From owner-svn-ports-all@freebsd.org Mon May 14 18:23:25 2018 Return-Path: Delivered-To: svn-ports-all@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 4274ADFECB4; Mon, 14 May 2018 18:23:25 +0000 (UTC) (envelope-from cpm@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id D89D7828AE; Mon, 14 May 2018 18:23:24 +0000 (UTC) (envelope-from cpm@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 9BBE31FCEC; Mon, 14 May 2018 18:23:24 +0000 (UTC) (envelope-from cpm@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id w4EINOpL080877; Mon, 14 May 2018 18:23:24 GMT (envelope-from cpm@FreeBSD.org) Received: (from cpm@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id w4EINN8P080869; Mon, 14 May 2018 18:23:23 GMT (envelope-from cpm@FreeBSD.org) Message-Id: <201805141823.w4EINN8P080869@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: cpm set sender to cpm@FreeBSD.org using -f From: "Carlos J. Puga Medina" Date: Mon, 14 May 2018 18:23:23 +0000 (UTC) To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r469943 - in head/net/ocserv: . files X-SVN-Group: ports-head X-SVN-Commit-Author: cpm X-SVN-Commit-Paths: in head/net/ocserv: . files X-SVN-Commit-Revision: 469943 X-SVN-Commit-Repository: ports MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-ports-all@freebsd.org X-Mailman-Version: 2.1.26 Precedence: list List-Id: SVN commit messages for the ports tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 14 May 2018 18:23:25 -0000 Author: cpm Date: Mon May 14 18:23:23 2018 New Revision: 469943 URL: https://svnweb.freebsd.org/changeset/ports/469943 Log: net/ocserv: update to 0.12.1 Changelog: https://gitlab.com/ocserv/ocserv/blob/master/NEWS Tested by: Jov Added: head/net/ocserv/files/patch-doc_sample.config (contents, props changed) head/net/ocserv/files/patch-src_occtl_occtl.c (contents, props changed) head/net/ocserv/files/patch-src_occtl_time.c (contents, props changed) Deleted: head/net/ocserv/files/patch-doc_Makefile.am head/net/ocserv/files/patch-libopts_m4_libopts.m4 head/net/ocserv/files/patch-src_main-ctl-unix.c head/net/ocserv/files/patch-src_ocserv-args.def Modified: head/net/ocserv/Makefile head/net/ocserv/distinfo head/net/ocserv/files/ocserv.conf head/net/ocserv/files/patch-configure.ac head/net/ocserv/files/patch-src_config.c Modified: head/net/ocserv/Makefile ============================================================================== --- head/net/ocserv/Makefile Mon May 14 18:18:12 2018 (r469942) +++ head/net/ocserv/Makefile Mon May 14 18:23:23 2018 (r469943) @@ -2,7 +2,7 @@ # $FreeBSD$ PORTNAME= ocserv -PORTVERSION= 0.11.11 +PORTVERSION= 0.12.1 CATEGORIES= net security MASTER_SITES= ftp://ftp.infradead.org/pub/ocserv/ \ LOCAL/cpm @@ -13,8 +13,7 @@ COMMENT= Server implementing the AnyConnect SSL VPN pr LICENSE= GPLv2+ LICENSE_FILE= ${WRKSRC}/LICENSE -BUILD_DEPENDS= autogen:devel/autogen \ - bash:shells/bash \ +BUILD_DEPENDS= bash:shells/bash \ gsed:textproc/gsed LIB_DEPENDS= liblz4.so:archivers/liblz4 \ libiconv.so:converters/libiconv \ @@ -26,13 +25,12 @@ LIB_DEPENDS= liblz4.so:archivers/liblz4 \ libnettle.so:security/nettle \ liboath.so:security/oath-toolkit -USES= autoreconf cpe gmake gperf libtool localbase ncurses \ +USES= autoreconf cpe gperf libtool localbase ncurses \ pathfix pkgconfig readline tar:xz CPE_VENDOR= infradead GNU_CONFIGURE= yes -CONFIGURE_ARGS= --disable-nls \ - --enable-local-libopts \ +CONFIGURE_ARGS= --without-geoip \ --without-http-parser \ --without-pcl-lib @@ -56,12 +54,17 @@ RADIUS_LIB_DEPENDS= libradcli.so:net/radcli RADIUS_CONFIGURE_OFF= --without-radius post-patch: - @${RM} ${WRKSRC}/doc/*.8 + @${REINPLACE_CMD} 's|/usr/bin/ocserv-fw|${LOCALBASE}/bin/ocserv-fw|g' \ + ${WRKSRC}/src/main-user.c \ + ${WRKSRC}/doc/sample.config + @${REINPLACE_CMD} 's|/usr/bin/ocserv\\-fw|${LOCALBASE}/bin/ocserv\\-fw|g' \ + ${WRKSRC}/doc/ocserv.8 post-install: @${MKDIR} ${STAGEDIR}${PREFIX}/etc/ocserv @${MKDIR} ${STAGEDIR}/var/run/ocserv ${INSTALL_DATA} ${FILESDIR}/ocserv.conf ${STAGEDIR}${PREFIX}/etc/ocserv/conf.sample + ${INSTALL_MAN} ${WRKSRC}/doc/*.8 ${STAGEDIR}${MANPREFIX}/man/man8 post-install-DOCS-on: @${MKDIR} ${STAGEDIR}${DOCSDIR} Modified: head/net/ocserv/distinfo ============================================================================== --- head/net/ocserv/distinfo Mon May 14 18:18:12 2018 (r469942) +++ head/net/ocserv/distinfo Mon May 14 18:23:23 2018 (r469943) @@ -1,3 +1,3 @@ -TIMESTAMP = 1520410933 -SHA256 (ocserv-0.11.11.tar.xz) = 4d7b663f10d840b6dfc216e13f287defc28195394fa9f80fad578186105fabf8 -SIZE (ocserv-0.11.11.tar.xz) = 785972 +TIMESTAMP = 1526166790 +SHA256 (ocserv-0.12.1.tar.xz) = 0b7d6f4cd54cf8bf6400a27d202819eec32341225ae48ca73d049f9d17e3a2bc +SIZE (ocserv-0.12.1.tar.xz) = 678784 Modified: head/net/ocserv/files/ocserv.conf ============================================================================== --- head/net/ocserv/files/ocserv.conf Mon May 14 18:18:12 2018 (r469942) +++ head/net/ocserv/files/ocserv.conf Mon May 14 18:23:23 2018 (r469943) @@ -1,70 +1,240 @@ -# User authentication method. Could be set multiple times and in that case -# all should succeed. -# Options: certificate, pam. -#auth = "certificate" -#auth = "pam" +### The following directives do not change with server reload. -# The plain option requires specifying a password file which contains +# User authentication method. To require multiple methods to be +# used for the user to login, add multiple auth directives. The values +# in the 'auth' directive are AND composed (if multiple all must +# succeed). +# Available options: certificate, plain, pam, radius, gssapi. +# Note that authentication methods utilizing passwords cannot be +# combined (e.g., the plain, pam or radius methods). + +# certificate: +# This indicates that all connecting users must present a certificate. +# The username and user group will be then extracted from it (see +# cert-user-oid and cert-group-oid). The certificate to be accepted +# it must be signed by the CA certificate as specified in 'ca-cert' and +# it must not be listed in the CRL, as specified by the 'crl' option. +# +# pam[gid-min=1000]: +# This enabled PAM authentication of the user. The gid-min option is used +# by auto-select-group option, in order to select the minimum valid group ID. +# +# plain[passwd=/usr/local/etc/ocserv/ocpasswd,otp=/etc/ocserv/users.otp] +# The plain option requires specifying a password file which contains # entries of the following format. -# "username:groupname:encoded-password" -# One entry must be listed per line, and 'ocpasswd' can be used -# to generate password entries. -auth = "plain[passwd=/usr/local/etc/ocserv/passwd]" +# "username:groupname1,groupname2:encoded-password" +# One entry must be listed per line, and 'ocpasswd' should be used +# to generate password entries. The 'otp' suboption allows one to specify +# an oath password file to be used for one time passwords; the format of +# the file is described in https://code.google.com/p/mod-authn-otp/wiki/UsersFile +# +# radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true,nas-identifier=name]: +# The radius option requires specifying freeradius-client configuration +# file. If the groupconfig option is set, then config-per-user/group will be overridden, +# and all configuration will be read from radius. That also includes the +# Acct-Interim-Interval, and Session-Timeout values. +# +# See doc/README-radius.md for the supported radius configuration atributes. +# +# gssapi[keytab=/etc/key.tab,require-local-user-map=true,tgt-freshness-time=900] +# The gssapi option allows one to use authentication methods supported by GSSAPI, +# such as Kerberos tickets with ocserv. It should be best used as an alternative +# to PAM (i.e., have pam in auth and gssapi in enable-auth), to allow users with +# tickets and without tickets to login. The default value for require-local-user-map +# is true. The 'tgt-freshness-time' if set, it would require the TGT tickets presented +# to have been issued within the provided number of seconds. That option is used to +# restrict logins even if the KDC provides long time TGT tickets. -# A banner to be displayed on