Attachment #212682 for bug #245036

View | Details | Raw Unified | Return to bug 245036
Collapse All | Expand All




# $FreeBSD$

PORTNAME=	ocserv
PORTVERSION=	1.0.0
PORTREVISION=	2
CATEGORIES=	net net-vpn security
MASTER_SITES=	ftp://ftp.infradead.org/pub/ocserv/


RADIUS_CONFIGURE_OFF=	--without-radius

post-patch:
	@${REINPLACE_CMD} 's|/usr/bin/ocserv-fw|${PREFIX}/bin/ocserv-fw|g' \
		${WRKSRC}/src/main-user.c \
		${WRKSRC}/doc/sample.config
	@${REINPLACE_CMD} 's|/usr/bin/ocserv\\-fw|${PREFIX}/bin/ocserv\\-fw|g' \
		${WRKSRC}/doc/ocserv.8
	@${REINPLACE_CMD} 's|%%PREFIX%%|${PREFIX}|g' ${WRKSRC}/src/config.c

post-install:
	@${MKDIR} ${STAGEDIR}${PREFIX}/etc/ocserv

Lines 1-3 Link Here

(-)b/net/ocserv/distinfo (-3 / +3 lines)
1	TIMESTAMP = 1562531995	1	TIMESTAMP = 1585072635
2	SHA256 (ocserv-0.12.4.tar.xz) = 05c01effa8a7c2f022616fcb62bade4df51aa7f0035248671da12819d62cb185	2	SHA256 (ocserv-1.0.0.tar.xz) = 17440e78aadc800836824adb17088534740ebdce3e0cbd3a615fdbbd326b9e91
3	SIZE (ocserv-0.12.4.tar.xz) = 763540	3	SIZE (ocserv-1.0.0.tar.xz) = 785020

Lines 26-32 Link Here

(-)b/net/ocserv/files/ocserv.conf (-3 / +18 lines)
26	# One entry must be listed per line, and 'ocpasswd' should be used	26	# One entry must be listed per line, and 'ocpasswd' should be used
27	# to generate password entries. The 'otp' suboption allows one to specify	27	# to generate password entries. The 'otp' suboption allows one to specify
28	# an oath password file to be used for one time passwords; the format of	28	# an oath password file to be used for one time passwords; the format of
29	# the file is described in https://code.google.com/p/mod-authn-otp/wiki/UsersFile	29	# the file is described in https://github.com/archiecobbs/mod-authn-otp/wiki/UsersFile
30	#	30	#
31	# radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true,nas-identifier=name]:	31	# radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true,nas-identifier=name]:
32	# The radius option requires specifying freeradius-client configuration	32	# The radius option requires specifying freeradius-client configuration
Lines 77-82 auth = "plain[passwd=./sample.passwd]" Link Here
77	# hostname.	77	# hostname.
78	#listen-host = [IP\|HOSTNAME]	78	#listen-host = [IP\|HOSTNAME]
79		79
		80	# Use udp-listen-host to limit udp to specific IPs or to the IPs of a provided
		81	# hostname. if not set, listen-host will be used
		82	#udp-listen-host = [IP\|HOSTNAME]
		83
80	# When the server has a dynamic DNS address (that may change),	84	# When the server has a dynamic DNS address (that may change),
81	# should set that to true to ask the client to resolve again on	85	# should set that to true to ask the client to resolve again on
82	# reconnects.	86	# reconnects.
Lines 172-177 ca-cert = ../tests/certs/ca.pem Link Here
172	### failures during the reloading time.	176	### failures during the reloading time.
173		177
174		178
		179	# Whether to enable seccomp/Linux namespaces worker isolation. That restricts the number of
		180	# system calls allowed to a worker process, in order to reduce damage from a
		181	# bug in the worker process. It is available on Linux systems at a performance cost.
		182	# The performance cost is roughly 2% overhead at transfer time (tested on a Linux 3.17.8).
		183	# Note however, that process isolation is restricted to the specific libc versions
		184	# the isolation was tested at. If you get random failures on worker processes, try
		185	# disabling that option and report the failures you, along with system and debugging
		186	# information at: https://gitlab.com/ocserv/ocserv/issues
		187	isolate-workers = true
		188
175	# A banner to be displayed on clients	189	# A banner to be displayed on clients
176	#banner = "Welcome"	190	#banner = "Welcome"
177		191
Lines 391-397 rekey-method = ssl Link Here
391	# client), OCSERV_NO_ROUTES, OCSERV_DNS (the DNS servers for this client),	405	# client), OCSERV_NO_ROUTES, OCSERV_DNS (the DNS servers for this client),
392	# will contain a space separated list of routes or DNS servers. A version	406	# will contain a space separated list of routes or DNS servers. A version
393	# of these variables with the 4 or 6 suffix will contain only the IPv4 or	407	# of these variables with the 4 or 6 suffix will contain only the IPv4 or
394	# IPv6 values.	408	# IPv6 values. The connect script must return zero as exit code, or the
		409	# client connection will be refused.
395		410
396	# The disconnect script will receive the additional values: STATS_BYTES_IN,	411	# The disconnect script will receive the additional values: STATS_BYTES_IN,
397	# STATS_BYTES_OUT, STATS_DURATION that contain a 64-bit counter of the bytes	412	# STATS_BYTES_OUT, STATS_DURATION that contain a 64-bit counter of the bytes
Lines 566-572 no-route = 192.168.5.0/255.255.255.0 Link Here
566	# keepalive, dpd, mobile-dpd, max-same-clients, tunnel-all-dns,	581	# keepalive, dpd, mobile-dpd, max-same-clients, tunnel-all-dns,
567	# restrict-user-to-routes, user-profile, cgroup, stats-report-time,	582	# restrict-user-to-routes, user-profile, cgroup, stats-report-time,
568	# mtu, idle-timeout, mobile-idle-timeout, restrict-user-to-ports,	583	# mtu, idle-timeout, mobile-idle-timeout, restrict-user-to-ports,
569	# and session-timeout.	584	# split-dns and session-timeout.
570	#	585	#
571	# Note that the 'iroute' option allows one to add routes on the server	586	# Note that the 'iroute' option allows one to add routes on the server
572	# based on a user or group. The syntax depends on the input accepted	587	# based on a user or group. The syntax depends on the input accepted

