
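--- a/net/ocserv/Makefile
+++ b/net/ocserv/Makefile
@@ -2,8 +2,7 @@
 # $FreeBSD$
 
 PORTNAME=	ocserv
-PORTVERSION=	0.12.4
-PORTREVISION=	2
+PORTVERSION=	1.0.0
 CATEGORIES=	net net-vpn security
 MASTER_SITES=	ftp://ftp.infradead.org/pub/ocserv/
 
@@ -54,11 +53,12 @@ RADIUS_LIB_DEPENDS= libradcli.so:net/radcli
 RADIUS_CONFIGURE_OFF=	--without-radius
 
 post-patch:
-	@${REINPLACE_CMD} 's|/usr/bin/ocserv-fw|${LOCALBASE}/bin/ocserv-fw|g' \
+	@${REINPLACE_CMD} 's|/usr/bin/ocserv-fw|${PREFIX}/bin/ocserv-fw|g' \
 		${WRKSRC}/src/main-user.c \
 		${WRKSRC}/doc/sample.config
-	@${REINPLACE_CMD} 's|/usr/bin/ocserv\\-fw|${LOCALBASE}/bin/ocserv\\-fw|g' \
+	@${REINPLACE_CMD} 's|/usr/bin/ocserv\\-fw|${PREFIX}/bin/ocserv\\-fw|g' \
 		${WRKSRC}/doc/ocserv.8
+	@${REINPLACE_CMD} 's|%%PREFIX%%|${PREFIX}|g' ${WRKSRC}/src/config.c
 
 post-install:
 	@${MKDIR} ${STAGEDIR}${PREFIX}/etc/ocserv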
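Review bot: The new `%%PREFIX%%` substitution on src/config.c at the end of post-patch succeeds silently when the placeholder is absent, which would leave the literal `%%PREFIX%%/etc/ocserv/conf` compiled in as the daemon's default configuration path. The placeholder only exists because files/patch-src_config.c inserts it, so the two have to be kept in step on every future update; guarding the substitution with `@${GREP} -q '%%PREFIX%%' ${WRKSRC}/src/config.c` placed ahead of the REINPLACE line makes any drift fail the build instead of producing a binary with a bogus default path. A short comment above that line naming the patch file that introduces the placeholder would also help the next maintainer.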
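--- a/net/ocserv/distinfo
+++ b/net/ocserv/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1562531995
-SHA256 (ocserv-0.12.4.tar.xz) = 05c01effa8a7c2f022616fcb62bade4df51aa7f0035248671da12819d62cb185
-SIZE (ocserv-0.12.4.tar.xz) = 763540
+TIMESTAMP = 1585072635
+SHA256 (ocserv-1.0.0.tar.xz) = 17440e78aadc800836824adb17088534740ebdce3e0cbd3a615fdbbd326b9e91
+SIZE (ocserv-1.0.0.tar.xz) = 785020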
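--- a/net/ocserv/files/ocserv.conf
+++ b/net/ocserv/files/ocserv.conf
@@ -26,7 +26,7 @@
 # One entry must be listed per line, and 'ocpasswd' should be used
 # to generate password entries. The 'otp' suboption allows one to specify
 # an oath password file to be used for one time passwords; the format of
-# the file is described in https://code.google.com/p/mod-authn-otp/wiki/UsersFile
+# the file is described in https://github.com/archiecobbs/mod-authn-otp/wiki/UsersFile
 #
 # radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true,nas-identifier=name]:
 #  The radius option requires specifying freeradius-client configuration
@@ -77,6 +77,10 @@ auth = "plain[passwd=./sample.passwd]"
 # hostname.
 #listen-host = [IP|HOSTNAME]
 
+# Use udp-listen-host to limit udp to specific IPs or to the IPs of a provided
+# hostname. if not set, listen-host will be used
+#udp-listen-host = [IP|HOSTNAME]
+
 # When the server has a dynamic DNS address (that may change),
 # should set that to true to ask the client to resolve again on
 # reconnects.
@@ -172,6 +176,16 @@ ca-cert = ../tests/certs/ca.pem
 ### failures during the reloading time.
 
 
+# Whether to enable seccomp/Linux namespaces worker isolation. That restricts the number of
+# system calls allowed to a worker process, in order to reduce damage from a
+# bug in the worker process. It is available on Linux systems at a performance cost.
+# The performance cost is roughly 2% overhead at transfer time (tested on a Linux 3.17.8).
+# Note however, that process isolation is restricted to the specific libc versions
+# the isolation was tested at. If you get random failures on worker processes, try
+# disabling that option and report the failures you, along with system and debugging
+# information at: https://gitlab.com/ocserv/ocserv/issues
+isolate-workers = true
+
 # A banner to be displayed on clients
 #banner = "Welcome"
 
@@ -391,7 +405,8 @@ rekey-method = ssl
 # client), OCSERV_NO_ROUTES, OCSERV_DNS (the DNS servers for this client),
 # will contain a space separated list of routes or DNS servers. A version
 # of these variables with the 4 or 6 suffix will contain only the IPv4 or
-# IPv6 values.
+# IPv6 values. The connect script must return zero as exit code, or the
+# client connection will be refused.
 
 # The disconnect script will receive the additional values: STATS_BYTES_IN,
 # STATS_BYTES_OUT, STATS_DURATION that contain a 64-bit counter of the bytes 
@@ -566,7 +581,7 @@ no-route = 192.168.5.0/255.255.255.0
 #  keepalive, dpd, mobile-dpd, max-same-clients, tunnel-all-dns,
 #  restrict-user-to-routes, user-profile, cgroup, stats-report-time,
 #  mtu, idle-timeout, mobile-idle-timeout, restrict-user-to-ports,
-#  and session-timeout.
+#  split-dns and session-timeout.
 #
 # Note that the 'iroute' option allows one to add routes on the server
 # based on a user or group. The syntax depends on the input accepted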
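Review bot: The `isolate-workers = true` block added in the "Lines 172-177" hunk is copied from upstream's Linux-oriented sample, and its own comment states that the seccomp/namespace isolation "is available on Linux systems"; in a file shipped by a FreeBSD port an operator can read that as worker isolation being in effect, which it presumably is not on a build without seccomp support. Either drop the key from the port's copy or add a line above it such as `# Note: on FreeBSD this isolation is not expected to be effective; check the ocserv startup log for what the build actually supports.` so the hardening claim is not overstated. What ocserv does with the option on a build lacking seccomp is not visible here — confirm against the port's build log before settling the wording.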
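--- a/net/ocserv/files/patch-src_config.c
+++ b/net/ocserv/files/patch-src_config.c
@@ -5,7 +5,7 @@
  
  #define OLD_DEFAULT_CFG_FILE "/etc/ocserv.conf"
 -#define DEFAULT_CFG_FILE "/etc/ocserv/ocserv.conf"
-+#define DEFAULT_CFG_FILE "/usr/local/etc/ocserv/conf"
++#define DEFAULT_CFG_FILE "%%PREFIX%%/etc/ocserv/conf"
  
  static void print_version(void);
  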
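--- /dev/null
+++ b/net/ocserv/files/patch-src_main-ban.c
@@ -0,0 +1,19 @@
+Commit c1428689: ban log: only log once when adding, not when
+increasing score when already banned
+
+https://gitlab.com/openconnect/ocserv/-/commit/c142868909490e65acea22add83ff4e6237fb63a
+
+--- src/main-ban.c.orig	2020-03-24 20:04:58 UTC
++++ src/main-ban.c
+@@ -155,9 +155,9 @@ int add_ip_to_ban_list(main_server_st *s
+ 	 * periodically polls the server */
+ 	if (e->score < GETCONFIG(s)->max_ban_score) {
+ 		e->expires = expiration;
+-		print_msg = 0;
+-	} else
+ 		print_msg = 1;
++	} else
++		print_msg = 0;
+ 
+ 	/* prevent overflow */
+ 	e->score = (e->score + score) > e->score ? (e->score + score) : (e->score);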
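Review bot: The patch header cites the upstream commit but not the operational effect of the swap at lines 12-16 of the file: after it, print_msg is set only while the entry's score is still below max_ban_score, so further attempts from an address that is already at the threshold no longer produce the message gated by print_msg, and log-based alerting on bans should key on the first entry rather than on repetitions. A sentence in the header such as `Effect: the message is logged when an entry is added or raised below the threshold, not on every retry from an already-banned address.` would spare the next maintainer re-reading add_ip_to_ban_list. The function continues outside the quoted hunk, and the line that consumes print_msg is not visible here.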
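--- a/net/ocserv/files/patch-src_tun.c
+++ /dev/null
@@ -1,25 +0,0 @@
---- src/tun.c.orig	2018-04-14 07:52:35 UTC
-+++ src/tun.c
-@@ -895,3 +895,22 @@ ssize_t tun_read(int sockfd, void *buf, size_t len)
- 	return read(sockfd, buf, len);
- }
- #endif
-+
-+#ifndef __FreeBSD__
-+int tun_claim(int sockfd)
-+{
-+
-+	return (0);
-+}
-+#else
-+/*
-+ * FreeBSD has a mechanism by which a tunnel has a single controlling process,
-+ * and only that one process may close it.  When the controlling process closes
-+ * the tunnel, the state is torn down.
-+ */
-+int tun_claim(int sockfd)
-+{
-+
-+	return (ioctl(sockfd, TUNSIFPID, 0));
-+}
-+#endif	/* !__FreeBSD__ */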
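--- a/net/ocserv/files/patch-src_tun.h
+++ /dev/null
@@ -1,9 +0,0 @@
---- src/tun.h.orig	2018-01-13 18:43:41 UTC
-+++ src/tun.h
-@@ -35,5 +35,6 @@ struct tun_lease_st {
- 
- ssize_t tun_write(int sockfd, const void *buf, size_t len);
- ssize_t tun_read(int sockfd, void *buf, size_t len);
-+int tun_claim(int sockfd);
- 
- #endif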
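--- a/net/ocserv/files/patch-src_worker-auth.c
+++ /dev/null
@@ -1,14 +0,0 @@
---- src/worker-auth.c.orig	2019-01-19 18:47:47 UTC
-+++ src/worker-auth.c
-@@ -605,7 +605,10 @@ static int recv_cookie_auth_reply(worker_st * ws)
- 	case AUTH__REP__OK:
- 		if (socketfd != -1) {
- 			ws->tun_fd = socketfd;
--
-+			if (tun_claim(ws->tun_fd) != 0) {
-+				ret = ERR_AUTH_FAIL;
-+				goto cleanup;
-+			}
- 			if (msg->vname == NULL || msg->config == NULL || msg->user_name == NULL || msg->sid.len != sizeof(ws->sid)) {
- 				ret = ERR_AUTH_FAIL;
- 				goto cleanup;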