clients -banner = "Welcome to OpenConnect VPN" +#auth = "pam" +#auth = "pam[gid-min=1000]" +#auth = "plain[passwd=./sample.passwd,otp=./sample.otp]" +auth = "plain[passwd=./sample.passwd]" +#auth = "certificate" +#auth = "radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true]" -# Use listen-host to limit to specific IPs or to the IPs of a provided +# Specify alternative authentication methods that are sufficient +# for authentication. That is, if set, any of the methods enabled +# will be sufficient to login, irrespective of the main 'auth' entries. +# When multiple options are present, they are OR composed (any of them +# succeeding allows login). +#enable-auth = "certificate" +#enable-auth = "gssapi" +#enable-auth = "gssapi[keytab=/etc/key.tab,require-local-user-map=true,tgt-freshness-time=900]" + +# Accounting methods available: +# radius: can be combined with any authentication method, it provides +# radius accounting to available users (see also stats-report-time). +# +# pam: can be combined with any authentication method, it provides +# a validation of the connecting user's name using PAM. It is +# superfluous to use this method when authentication is already +# PAM. +# +# Only one accounting method can be specified. +#acct = "radius[config=/etc/radiusclient/radiusclient.conf]" + +# Use listen-host to limit to specific IPs or to the IPs of a provided # hostname. #listen-host = [IP|HOSTNAME] +# When the server has a dynamic DNS address (that may change), +# should set that to true to ask the client to resolve again on +# reconnects. +#listen-host-is-dyndns = true + +# TCP and UDP port number +tcp-port = 443 +udp-port = 443 + +# Accept connections using a socket file. It accepts HTTP +# connections (i.e., without SSL/TLS unlike its TCP counterpart), +# and uses it as the primary channel. That option is experimental +# and it has many known issues. +# * It can only be combined with certificate authentication, when receiving +# channel information through proxy protocol (see listen-proxy-proto) +# * It cannot derive any keys needed for the DTLS session (hence no support for dtls-psk) +# * It cannot enforce the framing of the SSL/TLS packets, and that +# breaks assumptions held by several openconnect clients. +# This option is not recommended for use, and may be removed +# in the future. +# +#listen-clear-file = /var/run/ocserv-conn.socket + +# The user the worker processes will be run as. It should be +# unique (no other services run as this user). +run-as-user = _ocserv +run-as-group = _ocserv + +# socket file used for IPC with occtl. You only need to set that, +# if you use more than a single servers. +#occtl-socket-file = /var/run/occtl.socket + +# socket file used for server IPC (worker-main), will be appended with .PID +# It must be accessible within the chroot environment (if any), so it is best +# specified relatively to the chroot directory. +socket-file = /var/run/ocserv-socket + +# The default server directory. Does not require any devices present. +#chroot-dir = /var/lib/ocserv + +# The key and the certificates of the server +# The key may be a file, or any URL supported by GnuTLS (e.g., +# tpmkey:uuid=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx;storage=user +# or pkcs11:object=my-vpn-key;object-type=private) +# +# The server-cert file may contain a single certificate, or +# a sorted certificate chain. +# There may be multiple server-cert and server-key directives, +# but each key should correspond to the preceding certificate. +# The certificate files will be reloaded when changed allowing for in-place +# certificate renewal (they are checked and reloaded periodically; +# a SIGHUP signal to main server will force reload). + +#server-cert = /etc/ocserv/server-cert.pem +#server-key = /etc/ocserv/server-key.pem +server-cert = ../tests/certs/server-cert.pem +server-key = ../tests/certs/server-key.pem + +# Diffie-Hellman parameters. Only needed if for old (pre 3.6.0 +# versions of GnuTLS for supporting DHE ciphersuites. +# Can be generated using: +# certtool --generate-dh-params --outfile /etc/ocserv/dh.pem +#dh-params = /etc/ocserv/dh.pem + +# In case PKCS #11, TPM or encrypted keys are used the PINs should be available +# in files. The srk-pin-file is applicable to TPM keys only, and is the +# storage root key. +#pin-file = /etc/ocserv/pin.txt +#srk-pin-file = /etc/ocserv/srkpin.txt + +# The password or PIN needed to unlock the key in server-key file. +# Only needed if the file is encrypted or a PKCS #11 object. This +# is an alternative method to pin-file. +#key-pin = 1234 + +# The SRK PIN for TPM. +# This is an alternative method to srk-pin-file. +#srk-pin = 1234 + +# The Certificate Authority that will be used to verify +# client certificates (public keys) if certificate authentication +# is set. +#ca-cert = /etc/ocserv/ca.pem +ca-cert = ../tests/certs/ca.pem + + +### All configuration options below this line are reloaded on a SIGHUP. +### The options above, will remain unchanged. Note however, that the +### server-cert, server-key, dh-params and ca-cert options will be reloaded +### if the provided file changes, on server reload. That allows certificate +### rotation, but requires the server key to remain the same for seamless +### operation. If the server key changes on reload, there may be connection +### failures during the reloading time. + + +# A banner to be displayed on clients +#banner = "Welcome" + # Limit the number of clients. Unset or set to zero for unlimited. #max-clients = 1024 -max-clients = 8 +max-clients = 16 +# Limit the number of identical clients (i.e., users connecting +# multiple times). Unset or set to zero for unlimited. +max-same-clients = 2 + +# When the server receives connections from a proxy, like haproxy +# which supports the proxy protocol, set this to obtain the correct +# client addresses. The proxy protocol would then be expected in +# the TCP or UNIX socket (not the UDP one). Although both v1 +# and v2 versions of proxy protocol are supported, the v2 version +# is recommended as it is more efficient in parsing. +#listen-proxy-proto = true + # Limit the number of client connections to one every X milliseconds # (X is the provided value). Set to zero for no limit. #rate-limit-ms = 100 -# Limit the number of identical clients (i.e., users connecting -# multiple times). Unset or set to zero for unlimited. -max-same-clients = 2 +# Stats report time. The number of seconds after which each +# worker process will report its usage statistics (number of +# bytes transferred etc). This is useful when accounting like +# radius is in use. +#stats-report-time = 360 -# TCP and UDP port number -tcp-port = 4443 -udp-port = 4443 +# Stats reset time. The period of time statistics kept by main/sec-mod +# processes will be reset. These are the statistics shown by cmd +# 'occtl show stats'. For daily: 86400, weekly: 604800 +# This is unrelated to stats-report-time. +server-stats-reset-time = 604800 # Keepalive in seconds keepalive = 32400 # Dead peer detection in seconds. -dpd = 120 +# Note that when the client is behind a NAT this value +# needs to be short enough to prevent the NAT disassociating +# his UDP session from the port number. Otherwise the client +# could have his UDP connection stalled, for several minutes. +dpd = 90 -# Dead peer detection for mobile clients. The needs to -# be much higher to prevent such clients being awaken too +# Dead peer detection for mobile clients. That needs to +# be higher to prevent such clients being awaken too # often by the DPD messages, and save battery. -# (clients that send the X-AnyConnect-Identifier-DeviceType) -#mobile-dpd = 1800 +# The mobile clients are distinguished from the header +# 'X-AnyConnect-Identifier-Platform'. +mobile-dpd = 1800 +# If using DTLS, and no UDP traffic is received for this +# many seconds, attempt to send future traffic over the TCP +# connection instead, in an attempt to wake up the client +# in the case that there is a NAT and the UDP translation +# was deleted. If this is unset, do not attempt to use this +# recovery mechanism. +switch-to-tcp-timeout = 25 + # MTU discovery (DPD must be