Lines 5-11 Link Here

(-)b/net/ocserv/files/patch-src_config.c (-1 / +1 lines)
5		5
6	#define OLD_DEFAULT_CFG_FILE "/etc/ocserv.conf"	6	#define OLD_DEFAULT_CFG_FILE "/etc/ocserv.conf"
7	-#define DEFAULT_CFG_FILE "/etc/ocserv/ocserv.conf"	7	-#define DEFAULT_CFG_FILE "/etc/ocserv/ocserv.conf"
8	+#define DEFAULT_CFG_FILE "/usr/local/etc/ocserv/conf"	8	+#define DEFAULT_CFG_FILE "%%PREFIX%%/etc/ocserv/conf"
9		9
10	static void print_version(void);	10	static void print_version(void);
11		11




Commit c1428689: ban log: only log once when adding, not when
increasing score when already banned

https://gitlab.com/openconnect/ocserv/-/commit/c142868909490e65acea22add83ff4e6237fb63a

--- src/main-ban.c.orig	2020-03-24 20:04:58 UTC
+++ src/main-ban.c
@@ -155,9 +155,9 @@ int add_ip_to_ban_list(main_server_st *s
 	 * periodically polls the server */
 	if (e->score < GETCONFIG(s)->max_ban_score) {
 		e->expires = expiration;
-		print_msg = 0;
-	} else
 		print_msg = 1;
+	} else
+		print_msg = 0;
 
 	/* prevent overflow */
 	e->score = (e->score + score) > e->score ? (e->score + score) : (e->score);




--- src/tun.c.orig	2018-04-14 07:52:35 UTC
+++ src/tun.c
@@ -895,3 +895,22 @@ ssize_t tun_read(int sockfd, void *buf, size_t len)
 	return read(sockfd, buf, len);
 }
 #endif
+
+#ifndef __FreeBSD__
+int tun_claim(int sockfd)
+{
+
+	return (0);
+}
+#else
+/*
+ * FreeBSD has a mechanism by which a tunnel has a single controlling process,
+ * and only that one process may close it.  When the controlling process closes
+ * the tunnel, the state is torn down.
+ */
+int tun_claim(int sockfd)
+{
+
+	return (ioctl(sockfd, TUNSIFPID, 0));
+}
+#endif	/* !__FreeBSD__ */

Removed Link Here

(-)a/net/ocserv/files/patch-src_tun.h (-9 lines)
1	--- src/tun.h.orig 2018-01-13 18:43:41 UTC
2	+++ src/tun.h
3	@@ -35,5 +35,6 @@ struct tun_lease_st {
4
5	ssize_t tun_write(int sockfd, const void *buf, size_t len);
6	ssize_t tun_read(int sockfd, void *buf, size_t len);
7	+int tun_claim(int sockfd);
8
9	#endif




--- src/worker-auth.c.orig	2019-01-19 18:47:47 UTC
+++ src/worker-auth.c
@@ -605,7 +605,10 @@ static int recv_cookie_auth_reply(worker_st * ws)
 	case AUTH__REP__OK:
 		if (socketfd != -1) {
 			ws->tun_fd = socketfd;
-
+			if (tun_claim(ws->tun_fd) != 0) {
+				ret = ERR_AUTH_FAIL;
+				goto cleanup;
+			}
 			if (msg->vname == NULL || msg->config == NULL || msg->user_name == NULL || msg->sid.len != sizeof(ws->sid)) {
 				ret = ERR_AUTH_FAIL;
 				goto cleanup;

