocserv/pkg-descr | 20 | ||||
-rw-r--r-- | net/ocserv/pkg-plist | 8 |
15 files changed, 661 insertions, 0 deletions
@@ -238,6 +238,7 @@ dahdi:*:843:asterisk
 subsonic:*:844:
 fossy:*:901:www
 scanlogd:*:902:
+_ocserv:*:903:
 influxd:*:907:
 riemann:*:908:
 proxy65:*:909:
@@ -242,6 +242,7 @@ munin:*:842:842::0:0:Munin:/var/munin:/usr/sbin/nologin
 subsonic:*:844:844::0:0:Subsonic standalone-server:/nonexistent:/usr/sbin/nologin
 fossy:*:901:901::0:0:FOSSology user:/usr/local/share/fossology:/usr/local/bin/bash
 scanlogd:*:902:902::0:0:scanlogd user:/nonexistent:/usr/sbin/nologin
+_ocserv:*:903:903::0:0:ocserv user:/nonexistent:/usr/sbin/nologin
 influxd:*:907:907::0:0:InfluxDB Daemon:/var/empty:/usr/sbin/nologin
 riemann:*:908:908::0:0:Riemann User:/var/empty:/usr/sbin/nologin
 proxy65:*:909:909::0:0:Proxy65 Daemon:/nonexistent:/usr/sbin/nologin
diff --git a/net/Makefile b/net/Makefile
index f11cb819cb6c..1144fd9c3ceb 100644
--- a/net/Makefile
+++ b/net/Makefile
@@ -449,6 +449,7 @@
 SUBDIR += nxproxy
 SUBDIR += nyancat
 SUBDIR += nylon
+ SUBDIR += ocserv
 SUBDIR += ohphone
 SUBDIR += olsrd
 SUBDIR += omcmd
diff --git a/net/ocserv/Makefile b/net/ocserv/Makefile
new file mode 100644
index 000000000000..6526e7d7dc4b
--- /dev/null
+++ b/net/ocserv/Makefile
@@ -0,0 +1,78 @@
+# Created by: Carlos J Puga Medina <cpm@fbsd.es>
+# $FreeBSD$
+
+PORTNAME= ocserv
+PORTVERSION= 0.10.7
+CATEGORIES= net security
+MASTER_SITES= ftp://ftp.infradead.org/pub/ocserv/
+
+MAINTAINER= cpm@fbsd.es
+COMMENT= Server implementing the AnyConnect SSL VPN protocol
+
+LICENSE= GPLv2
+
+BUILD_DEPENDS= autogen:${PORTSDIR}/devel/autogen \
+ gsed:${PORTSDIR}/textproc/gsed \
+ bash:${PORTSDIR}/shells/bash
+LIB_DEPENDS= liblz4.so:${PORTSDIR}/archivers/liblz4 \
+ libiconv.so:${PORTSDIR}/converters/libiconv \
+ libtalloc.so:${PORTSDIR}/devel/talloc \
+ libprotobuf-c.so:${PORTSDIR}/devel/protobuf-c \
+ libgnutls.so:${PORTSDIR}/security/gnutls
+
+USES= autoreconf cpe gmake gperf libtool ncurses pathfix pkgconfig readline tar:xz
+CPE_VENDOR= infradead
+CFLAGS+= -I${LOCALBASE}/include
+LDFLAGS+= -L${LOCALBASE}/lib -lintl
+GNU_CONFIGURE= yes
+USE_LDCONFIG= yes
+
+CONFIGURE_ARGS= --disable-nls \
+ --enable-local-libopts \
+ --without-http-parser \
+ --without-pcl-lib \
+ --without-radius
+
+USERS= _ocserv
+GROUPS= _ocserv
+
+USE_RC_SUBR= ocserv
+
+OPTIONS_DEFINE= DOCS EXAMPLES GSSAPI
+
+PORTDOCS= AUTHORS ChangeLog INSTALL NEWS README TODO
+PORTEXAMPLES= profile.xml sample.config sample.passwd
+
+.include <bsd.port.options.mk>
+
+.if ${PORT_OPTIONS:MGSSAPI}
+USES+= gssapi:mit
+LIB_DEPENDS+= libkrb5support.so:${PORTSDIR}/security/krb5
+.else
+CONFIGURE_ARGS+= --without-gssapi
+.endif
+
+post-patch:
+ ${RM} ${WRKSRC}/doc/occtl.8
+ ${RM} ${WRKSRC}/doc/ocpasswd.8
+ ${RM} ${WRKSRC}/doc/ocserv.8
+
+post-install:
+ ${STRIP_CMD} ${STAGEDIR}${PREFIX}/bin/occtl
+ ${STRIP_CMD} ${STAGEDIR}${PREFIX}/bin/ocpasswd
+ ${STRIP_CMD} ${STAGEDIR}${PREFIX}/sbin/ocserv
+ ${MKDIR} ${STAGEDIR}${PREFIX}/etc/ocserv/
+ ${MKDIR} ${STAGEDIR}/var/run/ocserv/
+ ${CP} ${FILESDIR}/ocserv.conf ${STAGEDIR}${PREFIX}/etc/ocserv/conf.sample
+
+.if ${PORT_OPTIONS:MDOCS}
+ ${MKDIR} ${STAGEDIR}${DOCSDIR}
+ cd ${WRKSRC} && ${INSTALL_DATA} ${PORTDOCS} ${STAGEDIR}${DOCSDIR}
+.endif
+
+.if ${PORT_OPTIONS:MEXAMPLES}
+ ${MKDIR} ${STAGEDIR}${EXAMPLESDIR}
+ cd ${WRKSRC}/doc && ${INSTALL_DATA} ${PORTEXAMPLES} ${STAGEDIR}${EXAMPLESDIR}
+.endif
+
+.include <bsd.port.mk>
diff --git a/net/ocserv/distinfo b/net/ocserv/distinfo
new file mode 100644
index 000000000000..53c631bfd509
--- /dev/null
+++ b/net/ocserv/distinfo
@@ -0,0 +1,2 @@
+SHA256 (ocserv-0.10.7.tar.xz) = 222212baae53e7f74273245e1459d4132cda41ad255a21f1e42ab4cd240f431d
+SIZE (ocserv-0.10.7.tar.xz) = 712232
diff --git a/net/ocserv/files/ocserv.conf b/net/ocserv/files/ocserv.conf
new file mode 100644
index 000000000000..a649d5cb3ce7
--- /dev/null
+++ b/net/ocserv/files/ocserv.conf
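Review bot: `LDFLAGS+= -L${LOCALBASE}/lib -lintl` links every binary against libintl, but LIB_DEPENDS registers no gettext-runtime dependency (only liblz4, libiconv, libtalloc, libprotobuf-c and libgnutls), so the package would carry an unrecorded runtime dependency; with `--disable-nls` in CONFIGURE_ARGS it is also unclear why -lintl is needed, so either drop it or add `libintl.so:${PORTSDIR}/devel/gettext-runtime` to LIB_DEPENDS. `USE_LDCONFIG= yes` looks unnecessary, since pkg-plist installs no shared library. The three `${STRIP_CMD}` lines in post-install could be replaced by a single `INSTALL_TARGET= install-strip`.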
@@ -0,0 +1,290 @@
+# User authentication method. Could be set multiple times and in that case
+# all should succeed.
+# Options: certificate, pam.
+#auth = "certificate"
+#auth = "pam"
+
+# The plain option requires specifying a password file which contains
+# entries of the following format.
+# "username:groupname:encoded-password"
+# One entry must be listed per line, and 'ocpasswd' can be used
+# to generate password entries.
+auth = "plain[passwd=/usr/local/etc/ocserv/passwd]"
+
+# A banner to be displayed on clients
+banner = "Welcome to OpenConnect VPN"
+
+# Use listen-host to limit to specific IPs or to the IPs of a provided
+# hostname.
+#listen-host = [IP|HOSTNAME]
+
+# Limit the number of clients. Unset or set to zero for unlimited.
+#max-clients = 1024
+max-clients = 8
+
+# Limit the number of client connections to one every X milliseconds
+# (X is the provided value). Set to zero for no limit.
+#rate-limit-ms = 100
+
+# Limit the number of identical clients (i.e., users connecting
+# multiple times). Unset or set to zero for unlimited.
+max-same-clients = 2
+
+# TCP and UDP port number
+tcp-port = 4443
+udp-port = 4443
+
+# Keepalive in seconds
+keepalive = 32400
+
+# Dead peer detection in seconds.
+dpd = 120
+
+# Dead peer detection for mobile clients. The needs to
+# be much higher to prevent such clients being awaken too
+# often by the DPD messages, and save battery.
+# (clients that send the X-AnyConnect-Identifier-DeviceType)
+#mobile-dpd = 1800
+
+# MTU discovery (DPD must be enabled)
+try-mtu-discovery = false
+
+# The key and the certificates of the server
+# The key may be a file, or any URL supported by GnuTLS (e.g.,
+# tpmkey:uuid=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx;storage=user
+# or pkcs11:object=my-vpn-key;object-type=private)
+#
+# There may be multiple certificate and key pairs and each key
+# should correspond to the preceding certificate.
+server-cert = /usr/local/etc/ocserv/pub.pem
+server-key = /usr/local/etc/ocserv/key.pem
+
+# Diffie-Hellman parameters. Only needed if you require support
+# for the DHE ciphersuites (by default this server supports ECDHE).
+# Can be generated using:
+# certtool --generate-dh-params --outfile /path/to/dh.pem
+#dh-params = /path/to/dh.pem
+
+# If you have a certificate from a CA that provides an OCSP
+# service you may provide a fresh OCSP status response within
+# the TLS handshake. That will prevent the client from connecting
+# independently on the OCSP server.
+# You can update this response periodically using:
+# ocsptool --ask --load-cert=your_cert --load-issuer=your_ca --outfile response
+# Make sure that you replace the following file in an atomic way.
+#ocsp-response = /path/to/ocsp.der
+
+# In case PKCS #11 or TPM keys are used the PINs should be available
+# in files. The srk-pin-file is applicable to TPM keys only, and is the
+# storage root key.
+#pin-file = /path/to/pin.txt
+#srk-pin-file = /path/to/srkpin.txt
+
+# The Certificate Authority that will be used to verify
+# client certificates (public keys) if certificate authentication
+# is set.
+#ca-cert = /usr/local/etc/ocserv/ca.pem
+
+# The object identifier that will be used to read the user ID in the client
+# certificate. The object identifier should be part of the certificate's DN
+# Useful OIDs are:
+# CN = 2.5.4.3, UID = 0.9.2342.19200300.100.1.1
+#cert-user-oid = 0.9.2342.19200300.100.1.1
+
+# The object identifier that will be used to read the user group in the
+# client certificate. The object identifier should be part of the certificate's
+# DN. Useful OIDs are:
+# OU (organizational unit) = 2.5.4.11
+#cert-group-oid = 2.5.4.11
+
+# The revocation list of the certificates issued by the 'ca-cert' above.
+#crl = /usr/local/etc/ocserv/crl.pem
+
+# GnuTLS priority string
+tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT"
+
+# To enforce perfect forward secrecy (PFS) on the main channel.
+#tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA"
+
+# The time (in seconds) that a client is allowed to stay connected prior
+# to authentication
+auth-timeout = 40
+
+# The time (in seconds) that a client is allowed to stay idle (no traffic)
+# before being disconnected. Unset to disable.
+#idle-timeout = 1200
+
+# The time (in seconds) that a mobile client is allowed to stay idle (no
+# traffic) before being disconnected. Unset to disable.
+#mobile-idle-timeout = 2400
+
+# The time (in seconds) that a client is not allowed to reconnect after
+# a failed authentication attempt.
+#min-reauth-time = 2
+
+# Cookie validity time (in seconds)
+# Once a client is authenticated he's provided a cookie with
+# which he can reconnect. This option sets the maximum lifetime
+# of that cookie.
+#cookie-validity = 86400
+
+# ReKey time (in seconds)
+# ocserv will ask the client to refresh keys periodically once
+# this amount of seconds is elapsed. Set to zero to disable.
+rekey-time = 172800
+
+# ReKey method
+# Valid options: ssl, new-tunnel
+# ssl: Will perform an efficient rehandshake on the channel allowing
+# a seamless connection during rekey.
+# new-tunnel: Will instruct the client to discard and re-establish the channel.
+# Use this option only if the connecting clients have issues with the ssl
+# option.
+rekey-method = ssl
+
+# Script to call when a client connects and obtains an IP
+# Parameters are passed on the environment.
+# REASON, USERNAME, GROUPNAME, HOSTNAME (the hostname selected by client),
+# DEVICE, IP_REAL (the real IP of the client), IP_LOCAL (the local IP
+# in the P-t-P connection), IP_REMOTE (the VPN IP of the client),
+# ID (a unique numeric ID); REASON may be "connect" or "disconnect".
+#connect-script = /scripts/ocserv-script
+#disconnect-script = /scripts/ocserv-script
+
+# UTMP
+use-utmp = false
+
+# OCCTL
+use-occtl = true
+
+# PID file. It can be overriden in the command line.
+pid-file = /var/run/ocserv/pid
+
+# The default server directory. Does not require any devices present.
+chroot-dir = /var/run/ocserv
+
+# socket file used for IPC, will be appended with .PID
+# It must be accessible within the chroot environment (if any)
+socket-file = socket
+
+# The user the worker processes will be run as. It should be
+# unique (no other services run as this user).
+run-as-user = _ocserv
+run-as-group = _ocserv
+
+# Set the protocol-defined priority (SO_PRIORITY) for packets to
+# be sent. That is a number from 0 to 6 with 0 being the lowest
+# priority. Alternatively this can be used to set the IP Type-
+# Of-Service, by setting it to a hexadecimal number (e.g., 0x20).
+# This can be set per user/group or globally.
+#net-priority = 3
+
+# Set the VPN worker process into a specific cgroup. This is Linux
+# specific and can be set per user/group or globally.
+#cgroup = "cpuset,cpu:test"
+
+#
+# Network settings
+#
+
+# The name of the tun device
+device = vpns
+
+# The default domain to be advertised
+default-domain = example.com
+
+# The pool of addresses that leases will be given from.
+ipv4-network = 192.168.1.0
+ipv4-netmask = 255.255.255.0
+
+# The advertized DNS server. Use multiple lines for
+# multiple servers.
+# dns = fc00::4be0
+dns = 192.168.1.2
+
+# The NBNS server (if any)
+#nbns = 192.168.1.3
+
+# The IPv6 subnet that leases will be given from.
+#ipv6-network = fc00::
+#ipv6-prefix = 16
+
+# The domains over which the provided DNS should be used. Use
+# multiple lines for multiple domains.
+#split-dns = example.com
+
+# Prior to leasing any IP from the pool ping it to verify that
+# it is not in use by another (unrelated to this server) host.
+ping-leases = false
+
+# Unset to assign the default MTU of the device
+# mtu =
+
+# Unset to enable bandwidth restrictions (in bytes/sec). The
+# setting here is global, but can also be set per user or per group.
+#rx-data-per-sec = 40000
+#tx-data-per-sec = 40000
+
+# The number of packets (of MTU size) that are available in
+# the output buffer. The default is low to improve latency.
+# Setting it higher will improve throughput.
+#output-buffer = 10
+
+# Routes to be forwarded to the client. If you need the
+# client to forward routes to the server, you may use the
+# config-per-user/group or even connect and disconnect scripts.
+#
+# To set the server as the default gateway for the client just
+# comment out all routes from the server.
+route = 192.168.1.0/255.255.255.0
+route = 192.168.5.0/255.255.255.0
+#route = fef4:db8:1000:1001::/64
+
+# Configuration files that will be applied per user connection or
+# per group. Each file name on these directories must match the username
+# or the groupname.
+# The options allowed in the configuration files are dns, nbns,
+# ipv?-network, ipv4-netmask, ipv6-prefix, rx/tx-per-sec, iroute, route,
+# net-priority and cgroup.
+#
+# Note that the 'iroute' option allows to add routes on the server
+# based on a user or group. The syntax depends on the input accepted
+# by the commands route-add-cmd and route-del-cmd (see below).
+
+#config-per-user = /usr/local/etc/ocserv/config-per-user/
+#config-per-group = /usr/local/etc/ocserv/config-per-group/
+
+# The system command to use to setup a route. %R will be replaced with the
+# route/mask and %D with the (tun) device.
+#
+# The following example is from linux systems. %R should be something
+# like 192.168.2.0/24
+
+#route-add-cmd = "ip route add %R dev %D"
+#route-del-cmd = "ip route delete %R dev %D"
+
+#
+# The following options are for (experimental) AnyConnect client
+# compatibility.
+
+# Client profile xml. A sample file exists in doc/profile.xml.
+# This file must be accessible from inside the worker's chroot.
+# It is not used by the openconnect client.
+#user-profile = profile.xml
+
+# Binary files that may be downloaded by the CISCO client. Must
+# be within any chroot environment.
+#binary-files = /path/to/binaries
+
+# Unless set to false it is required for clients to present their
+# certificate even if they are authenticating via a previously granted
+# cookie and complete their authentication in the same TCP connection.
+# Legacy CISCO clients do not do that, and thus this option should be
+# set for them.
+cisco-client-compat = true
+
+#Advanced options
+
+# Option to allow sending arbitrary custom headers to the client after
+# authentication and prior to VPN tunnel establishment.
+#custom-header = "X-My-Header: hi there"
diff --git a/net/ocserv/files/ocserv.in b/net/ocserv/files/ocserv.in
new file mode 100644
index 000000000000..7775a1477ac4
--- /dev/null
+++ b/net/ocserv/files/ocserv.in
@@ -0,0 +1,26 @@
+#!/bin/sh
+#
+# $FreeBSD$
+#
+# PROVIDE: ocserv
+# REQUIRE: DAEMON
+# KEYWORD: shutdown
+#
+# Add the following to /etc/rc.conf to enable ocserv:
+#
+# ocserv_enable="YES"
+#
+
+. /etc/rc.subr
+
+name="ocserv"
+rcvar="ocserv_enable"
+
+load_rc_config ${name}
+
+: ${ocserv_enable:="NO"}
+: ${ocserv_pidfile:=/var/run/${name}/pid}
+
+command=/usr/local/sbin/${name}
+
+run_rc_command "$1"
diff --git a/net/ocserv/files/patch-configure.ac b/net/ocserv/files/patch-configure.ac
new file mode 100644
index 000000000000..22a9a5f447bc
--- /dev/null
+++ b/net/ocserv/files/patch-configure.ac
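Review bot: The sample ships with `cisco-client-compat = true` switched on even though the comment directly above says this relaxation (not requiring clients to re-present their certificate when reconnecting with a cookie) is only needed for legacy Cisco clients; as shipped it applies to every client, so the sample should carry it commented out, `#cisco-client-compat = true`, and let the administrator opt in. `keepalive = 32400` (nine hours) and `max-clients = 8` are values anyone copying the sample into production will stumble on and deserve a one-line comment on why they were chosen. `auth = "plain[passwd=/usr/local/etc/ocserv/passwd]"` points at a file nothing in the port creates; a comment saying that `ocpasswd` must be run first to create it would help.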
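Review bot: `: ${ocserv_pidfile:=/var/run/${name}/pid}` is never handed to rc.subr, which reads the `pidfile` variable, not `${name}_pidfile`; as written `status` and `stop` fall back to matching the process by name instead of using the pid file ocserv.conf writes to /var/run/ocserv/pid, so add `pidfile="${ocserv_pidfile}"` after the defaults. `command=/usr/local/sbin/${name}` hard-codes the prefix; ports rc scripts use `%%PREFIX%%/sbin/${name}`, which USE_RC_SUBR substitutes at build time. The same hard-coded /usr/local prefix appears in patch-src_config.c (DEFAULT_CFG_FILE) and patch-src_ocserv-args.def, where the port would normally substitute ${PREFIX}.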
@@ -0,0 +1,36 @@
+--- configure.ac.orig 2015-08-06 16:43:09 UTC
++++ configure.ac
+@@ -16,11 +16,11 @@ AM_PROG_CC_C_O
+ if [ test "$GCC" = "yes" ];then
+ CFLAGS="$CFLAGS -Wall"
+ fi
+-AC_PATH_PROG(CTAGS, ctags, /bin/true)
+-AC_PATH_PROG(CSCOPE, cscope, /bin/true)
+-AC_CHECK_PROG([AUTOGEN], [autogen], [autogen], [/bin/true])
++AC_PATH_PROG(CTAGS, ctags, /usr/bin/true)
++AC_PATH_PROG(CSCOPE, cscope, /usr/bin/true)
++AC_CHECK_PROG([AUTOGEN], [autogen], [autogen], [autogen])
+ 
+-if test x"$AUTOGEN" = "x/bin/true"; then
++if test x"$AUTOGEN" = "x:"; then
+ AC_MSG_WARN([[
+ ***
+ *** autogen not found. Will not link against libopts.
+@@ -124,7 +124,7 @@ if test "$test_for_libnl" = yes;then
+ fi
+ 
+ have_readline=no
+-AC_LIB_HAVE_LINKFLAGS(readline,, [
++AC_LIB_HAVE_LINKFLAGS(readline,ncurses, [
+ #include <stdio.h>
+ #include <readline/readline.h>], [rl_replace_line(0,0);])
+ if test x$ac_cv_libreadline = xyes; then
+@@ -441,7 +441,7 @@ if test "$NEED_LIBOPTS_DIR" = "true";the
+ cp -f $i $nam
+ fi
+ done
+- AC_SUBST([AUTOGEN], [/bin/true])
++ AC_SUBST([AUTOGEN], [autogen])
+ enable_local_libopts=yes
+ else
+ enable_local_libopts=no
diff --git a/net/ocserv/files/patch-doc_Makefile.am b/net/ocserv/files/patch-doc_Makefile.am
new file mode 100644
index 000000000000..9790304c9f20
--- /dev/null
+++ b/net/ocserv/files/patch-doc_Makefile.am
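Review bot: `AC_CHECK_PROG([AUTOGEN], [autogen], [autogen], [autogen])` makes the not-found fallback `autogen` as well, and the test below it now compares against `x:`, a value AUTOGEN can no longer take, so the "autogen not found" warning branch is dead code. Because autogen is in BUILD_DEPENDS the outcome is harmless, but the dead check misleads the next reader; either restore a distinguishable fallback or add a short comment in the patch explaining that the branch is intentionally unreachable on FreeBSD. The `/bin/true` to `/usr/bin/true` changes for CTAGS and CSCOPE are fine.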
@@ -0,0 +1,42 @@
+--- doc/Makefile.am.orig 2015-05-26 16:33:38 UTC
++++ doc/Makefile.am
+@@ -5,18 +5,27 @@ EXTRA_DIST = design.dia sample.config sc
+ 
+ dist_man_MANS = ocserv.8 ocpasswd.8 occtl.8
+ 
+-ocserv.8: ../src/ocserv-args.def
+- -sed 's/@subheading \(.*\)/@*\n@var{\1}\n@*/' $< > "$<".tmp && \
+- @AUTOGEN@ -L../src -DMAN_SECTION=8 -Tagman-cmd.tpl "$<".tmp && \
+- rm -f "$<".tmp
++ocserv.8:
++ -gsed 's/@subheading \(.*\)/@*\n@var{\1}\n@*/' \
++ ../src/ocserv-args.def > ../src/ocserv-args.def.tmp && \
++ @AUTOGEN@ -L../src -DMAN_SECTION=8 -Tagman-cmd.tpl \
++ ../src/ocserv-args.def.tmp && \
++ rm -f ../src/ocserv-args.def.tmp
++ sed -I -e 's/^\.NOP //' $@
+ 
+-occtl.8: ../src/occtl-args.def
+- -sed 's/@subheading \(.*\)/@*\n@var{\1}\n@*/' $< > "$<".tmp && \
+- @AUTOGEN@ -L../src -DMAN_SECTION=8 -Tagman-cmd.tpl "$<".tmp && \
+- rm -f "$<".tmp
++occtl.8:
++ -gsed 's/@subheading \(.*\)/@*\n@var{\1}\n@*/' \
++ ../src/occtl-args.def > ../src/occtl-args.def.tmp && \
++ @AUTOGEN@ -L../src -DMAN_SECTION=8 -Tagman-cmd.tpl \
++ ../src/occtl-args.def.tmp && \
++ rm -f ../src/occtl-args.def.tmp
++ sed -I -e 's/^\.NOP //' $@
+ 
+-ocpasswd.8: ../src/ocpasswd-args.def
+- -sed 's/@subheading \(.*\)/@*\n@var{\1}\n@*/' $< > "$<".tmp && \
+- @AUTOGEN@ -L../src -DMAN_SECTION=8 -Tagman-cmd.tpl "$<".tmp && \
+- rm -f "$<".tmp
++ocpasswd.8:
++ -gsed 's/@subheading \(.*\)/@*\n@var{\1}\n@*/' \
++ ../src/ocpasswd-args.def > ../src/ocpasswd-args.def.tmp && \
++ @AUTOGEN@ -L../src -DMAN_SECTION=8 -Tagman-cmd.tpl \
++ ../src/ocpasswd-args.def.tmp && \
++ rm -f ../src/ocpasswd-args.def.tmp
++ sed -I -e 's/^\.NOP //' $@
+ 
diff --git a/net/ocserv/files/patch-src_config.c b/net/ocserv/files/patch-src_config.c
new file mode 100644
index 000000000000..ab450e6c33ea
--- /dev/null
+++ b/net/ocserv/files/patch-src_config.c
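Review bot: The rewritten `ocserv.8:`, `occtl.8:` and `ocpasswd.8:` rules drop the `../src/*-args.def` prerequisites, so the man pages are regenerated only when the file is missing (which the port's post-patch `${RM}` lines arrange) and never when the .def changes; and the leading `-` still ignores a failure of the gsed/autogen chain, after which the added `sed -I -e 's/^\.NOP //' $@` runs against a page that was never produced. Dropping the `-` prefix, and keeping the .def file as a prerequisite, would surface an autogen failure at the rule that caused it rather than later at install time. `sed -I` is BSD-specific; that is acceptable in a FreeBSD-only patch but worth a one-line comment at the top of the patch.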
@@ -0,0 +1,31 @@
+--- src/config.c.orig 2015-07-18 10:35:29 UTC
++++ src/config.c
+@@ -52,8 +52,7 @@
+ #include <tlslib.h>
+ #include "common-config.h"
+ 
+-#define OLD_DEFAULT_CFG_FILE "/etc/ocserv.conf"
+-#define DEFAULT_CFG_FILE "/etc/ocserv/ocserv.conf"
++#define DEFAULT_CFG_FILE "/usr/local/etc/ocserv/conf"
+ 
+ static char pid_file[_POSIX_PATH_MAX] = "";
+ static const char* cfg_file = DEFAULT_CFG_FILE;
+@@ -414,7 +413,7 @@ static void figure_auth_funcs(struct per
+ }
+ talloc_free(auth[j]);
+ }
+- fprintf(stderr, "Setting '%s' as primary authentication method\n", config->auth[0].name);
++ /* fprintf(stderr, "Setting '%s' as primary authentication method\n", config->auth[0].name); */
+ } else {
+ unsigned x = config->auth_methods;
+ /* Append authentication methods (alternative options) */
+@@ -583,9 +582,6 @@ size_t urlfw_size = 0;
+ #endif
+ 
+ pov = configFileLoad(file);
+- if (pov == NULL && file != NULL && strcmp(file, DEFAULT_CFG_FILE) == 0)
+- pov = configFileLoad(OLD_DEFAULT_CFG_FILE);
+- 
+ if (pov == NULL) {
+ fprintf(stderr, "Error loading config file %s\n", file);
+ exit(1);
diff --git a/net/ocserv/files/patch-src_main-ctl-unix.c b/net/ocserv/files/patch-src_main-ctl-unix.c
new file mode 100644
index 000000000000..f1da865b5c40
--- /dev/null
+++ b/net/ocserv/files/patch-src_main-ctl-unix.c
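Review bot: The second hunk replaces the "Setting '%s' as primary authentication method" message with the same statement wrapped in `/* ... */`, leaving commented-out code in the patched source; if the message is unwanted on FreeBSD, delete the line outright, and if it is merely too chatty, lowering it to a debug-level log would keep the information available when diagnosing which auth method won. A one-line comment in the patch header stating why the message is dropped would also help the next maintainer who rebases this patch. figure_auth_funcs continues outside the hunk.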
@@ -0,0 +1,55 @@
+--- src/main-ctl-unix.c.orig 2015-05-26 16:33:38 UTC
++++ src/main-ctl-unix.c
+@@ -110,10 +110,15 @@ int ctl_handler_init(main_server_st * s)
+ struct sockaddr_un sa;
+ int sd, e;
+ 
+- if (s->config->use_occtl == 0 || s->perm_config->occtl_socket_file == NULL)
++ mslog(s, NULL, LOG_INFO, "using control unix socket: %s", s->perm_config->occtl_socket_file);
++ 
++ if (s->config->use_occtl == 0 ||
++ s->perm_config->occtl_socket_file == NULL) {
++ mslog(s, NULL, LOG_INFO, "not using control unix socket");
+ return 0;
++ }
+ 
+- mslog(s, NULL, LOG_DEBUG, "initializing control unix socket: %s", s->perm_config->occtl_socket_file);
++ mslog(s, NULL, LOG_INFO, "initializing control unix socket: %s", s->perm_config->occtl_socket_file);
+ memset(&sa, 0, sizeof(sa));
+ sa.sun_family = AF_UNIX;
+ strlcpy(sa.sun_path, s->perm_config->occtl_socket_file, sizeof(sa.sun_path));
+@@ -122,7 +127,7 @@ int ctl_handler_init(main_server_st * s)
+ sd = socket(AF_UNIX, SOCK_STREAM, 0);
+ if (sd == -1) {
+ e = errno;
+- mslog(s, NULL, LOG_ERR, "could not create socket '%s': %s",
++ mslog(s, NULL, LOG_INFO, "could not create socket '%s': %s",
+ s->perm_config->occtl_socket_file, strerror(e));
+ return -1;
+ }
+@@ -131,7 +136,7 @@ int ctl_handler_init(main_server_st * s)
+ ret = bind(sd, (struct sockaddr *)&sa, SUN_LEN(&sa));
+ if (ret == -1) {
+ e = errno;
+- mslog(s, NULL, LOG_ERR, "could not bind socket '%s': %s",
++ mslog(s, NULL, LOG_INFO, "could not bind socket '%s': %s",
+ s->perm_config->occtl_socket_file, strerror(e));
+ return -1;
+ }
+@@ -139,14 +144,14 @@ int ctl_handler_init(main_server_st * s)
+ ret = chown(s->perm_config->occtl_socket_file, s->perm_config->uid, s->perm_config->gid);
+ if (ret == -1) {
+ e = errno;
+- mslog(s, NULL, LOG_ERR, "could not chown socket '%s': %s",
++ mslog(s, NULL, LOG_INFO, "could not chown socket '%s': %s",
+ s->perm_config->occtl_socket_file, strerror(e));
+ }
+ 
+ ret = listen(sd, 1024);
+ if (ret == -1) {
+ e = errno;
+- mslog(s, NULL, LOG_ERR, "could not listen to socket '%s': %s",
++ mslog(s, NULL, LOG_INFO, "could not listen to socket '%s': %s",
+ s->perm_config->occtl_socket_file, strerror(e));
+ return -1;
+ }
diff --git a/net/ocserv/files/patch-src_main.c b/net/ocserv/files/patch-src_main.c
new file mode 100644
index 000000000000..289d9a0e0ab3
--- /dev/null
+++ b/net/ocserv/files/patch-src_main.c
@@ -0,0 +1,14 @@
+--- src/main.c.orig 2015-07-01 18:41:01 UTC
++++ src/main.c
+@@ -131,8 +131,9 @@ int y;
+ perror("setsockopt(IP_PKTINFO) failed");
+ #elif defined(IP_RECVDSTADDR) /* *BSD */
+ y = 1;
+- if (setsockopt(fd, IPPROTO_IP, IP_RECVDSTADDR,
+- (const void *)&y, sizeof(y)) < 0)
++ if (family == AF_INET &&
++ setsockopt(fd, IPPROTO_IP, IP_RECVDSTADDR,
++ (const void *)&y, sizeof(y)) < 0)
+ perror("setsockopt(IP_RECVDSTADDR) failed");
+ #endif
+ #if defined(IPV6_RECVPKTINFO)
diff --git a/net/ocserv/files/patch-src_ocserv-args.def b/net/ocserv/files/patch-src_ocserv-args.def
new file mode 100644
index 000000000000..23810fb388f6
--- /dev/null
+++ b/net/ocserv/files/patch-src_ocserv-args.def
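Review bot: The added `mslog(s, NULL, LOG_INFO, "using control unix socket: %s", s->perm_config->occtl_socket_file);` runs before the `occtl_socket_file == NULL` check that follows it, so when occtl is disabled or no socket file is configured a NULL pointer is handed to a `%s` conversion; move that line after the check, next to the "initializing control unix socket" message. Every failure branch in the later hunks (socket, bind, chown, listen) is demoted from LOG_ERR to LOG_INFO although the function still returns -1 on three of them; at a default log level that hides a broken control socket from the operator, so keep `LOG_ERR` on those four lines and reserve LOG_INFO for the new "not using control unix socket" path. ctl_handler_init continues outside the hunk.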
@@ -0,0 +1,56 @@
+--- src/ocserv-args.def.orig 2015-07-15 17:17:22 UTC
++++ src/ocserv-args.def
+@@ -68,7 +68,7 @@ doc-section = {
+ ds-format = 'texi';
+ ds-text = <<-_EOT_
+ @subheading ocserv's configuration file format
+-By default, if no other file is specified, ocserv looks for its configuration file at @file{/etc/ocserv/ocserv.conf}.
++By default, if no other file is specified, ocserv looks for its configuration file at @file{/usr/local/etc/ocserv/conf}.
+ An example configuration file follows.
+ 
+ @example
+@@ -87,7 +87,7 @@ An example configuration file follows.
+ # This enabled PAM authentication of the user. The gid-min option is used
+ # by auto-select-group option, in order to select the minimum valid group ID.
+ #
+-# plain[passwd=/etc/ocserv/ocpasswd]
++# plain[passwd=/usr/local/etc/ocserv/ocpasswd]
+ # The plain option requires specifying a password file which contains
+ # entries of the following format.
+ # "username:groupname1,groupname2:encoded-password"
+@@ -119,7 +119,7 @@ An example configuration file follows.
+ #auth = "certificate"
+ #auth = "pam"
+ #auth = "pam[gid-min=1000]"
+-#auth = "plain[passwd=/etc/ocserv/ocpasswd]"
++#auth = "plain[passwd=/usr/local/etc/ocserv/passwd]"
+ #auth = "radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true]"
+ 
+ # Specify alternative authentication methods that are sufficient
+@@ -431,7 +431,7 @@ rekey-method = ssl
+ use-occtl = true
+ 
+ # PID file. It can be overriden in the command line.
+-pid-file = /var/run/ocserv.pid
++pid-file = /var/run/ocserv/pid
+ 
+ # Set the protocol-defined priority (SO_PRIORITY) for packets to
+ # be sent. That is a number from 0 to 6 with 0 being the lowest
+@@ -555,13 +555,13 @@ no-route = 192.168.5.0/255.255.255.0
+ # Also explicit addresses, are only allowed when they are odd. In that
+ # case the next even address will be used as the remote address (in PtP).
+ 
+-#config-per-user = /etc/ocserv/config-per-user/
+-#config-per-group = /etc/ocserv/config-per-group/
++#config-per-user = /usr/local/etc/ocserv/config-per-user/
++#config-per-group = /usr/local/etc/ocserv/config-per-group/
+ 
+ # When config-per-xxx is specified and there is no group or user that
+ # matches, then utilize the following configuration.
+-#default-user-config = /etc/ocserv/defaults/user.conf
+-#default-group-config = /etc/ocserv/defaults/group.conf
++#default-user-config = /usr/local/etc/ocserv/defaults/user.conf
++#default-group-config = /usr/local/etc/ocserv/defaults/group.conf
+ 
+ # The system command to use to setup a route. %{R} will be replaced with the
+ # route/mask and %{D} with the (tun) device.
diff --git a/net/ocserv/pkg-descr b/net/ocserv/pkg-descr
new file mode 100644
index 000000000000..52919d5d5a15
--- /dev/null
+++ b/net/ocserv/pkg-descr
@@ -0,0 +1,20 @@
+OpenConnect server (ocserv) is an SSL VPN server. Its purpose is
+to be a secure, small, fast and configurable VPN server. It implements
+the OpenConnect SSL VPN protocol, and has also (currently experimental)
+compatibility with clients using the AnyConnect SSL VPN protocol.
+The OpenConnect protocol provides a dual TCP/UDP VPN channel, and
+uses the standard IETF security protocols to secure it. Both IPv4
+and IPv6 are supported.
+
+Ocserv's main features are security through provilege separation
+and sandboxing, accounting, and resilience due to a combined use
+of TCP and UDP. Authentication occurs in an isolated security
+module process, and each user is assigned an unprivileged worker
+process, and a networking (tun) device. That not only eases the
+control of the resources of each user or group of users, but also
+prevents data leak (e.g., heartbleed-style attacks), and privilege
+escalation due to any bug on the VPN handling (worker) process. A
+management interface allows for viewing and querying logged-in
+users.
+
+WWW: http://www.infradead.org/ocserv/
diff --git a/net/ocserv/pkg-plist b/net/ocserv/pkg-plist
new file mode 100644
index 000000000000..6d66f42193d5
--- /dev/null
+++ b/net/ocserv/pkg-plist
@@ -0,0 +1,8 @@
+bin/occtl
+bin/ocpasswd
+man/man8/occtl.8.gz
+man/man8/ocpasswd.8.gz
+man/man8/ocserv.8.gz
+@sample etc/ocserv/conf.sample
+sbin/ocserv
+@dir /var/run/ocserv |
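Review bot: `@dir /var/run/ocserv` creates the runtime directory (pid file, control socket and chroot-dir in ocserv.conf) only at package install time, and nothing in ocserv.in recreates it; on a host where /var/run is cleaned or tmpfs-mounted (not the stock FreeBSD layout, so this is a hedge) the daemon would then fail to start. A `start_precmd` in the rc script that runs `mkdir -p` on that directory before launching ocserv would make startup independent of the package state. Leaving the directory root-owned is correct for a chroot-dir; do not hand it to _ocserv.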