1
0
mirror of https://git.FreeBSD.org/ports.git synced 2024-11-18 00:10:04 +00:00

New port: net/ocserv: server implementing the AnyConnect SSL VPN protocol

OpenConnect server (ocserv) is an SSL VPN server. Its purpose is
to be a secure, small, fast and configurable VPN server. It implements
the OpenConnect SSL VPN protocol, and has also (currently experimental)
compatibility with clients using the AnyConnect SSL VPN protocol.
The OpenConnect protocol provides a dual TCP/UDP VPN channel, and
uses the standard IETF security protocols to secure it. Both IPv4
and IPv6 are supported.

Ocserv's main features are security through provilege separation
and sandboxing, accounting, and resilience due to a combined use
of TCP and UDP.  Authentication occurs in an isolated security
module process, and each user is assigned an unprivileged worker
process, and a networking (tun) device. That not only eases the
control of the resources of each user or group of users, but also
prevents data leak (e.g., heartbleed-style attacks), and privilege
escalation due to any bug on the VPN handling (worker) process. A
management interface allows for viewing and querying logged-in
users.

WWW: http://www.infradead.org/ocserv/

PR:		202253
Submitted by:	Carlos Jacobo Puga Medina <cpm@fbsd.es>
Reviewed by:	pi
This commit is contained in:
Kurt Jaeger 2015-08-16 21:48:15 +00:00
parent 1fffae5392
commit 81bf447722
Notes: svn2git 2021-03-31 03:12:20 +00:00
svn path=/head/; revision=394422
15 changed files with 661 additions and 0 deletions

1
GIDs
View File

@ -238,6 +238,7 @@ dahdi:*:843:asterisk
subsonic:*:844:
fossy:*:901:www
scanlogd:*:902:
_ocserv:*:903:
influxd:*:907:
riemann:*:908:
proxy65:*:909:

1
UIDs
View File

@ -242,6 +242,7 @@ munin:*:842:842::0:0:Munin:/var/munin:/usr/sbin/nologin
subsonic:*:844:844::0:0:Subsonic standalone-server:/nonexistent:/usr/sbin/nologin
fossy:*:901:901::0:0:FOSSology user:/usr/local/share/fossology:/usr/local/bin/bash
scanlogd:*:902:902::0:0:scanlogd user:/nonexistent:/usr/sbin/nologin
_ocserv:*:903:903::0:0:ocserv user:/nonexistent:/usr/sbin/nologin
influxd:*:907:907::0:0:InfluxDB Daemon:/var/empty:/usr/sbin/nologin
riemann:*:908:908::0:0:Riemann User:/var/empty:/usr/sbin/nologin
proxy65:*:909:909::0:0:Proxy65 Daemon:/nonexistent:/usr/sbin/nologin

View File

@ -449,6 +449,7 @@
SUBDIR += nxproxy
SUBDIR += nyancat
SUBDIR += nylon
SUBDIR += ocserv
SUBDIR += ohphone
SUBDIR += olsrd
SUBDIR += omcmd