enabled) try-mtu-discovery = false -# The key and the certificates of the server -# The key may be a file, or any URL supported by GnuTLS (e.g., -# tpmkey:uuid=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx;storage=user -# or pkcs11:object=my-vpn-key;object-type=private) -# -# There may be multiple certificate and key pairs and each key -# should correspond to the preceding certificate. -server-cert = /usr/local/etc/ocserv/pub.pem -server-key = /usr/local/etc/ocserv/key.pem - -# Diffie-Hellman parameters. Only needed if you require support -# for the DHE ciphersuites (by default this server supports ECDHE). -# Can be generated using: -# certtool --generate-dh-params --outfile /path/to/dh.pem -#dh-params = /path/to/dh.pem - # If you have a certificate from a CA that provides an OCSP # service you may provide a fresh OCSP status response within # the TLS handshake. That will prevent the client from connecting @@ -72,65 +242,132 @@ server-key = /usr/local/etc/ocserv/key.pem # You can update this response periodically using: # ocsptool --ask --load-cert=your_cert --load-issuer=your_ca --outfile response # Make sure that you replace the following file in an atomic way. -#ocsp-response = /path/to/ocsp.der +#ocsp-response = /etc/ocserv/ocsp.der -# In case PKCS #11 or TPM keys are used the PINs should be available -# in files. The srk-pin-file is applicable to TPM keys only, and is the -# storage root key. -#pin-file = /path/to/pin.txt -#srk-pin-file = /path/to/srkpin.txt - -# The Certificate Authority that will be used to verify -# client certificates (public keys) if certificate authentication -# is set. -#ca-cert = /usr/local/etc/ocserv/ca.pem - # The object identifier that will be used to read the user ID in the client # certificate. The object identifier should be part of the certificate's DN # Useful OIDs are: -# CN = 2.5.4.3, UID = 0.9.2342.19200300.100.1.1 -#cert-user-oid = 0.9.2342.19200300.100.1.1 +# CN = 2.5.4.3, UID = 0.9.2342.19200300.100.1.1, SAN(rfc822name) +cert-user-oid = 0.9.2342.19200300.100.1.1 # The object identifier that will be used to read the user group in the -# client certificate. The object identifier should be part of the certificate's -# DN. Useful OIDs are: +# client certificate. The object identifier should be part of the certificate's +# DN. If the user may belong to multiple groups, then use multiple such fields +# in the certificate's DN. Useful OIDs are: # OU (organizational unit) = 2.5.4.11 #cert-group-oid = 2.5.4.11 # The revocation list of the certificates issued by the 'ca-cert' above. -#crl = /usr/local/etc/ocserv/crl.pem +# See the manual to generate an empty CRL initially. The CRL will be reloaded +# periodically when ocserv detects a change in the file. To force a reload use +# SIGHUP. +#crl = /etc/ocserv/crl.pem -# GnuTLS priority string -tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT" +# Uncomment this to enable compression negotiation (LZS, LZ4). +#compression = true -# To enforce perfect forward secrecy (PFS) on the main channel. -#tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA" +# Set the minimum size under which a packet will not be compressed. +# That is to allow low-latency for VoIP packets. The default size +# is 256 bytes. Modify it if the clients typically use compression +# as well of VoIP with codecs that exceed the default value. +#no-compress-limit = 256 +# GnuTLS priority string; note that SSL 3.0 is disabled by default +# as there are no openconnect (and possibly anyconnect clients) using +# that protocol. The string below does not enforce perfect forward +# secrecy, in order to be compatible with legacy clients. +# +# Note that the most performant ciphersuites are the moment are the ones +# involving AES-GCM. These are very fast in x86 and x86-64 hardware, and +# in addition require no padding, thus taking full advantage of the MTU. +# For that to be taken advantage of, the openconnect client must be +# used, and the server must be compiled against GnuTLS 3.2.7 or later. +# Use "gnutls-cli --benchmark-tls-ciphers", to see the