Return to bug 245036

Lines 2-9 Link Here

(-)b/net/ocserv/Makefile (-4 / +4 lines)
2	# $FreeBSD$	2	# $FreeBSD$
3		3
4	PORTNAME= ocserv	4	PORTNAME= ocserv
5	PORTVERSION= 0.12.4	5	PORTVERSION= 1.0.0
6	PORTREVISION= 2
7	CATEGORIES= net net-vpn security	6	CATEGORIES= net net-vpn security
8	MASTER_SITES= ftp://ftp.infradead.org/pub/ocserv/	7	MASTER_SITES= ftp://ftp.infradead.org/pub/ocserv/
9		8
Lines 54-64 RADIUS_LIB_DEPENDS= libradcli.so:net/radcli Link Here
54	RADIUS_CONFIGURE_OFF= --without-radius	53	RADIUS_CONFIGURE_OFF= --without-radius
55		54
56	post-patch:	55	post-patch:
57	@${REINPLACE_CMD} 's\|/usr/bin/ocserv-fw\|${LOCALBASE}/bin/ocserv-fw\|g' \	56	@${REINPLACE_CMD} 's\|/usr/bin/ocserv-fw\|${PREFIX}/bin/ocserv-fw\|g' \
58	${WRKSRC}/src/main-user.c \	57	${WRKSRC}/src/main-user.c \
59	${WRKSRC}/doc/sample.config	58	${WRKSRC}/doc/sample.config
60	@${REINPLACE_CMD} 's\|/usr/bin/ocserv\\-fw\|${LOCALBASE}/bin/ocserv\\-fw\|g' \	59	@${REINPLACE_CMD} 's\|/usr/bin/ocserv\\-fw\|${PREFIX}/bin/ocserv\\-fw\|g' \
61	${WRKSRC}/doc/ocserv.8	60	${WRKSRC}/doc/ocserv.8
		61	@${REINPLACE_CMD} 's\|%%PREFIX%%\|${PREFIX}\|g' ${WRKSRC}/src/config.c
62		62
63	post-install:	63	post-install:
64	@${MKDIR} ${STAGEDIR}${PREFIX}/etc/ocserv	64	@${MKDIR} ${STAGEDIR}${PREFIX}/etc/ocserv

Added Link Here

(-)b/net/ocserv/files/patch-src_main-ban.c (+19 lines)
1	Commit c1428689: ban log: only log once when adding, not when
2	increasing score when already banned
3
4	https://gitlab.com/openconnect/ocserv/-/commit/c142868909490e65acea22add83ff4e6237fb63a
5
6	--- src/main-ban.c.orig 2020-03-24 20:04:58 UTC
7	+++ src/main-ban.c
8	@@ -155,9 +155,9 @@ int add_ip_to_ban_list(main_server_st *s
9	* periodically polls the server */
10	if (e->score < GETCONFIG(s)->max_ban_score) {
11	e->expires = expiration;
12	- print_msg = 0;
13	- } else
14	print_msg = 1;
15	+ } else
16	+ print_msg = 0;
17
18	/* prevent overflow */
19	e->score = (e->score + score) > e->score ? (e->score + score) : (e->score);

Removed Link Here

(-)a/net/ocserv/files/patch-src_tun.c (-25 lines)
1	--- src/tun.c.orig 2018-04-14 07:52:35 UTC
2	+++ src/tun.c
3	@@ -895,3 +895,22 @@ ssize_t tun_read(int sockfd, void *buf, size_t len)
4	return read(sockfd, buf, len);
5	}
6	#endif
7	+
8	+#ifndef __FreeBSD__
9	+int tun_claim(int sockfd)
10	+{
11	+
12	+ return (0);
13	+}
14	+#else
15	+/*
16	+ * FreeBSD has a mechanism by which a tunnel has a single controlling process,
17	+ * and only that one process may close it. When the controlling process closes
18	+ * the tunnel, the state is torn down.
19	+ */
20	+int tun_claim(int sockfd)
21	+{
22	+
23	+ return (ioctl(sockfd, TUNSIFPID, 0));
24	+}
25	+#endif /* !__FreeBSD__ */

Removed Link Here

(-)a/net/ocserv/files/patch-src_worker-auth.c (-14 lines)
1	--- src/worker-auth.c.orig 2019-01-19 18:47:47 UTC
2	+++ src/worker-auth.c
3	@@ -605,7 +605,10 @@ static int recv_cookie_auth_reply(worker_st * ws)
4	case AUTH__REP__OK:
5	if (socketfd != -1) {
6	ws->tun_fd = socketfd;
7	-
8	+ if (tun_claim(ws->tun_fd) != 0) {
9	+ ret = ERR_AUTH_FAIL;
10	+ goto cleanup;
11	+ }
12	if (msg->vname == NULL \|\| msg->config == NULL \|\| msg->user_name == NULL \|\| msg->sid.len != sizeof(ws->sid)) {
13	ret = ERR_AUTH_FAIL;
14	goto cleanup;