78
net/ocserv/Makefile Normal file
View File

@ -0,0 +1,78 @@
# Created by: Carlos J Puga Medina <cpm@fbsd.es>
# $FreeBSD$
PORTNAME= ocserv
PORTVERSION= 0.10.7
CATEGORIES= net security
MASTER_SITES= ftp://ftp.infradead.org/pub/ocserv/
MAINTAINER= cpm@fbsd.es
COMMENT= Server implementing the AnyConnect SSL VPN protocol
LICENSE= GPLv2
BUILD_DEPENDS= autogen:${PORTSDIR}/devel/autogen \
gsed:${PORTSDIR}/textproc/gsed \
bash:${PORTSDIR}/shells/bash
LIB_DEPENDS= liblz4.so:${PORTSDIR}/archivers/liblz4 \
libiconv.so:${PORTSDIR}/converters/libiconv \
libtalloc.so:${PORTSDIR}/devel/talloc \
libprotobuf-c.so:${PORTSDIR}/devel/protobuf-c \
libgnutls.so:${PORTSDIR}/security/gnutls
USES= autoreconf cpe gmake gperf libtool ncurses pathfix pkgconfig readline tar:xz
CPE_VENDOR= infradead
CFLAGS+= -I${LOCALBASE}/include
LDFLAGS+= -L${LOCALBASE}/lib -lintl
GNU_CONFIGURE= yes
USE_LDCONFIG= yes
CONFIGURE_ARGS= --disable-nls \
--enable-local-libopts \
--without-http-parser \
--without-pcl-lib \
--without-radius
USERS= _ocserv
GROUPS= _ocserv
USE_RC_SUBR= ocserv
OPTIONS_DEFINE= DOCS EXAMPLES GSSAPI
PORTDOCS= AUTHORS ChangeLog INSTALL NEWS README TODO
PORTEXAMPLES= profile.xml sample.config sample.passwd
.include <bsd.port.options.mk>
.if ${PORT_OPTIONS:MGSSAPI}
USES+= gssapi:mit
LIB_DEPENDS+= libkrb5support.so:${PORTSDIR}/security/krb5
.else
CONFIGURE_ARGS+= --without-gssapi
.endif
post-patch:
${RM} ${WRKSRC}/doc/occtl.8
${RM} ${WRKSRC}/doc/ocpasswd.8
${RM} ${WRKSRC}/doc/ocserv.8
post-install:
${STRIP_CMD} ${STAGEDIR}${PREFIX}/bin/occtl
${STRIP_CMD} ${STAGEDIR}${PREFIX}/bin/ocpasswd
${STRIP_CMD} ${STAGEDIR}${PREFIX}/sbin/ocserv
${MKDIR} ${STAGEDIR}${PREFIX}/etc/ocserv/
${MKDIR} ${STAGEDIR}/var/run/ocserv/
${CP} ${FILESDIR}/ocserv.conf ${STAGEDIR}${PREFIX}/etc/ocserv/conf.sample
.if ${PORT_OPTIONS:MDOCS}
${MKDIR} ${STAGEDIR}${DOCSDIR}
cd ${WRKSRC} && ${INSTALL_DATA} ${PORTDOCS} ${STAGEDIR}${DOCSDIR}
.endif
.if ${PORT_OPTIONS:MEXAMPLES}
${MKDIR} ${STAGEDIR}${EXAMPLESDIR}
cd ${WRKSRC}/doc && ${INSTALL_DATA} ${PORTEXAMPLES} ${STAGEDIR}${EXAMPLESDIR}
.endif
.include <bsd.port.mk>

2
net/ocserv/distinfo Normal file
View File

@ -0,0 +1,2 @@
SHA256 (ocserv-0.10.7.tar.xz) = 222212baae53e7f74273245e1459d4132cda41ad255a21f1e42ab4cd240f431d
SIZE (ocserv-0.10.7.tar.xz) = 712232

View File

@ -0,0 +1,290 @@
# User authentication method. Could be set multiple times and in that case
# all should succeed.
# Options: certificate, pam.
#auth = "certificate"
#auth = "pam"
# The plain option requires specifying a password file which contains
# entries of the following format.
# "username:groupname:encoded-password"
# One entry must be listed per line, and 'ocpasswd' can be used
# to generate password entries.
auth = "plain[passwd=/usr/local/etc/ocserv/passwd]"
# A banner to be displayed on clients
banner = "Welcome to OpenConnect VPN"
# Use listen-host to limit to specific IPs or to the IPs of a provided
# hostname.
#listen-host = [IP|HOSTNAME]
# Limit the number of clients. Unset or set to zero for unlimited.
#max-clients = 1024
max-clients = 8
# Limit the number of client connections to one every X milliseconds
# (X is the provided value). Set to zero for no limit.
#rate-limit-ms = 100
# Limit the number of identical clients (i.e., users connecting
# multiple times). Unset or set to zero for unlimited.
max-same-clients = 2
# TCP and UDP port number
tcp-port = 4443
udp-port = 4443
# Keepalive in seconds
keepalive = 32400
# Dead peer detection in seconds.
dpd = 120
# Dead peer detection for mobile clients. The needs to
# be much higher to prevent such clients being awaken too
# often by the DPD messages, and save battery.
# (clients that send the X-AnyConnect-Identifier-DeviceType)
#mobile-dpd = 1800
# MTU discovery (DPD must be enabled)
try-mtu-discovery = false
# The key and the certificates of the server
# The key may be a file, or any URL supported by GnuTLS (e.g.,
# tpmkey:uuid=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx;storage=user
# or pkcs11:object=my-vpn-key;object-type=private)
#
# There may be multiple certificate and key pairs and each key
# should correspond to the preceding certificate.
server-cert = /usr/local/etc/ocserv/pub.pem
server-key = /usr/local/etc/ocserv/key.pem
# Diffie-Hellman parameters. Only needed if you require support
# for the DHE ciphersuites (by default this server supports ECDHE).
# Can be generated using:
# certtool --generate-dh-params --outfile /path/to/dh.pem
#dh-params = /path/to/dh.pem
# If you have a certificate from a CA that provides an OCSP
# service you may provide a fresh OCSP status response within
# the TLS handshake. That will prevent the client from connecting
# independently on the OCSP server.
# You can update this response periodically using:
# ocsptool --ask --load-cert=your_cert --load-issuer=your_ca --outfile response
# Make sure that you replace the following file in an atomic way.
#ocsp-response = /path/to/ocsp.der
# In case PKCS #11 or TPM keys are used the PINs should be available
# in files. The srk-pin-file is applicable to TPM keys only, and is the
# storage root key.
#pin-file = /path/to/pin.txt
#srk-pin-file = /path/to/srkpin.txt
# The Certificate Authority that will be used to verify
# client certificates (public keys) if certificate authentication
# is set.
#ca-cert = /usr/local/etc/ocserv/ca.pem
# The object identifier that will be used to read the user ID in the client
# certificate. The object identifier should be part of the certificate's DN
# Useful OIDs are:
# CN = 2.5.4.3, UID = 0.9.2342.19200300.100.1.1
#cert-user-oid = 0.9.2342.19200300.100.1.1
# The object identifier that will be used to read the user group in the
# client certificate. The object identifier should be part of the certificate's
# DN. Useful OIDs are:
# OU (organizational unit) = 2.5.4.11
#cert-group-oid = 2.5.4.11
# The revocation list of the certificates issued by the 'ca-cert' above.
#crl = /usr/local/etc/ocserv/crl.pem
# GnuTLS priority string
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT"
# To enforce perfect forward secrecy (PFS) on the main channel.
#tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA"
# The time (in seconds) that a client is allowed to stay connected prior
# to authentication
auth-timeout = 40
# The time (in seconds) that a client is allowed to stay idle (no traffic)
# before being disconnected. Unset to disable.
#idle-timeout = 1200
# The time (in seconds) that a mobile client is allowed to stay idle (no
# traffic) before being disconnected. Unset to disable.
#mobile-idle-timeout = 2400
# The time (in seconds) that a client is not allowed to reconnect after
# a failed authentication attempt.
#min-reauth-time = 2
# Cookie validity time (in seconds)
# Once a client is authenticated he's provided a cookie with
# which he can reconnect. This option sets the maximum lifetime
# of that cookie.
#cookie-validity = 86400
# ReKey time (in seconds)
# ocserv will ask the client to refresh keys periodically once
# this amount of seconds is elapsed. Set to zero to disable.
rekey-time = 172800
# ReKey method
# Valid options: ssl, new-tunnel
# ssl: Will perform an efficient rehandshake on the channel allowing
# a seamless connection during rekey.
# new-tunnel: Will instruct the client to discard and re-establish the channel.
# Use this option only if the connecting clients have issues with the ssl
# option.
rekey-method = ssl
# Script to call when a client connects and obtains an IP
# Parameters are passed on the environment.
# REASON, USERNAME, GROUPNAME, HOSTNAME (the hostname selected by client),
# DEVICE, IP_REAL (the real IP of the client), IP_LOCAL (the local IP
# in the P-t-P connection), IP_REMOTE (the VPN IP of the client),
# ID (a unique numeric ID); REASON may be "connect" or "disconnect".
#connect-script = /scripts/ocserv-script
#disconnect-script = /scripts/ocserv-script
# UTMP
use-utmp = false
# OCCTL
use-occtl = true
# PID file. It can be overriden in the command line.
pid-file = /var/run/ocserv/pid
# The default server directory. Does not require any devices present.
chroot-dir = /var/run/ocserv
# socket file used for IPC, will be appended with .PID
# It must be accessible within the chroot environment (if any)
socket-file = socket
# The user the worker processes will be run as. It should be
# unique (no other services run as this user).
run-as-user = _ocserv
run-as-group = _ocserv
# Set the protocol-defined priority (SO_PRIORITY) for packets to
# be sent. That is a number from 0 to 6 with 0 being the lowest
# priority. Alternatively this can be used to set the IP Type-
# Of-Service, by setting it to a hexadecimal number (e.g., 0x20).
# This can be set per user/group or globally.
#net-priority = 3
# Set the VPN worker process into a specific cgroup. This is Linux
# specific and can be set per user/group or globally.
#cgroup = "cpuset,cpu:test"
#
# Network settings
#
# The name of the tun device
device = vpns
# The default domain to be advertised
default-domain = example.com
# The pool of addresses that leases will be given from.
ipv4-network = 192.168.1.0
ipv4-netmask = 255.255.255.0
# The advertized DNS server. Use multiple lines for
# multiple servers.
# dns = fc00::4be0
dns = 192.168.1.2
# The NBNS server (if any)
#nbns = 192.168.1.3
# The IPv6 subnet that leases will be given from.
#ipv6-network = fc00::
#ipv6-prefix = 16
# The domains over which the provided DNS should be used. Use
# multiple lines for multiple domains.
#split-dns = example.com
# Prior to leasing any IP from the pool ping it to verify that
# it is not in use by another (unrelated to this server) host.
ping-leases = false
# Unset to assign the default MTU of the device
# mtu =
# Unset to enable bandwidth restrictions (in bytes/sec). The
# setting here is global, but can also be set per user or per group.
#rx-data-per-sec = 40000
#tx-data-per-sec = 40000
# The number of packets (of MTU size) that are available in
# the output buffer. The default is low to improve latency.
# Setting it higher will improve throughput.
#output-buffer = 10
# Routes to be forwarded to the client. If you need the
# client to forward routes to the server, you may use the
# config-per-user/group or even connect and disconnect scripts.
#
# To set the server as the default gateway for the client just
# comment out all routes from the server.
route = 192.168.1.0/255.255.255.0
route = 192.168.5.0/255.255.255.0
#route = fef4:db8:1000:1001::/64
# Configuration files that will be applied per user connection or
# per group. Each file name on these directories must match the username
# or the groupname.
# The options allowed in the configuration files are dns, nbns,
# ipv?-network, ipv4-netmask, ipv6-prefix, rx/tx-per-sec, iroute, route,
# net-priority and cgroup.
#
# Note that the 'iroute' option allows to add routes on the server
# based on a user or group. The syntax depends on the input accepted
# by the commands route-add-cmd and route-del-cmd (see below).
#config-per-user = /usr/local/etc/ocserv/config-per-user/
#config-per-group = /usr/local/etc/ocserv/config-per-group/
# The system command to use to setup a route. %R will be replaced with the
# route/mask and %D with the (tun) device.
#
# The following example is from linux systems. %R should be something
# like 192.168.2.0/24
#route-add-cmd = "ip route add %R dev %D"
#route-del-cmd = "ip route delete %R dev %D"
#
# The following options are for (experimental) AnyConnect client
# compatibility.
# Client profile xml. A sample file exists in doc/profile.xml.
# This file must be accessible from inside the worker's chroot.
# It is not used by the openconnect client.
#user-profile = profile.xml
# Binary files that may be downloaded by the CISCO client. Must
# be within any chroot environment.
#binary-files = /path/to/binaries
# Unless set to false it is required for clients to present their
# certificate even if they are authenticating via a previously granted
# cookie and complete their authentication in the same TCP connection.
# Legacy CISCO clients do not do that, and thus this option should be
# set for them.
cisco-client-compat = true
#Advanced options
# Option to allow sending arbitrary custom headers to the client after
# authentication and prior to VPN tunnel establishment.
#custom-header = "X-My-Header: hi there"

View File

@ -0,0 +1,26 @@
#!/bin/sh
#
# $FreeBSD$
#
# PROVIDE: ocserv
# REQUIRE: DAEMON
# KEYWORD: shutdown
#
# Add the following to /etc/rc.conf to enable ocserv:
#
# ocserv_enable="YES"
#
. /etc/rc.subr
name="ocserv"
rcvar="ocserv_enable"
load_rc_config ${name}
: ${ocserv_enable:="NO"}
: ${ocserv_pidfile:=/var/run/${name}/pid}
command=/usr/local/sbin/${name}
run_rc_command "$1"

View File

@ -0,0 +1,36 @@
--- configure.ac.orig 2015-08-06 16:43:09 UTC
+++ configure.ac
@@ -16,11 +16,11 @@ AM_PROG_CC_C_O
if [ test "$GCC" = "yes" ];then
CFLAGS="$CFLAGS -Wall"
fi
-AC_PATH_PROG(CTAGS, ctags, /bin/true)
-AC_PATH_PROG(CSCOPE, cscope, /bin/true)
-AC_CHECK_PROG([AUTOGEN], [autogen], [autogen], [/bin/true])
+AC_PATH_PROG(CTAGS, ctags, /usr/bin/true)
+AC_PATH_PROG(CSCOPE, cscope, /usr/bin/true)
+AC_CHECK_PROG([AUTOGEN], [autogen], [autogen], [autogen])
-if test x"$AUTOGEN" = "x/bin/true"; then
+if test x"$AUTOGEN" = "x:"; then
AC_MSG_WARN([[
***
*** autogen not found. Will not link against libopts.
@@ -124,7 +124,7 @@ if test "$test_for_libnl" = yes;then
fi
have_readline=no
-AC_LIB_HAVE_LINKFLAGS(readline,, [
+AC_LIB_HAVE_LINKFLAGS(readline,ncurses, [
#include <stdio.h>
#include <readline/readline.h>], [rl_replace_line(0,0);])
if test x$ac_cv_libreadline = xyes; then
@@ -441,7 +441,7 @@ if test "$NEED_LIBOPTS_DIR" = "true";the
cp -f $i $nam
fi
done
- AC_SUBST([AUTOGEN], [/bin/true])
+ AC_SUBST([AUTOGEN], [autogen])
enable_local_libopts=yes
else
enable_local_libopts=no

View File

@ -0,0 +1,42 @@
--- doc/Makefile.am.orig 2015-05-26 16:33:38 UTC
+++ doc/Makefile.am
@@ -5,18 +5,27 @@ EXTRA_DIST = design.dia sample.config sc
dist_man_MANS = ocserv.8 ocpasswd.8 occtl.8
-ocserv.8: ../src/ocserv-args.def
- -sed 's/@subheading \(.*\)/@*\n@var{\1}\n@*/' $< > "$<".tmp && \
- @AUTOGEN@ -L../src -DMAN_SECTION=8 -Tagman-cmd.tpl "$<".tmp && \
- rm -f "$<".tmp
+ocserv.8:
+ -gsed 's/@subheading \(.*\)/@*\n@var{\1}\n@*/' \
+ ../src/ocserv-args.def > ../src/ocserv-args.def.tmp && \
+ @AUTOGEN@ -L../src -DMAN_SECTION=8 -Tagman-cmd.tpl \
+ ../src/ocserv-args.def.tmp && \
+ rm -f ../src/ocserv-args.def.tmp
+ sed -I -e 's/^\.NOP //' $@
-occtl.8: ../src/occtl-args.def
- -sed 's/@subheading \(.*\)/@*\n@var{\1}\n@*/' $< > "$<".tmp && \
- @AUTOGEN@ -L../src -DMAN_SECTION=8 -Tagman-cmd.tpl "$<".tmp && \
- rm -f "$<".tmp
+occtl.8:
+ -gsed 's/@subheading \(.*\)/@*\n@var{\1}\n@*/' \
+ ../src/occtl-args.def > ../src/occtl-args.def.tmp && \
+ @AUTOGEN@ -L../src -DMAN_SECTION=8 -Tagman-cmd.tpl \
+ ../src/occtl-args.def.tmp && \
+ rm -f ../src/occtl-args.def.tmp
+ sed -I -e 's/^\.NOP //' $@
-ocpasswd.8: ../src/ocpasswd-args.def
- -sed 's/@subheading \(.*\)/@*\n@var{\1}\n@*/' $< > "$<".tmp && \
- @AUTOGEN@ -L../src -DMAN_SECTION=8 -Tagman-cmd.tpl "$<".tmp && \
- rm -f "$<".tmp
+ocpasswd.8:
+ -gsed 's/@subheading \(.*\)/@*\n@var{\1}\n@*/' \
+ ../src/ocpasswd-args.def > ../src/ocpasswd-args.def.tmp && \
+ @AUTOGEN@ -L../src -DMAN_SECTION=8 -Tagman-cmd.tpl \
+ ../src/ocpasswd-args.def.tmp && \
+ rm -f ../src/ocpasswd-args.def.tmp
+ sed -I -e 's/^\.NOP //' $@

View File

@ -0,0 +1,31 @@
--- src/config.c.orig 2015-07-18 10:35:29 UTC
+++ src/config.c
@@ -52,8 +52,7 @@
#include <tlslib.h>
#include "common-config.h"
-#define OLD_DEFAULT_CFG_FILE "/etc/ocserv.conf"
-#define DEFAULT_CFG_FILE "/etc/ocserv/ocserv.conf"
+#define DEFAULT_CFG_FILE "/usr/local/etc/ocserv/conf"
static char pid_file[_POSIX_PATH_MAX] = "";
static const char* cfg_file = DEFAULT_CFG_FILE;
@@ -414,7 +413,7 @@ static void figure_auth_funcs(struct per
}
talloc_free(auth[j]);
}
- fprintf(stderr, "Setting '%s' as primary authentication method\n", config->auth[0].name);
+ /* fprintf(stderr, "Setting '%s' as primary authentication method\n", config->auth[0].name); */
} else {
unsigned x = config->auth_methods;
/* Append authentication methods (alternative options) */
@@ -583,9 +582,6 @@ size_t urlfw_size = 0;
#endif
pov = configFileLoad(file);
- if (pov == NULL && file != NULL && strcmp(file, DEFAULT_CFG_FILE) == 0)
- pov = configFileLoad(OLD_DEFAULT_CFG_FILE);
-
if (pov == NULL) {
fprintf(stderr, "Error loading config file %s\n", file);
exit(1);

View File

@ -0,0 +1,55 @@
--- src/main-ctl-unix.c.orig 2015-05-26 16:33:38 UTC
+++ src/main-ctl-unix.c
@@ -110,10 +110,15 @@ int ctl_handler_init(main_server_st * s)
struct sockaddr_un sa;
int sd, e;
- if (s->config->use_occtl == 0 || s->perm_config->occtl_socket_file == NULL)
+ mslog(s, NULL, LOG_INFO, "using control unix socket: %s", s->perm_config->occtl_socket_file);
+
+ if (s->config->use_occtl == 0 ||
+ s->perm_config->occtl_socket_file == NULL) {
+ mslog(s, NULL, LOG_INFO, "not using control unix socket");
return 0;
+ }
- mslog(s, NULL, LOG_DEBUG, "initializing control unix socket: %s", s->perm_config->occtl_socket_file);
+ mslog(s, NULL, LOG_INFO, "initializing control unix socket: %s", s->perm_config->occtl_socket_file);
memset(&sa, 0, sizeof(sa));
sa.sun_family = AF_UNIX;
strlcpy(sa.sun_path, s->perm_config->occtl_socket_file, sizeof(sa.sun_path));
@@ -122,7 +127,7 @@ int ctl_handler_init(main_server_st * s)
sd = socket(AF_UNIX, SOCK_STREAM, 0);
if (sd == -1) {
e = errno;
- mslog(s, NULL, LOG_ERR, "could not create socket '%s': %s",
+ mslog(s, NULL, LOG_INFO, "could not create socket '%s': %s",
s->perm_config->occtl_socket_file, strerror(e));
return -1;
}
@@ -131,7 +136,7 @@ int ctl_handler_init(main_server_st * s)
ret = bind(sd, (struct sockaddr *)&sa, SUN_LEN(&sa));
if (ret == -1) {
e = errno;
- mslog(s, NULL, LOG_ERR, "could not bind socket '%s': %s",
+ mslog(s, NULL, LOG_INFO, "could not bind socket '%s': %s",
s->perm_config->occtl_socket_file, strerror(e));
return -1;
}
@@ -139,14 +144,14 @@ int ctl_handler_init(main_server_st * s)
ret = chown(s->perm_config->occtl_socket_file, s->perm_config->uid, s->perm_config->gid);
if (ret == -1) {
e = errno;
- mslog(s, NULL, LOG_ERR, "could not chown socket '%s': %s",
+ mslog(s, NULL, LOG_INFO, "could not chown socket '%s': %s",
s->perm_config->occtl_socket_file, strerror(e));
}
ret = listen(sd, 1024);
if (ret == -1) {
e = errno;
- mslog(s, NULL, LOG_ERR, "could not listen to socket '%s': %s",
+ mslog(s, NULL, LOG_INFO, "could not listen to socket '%s': %s",
s->perm_config->occtl_socket_file, strerror(e));
return -1;
}

View File

@ -0,0 +1,14 @@
--- src/main.c.orig 2015-07-01 18:41:01 UTC
+++ src/main.c
@@ -131,8 +131,9 @@ int y;
perror("setsockopt(IP_PKTINFO) failed");
#elif defined(IP_RECVDSTADDR) /* *BSD */
y = 1;
- if (setsockopt(fd, IPPROTO_IP, IP_RECVDSTADDR,
- (const void *)&y, sizeof(y)) < 0)
+ if (family == AF_INET &&
+ setsockopt(fd, IPPROTO_IP, IP_RECVDSTADDR,
+ (const void *)&y, sizeof(y)) < 0)
perror("setsockopt(IP_RECVDSTADDR) failed");
#endif
#if defined(IPV6_RECVPKTINFO)

View File

@ -0,0 +1,56 @@
--- src/ocserv-args.def.orig 2015-07-15 17:17:22 UTC
+++ src/ocserv-args.def
@@ -68,7 +68,7 @@ doc-section = {
ds-format = 'texi';
ds-text = <<-_EOT_
@subheading ocserv's configuration file format
-By default, if no other file is specified, ocserv looks for its configuration file at @file{/etc/ocserv/ocserv.conf}.
+By default, if no other file is specified, ocserv looks for its configuration file at @file{/usr/local/etc/ocserv/conf}.
An example configuration file follows.
@example
@@ -87,7 +87,7 @@ An example configuration file follows.
# This enabled PAM authentication of the user. The gid-min option is used
# by auto-select-group option, in order to select the minimum valid group ID.
#
-# plain[passwd=/etc/ocserv/ocpasswd]
+# plain[passwd=/usr/local/etc/ocserv/ocpasswd]
# The plain option requires specifying a password file which contains
# entries of the following format.
# "username:groupname1,groupname2:encoded-password"
@@ -119,7 +119,7 @@ An example configuration file follows.
#auth = "certificate"
#auth = "pam"
#auth = "pam[gid-min=1000]"
-#auth = "plain[passwd=/etc/ocserv/ocpasswd]"
+#auth = "plain[passwd=/usr/local/etc/ocserv/passwd]"
#auth = "radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true]"
# Specify alternative authentication methods that are sufficient
@@ -431,7 +431,7 @@ rekey-method = ssl
use-occtl = true
# PID file. It can be overriden in the command line.
-pid-file = /var/run/ocserv.pid
+pid-file = /var/run/ocserv/pid
# Set the protocol-defined priority (SO_PRIORITY) for packets to
# be sent. That is a number from 0 to 6 with 0 being the lowest
@@ -555,13 +555,13 @@ no-route = 192.168.5.0/255.255.255.0
# Also explicit addresses, are only allowed when they are odd. In that
# case the next even address will be used as the remote address (in PtP).
-#config-per-user = /etc/ocserv/config-per-user/
-#config-per-group = /etc/ocserv/config-per-group/
+#config-per-user = /usr/local/etc/ocserv/config-per-user/
+#config-per-group = /usr/local/etc/ocserv/config-per-group/
# When config-per-xxx is specified and there is no group or user that
# matches, then utilize the following configuration.
-#default-user-config = /etc/ocserv/defaults/user.conf
-#default-group-config = /etc/ocserv/defaults/group.conf
+#default-user-config = /usr/local/etc/ocserv/defaults/user.conf
+#default-group-config = /usr/local/etc/ocserv/defaults/group.conf
# The system command to use to setup a route. %{R} will be replaced with the
# route/mask and %{D} with the (tun) device.

20
net/ocserv/pkg-descr Normal file
View File

@ -0,0 +1,20 @@
OpenConnect server (ocserv) is an SSL VPN server. Its purpose is
to be a secure, small, fast and configurable VPN server. It implements
the OpenConnect SSL VPN protocol, and has also (currently experimental)
compatibility with clients using the AnyConnect SSL VPN protocol.
The OpenConnect protocol provides a dual TCP/UDP VPN channel, and
uses the standard IETF security protocols to secure it. Both IPv4
and IPv6 are supported.
Ocserv's main features are security through provilege separation
and sandboxing, accounting, and resilience due to a combined use
of TCP and UDP. Authentication occurs in an isolated security
module process, and each user is assigned an unprivileged worker
process, and a networking (tun) device. That not only eases the
control of the resources of each user or group of users, but also
prevents data leak (e.g., heartbleed-style attacks), and privilege
escalation due to any bug on the VPN handling (worker) process. A
management interface allows for viewing and querying logged-in
users.
WWW: http://www.infradead.org/ocserv/

8
net/ocserv/pkg-plist Normal file
View File

@ -0,0 +1,8 @@
bin/occtl
bin/ocpasswd
man/man8/occtl.8.gz
man/man8/ocpasswd.8.gz
man/man8/ocserv.8.gz
@sample etc/ocserv/conf.sample
sbin/ocserv
@dir /var/run/ocserv