performance +# difference with AES_128_CBC_SHA1 (the default for anyconnect clients) +# in your system. + +tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0" + +# More combinations in priority strings are available, check +# http://gnutls.org/manual/html_node/Priority-Strings.html +# E.g., the string below enforces perfect forward secrecy (PFS) +# on the main channel. +#tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128" + +# That option requires the established DTLS channel to use the same +# cipher as the primary TLS channel. This cannot be combined with +# listen-clear-file since the ciphersuite information is not available +# in that configuration. Note also, that this option implies that +# dtls-legacy option is false; this option cannot be enforced +# in the legacy/compat protocol. +#match-tls-dtls-ciphers = true + # The time (in seconds) that a client is allowed to stay connected prior # to authentication -auth-timeout = 40 +auth-timeout = 240 # The time (in seconds) that a client is allowed to stay idle (no traffic) # before being disconnected. Unset to disable. #idle-timeout = 1200 +# The time (in seconds) that a client is allowed to stay connected +# Unset to disable. When set a client will be disconnected after being +# continuously connected for this amount of time, and its cookies will +# be invalidated (i.e., re-authentication will be required). +#session-timeout = 86400 + # The time (in seconds) that a mobile client is allowed to stay idle (no # traffic) before being disconnected. Unset to disable. #mobile-idle-timeout = 2400 # The time (in seconds) that a client is not allowed to reconnect after # a failed authentication attempt. -#min-reauth-time = 2 +min-reauth-time = 300 -# Cookie validity time (in seconds) +# Banning clients in ocserv works with a point system. IP addresses +# that get a score over that configured number are banned for +# min-reauth-time seconds. By default a wrong password attempt is 10 points, +# a KKDCP POST is 1 point, and a connection is 1 point. Note that +# due to difference processes being involved the count of points +# will not be real-time precise. +# +# Score banning cannot be reliably used when receiving proxied connections +# locally from an HTTP server (i.e., when listen-clear-file is used). +# +# Set to zero to disable. +max-ban-score = 80 + +# The time (in seconds) that all score kept for a client is reset. +ban-reset-time = 1200 + +# In case you'd like to change the default points. +#ban-points-wrong-password = 10 +#ban-points-connection = 1 +#ban-points-kkdcp = 1 + +# Cookie timeout (in seconds) # Once a client is authenticated he's provided a cookie with -# which he can reconnect. This option sets the maximum lifetime -# of that cookie. -#cookie-validity = 86400 +# which he can reconnect. That cookie will be invalidated if not +# used within this timeout value. This cookie remains valid, during +# the user's connected time, and after user disconnection it +# remains active for this amount of time. That setting should allow a +# reasonable amount of time for roaming between different networks. +cookie-timeout = 300 +# If this is enabled (not recommended) the cookies will stay +# valid even after a user manually disconnects, and until they +# expire. This may improve roaming with some broken clients. +#persistent-cookies = true + +# Whether roaming is allowed, i.e., if true a cookie is +# restricted to a single IP address and cannot be re-used +# from a different IP. +deny-roaming = false + # ReKey time (in seconds) # ocserv will ask the client to refresh keys periodically once -# this amount of seconds is elapsed. Set to zero to disable. +# this amount of seconds is elapsed. Set to zero to disable (note +# that, some clients fail if rekey is disabled). rekey-time = 172800 # ReKey method @@ -142,36 +379,39 @@ rekey-time = 172800 # option. rekey-method = ssl -# Script to call when a client connects and obtains an IP -# Parameters are passed on the environment. -# REASON, USERNAME, GROUPNAME, HOSTNAME (the hostname selected by client), -# DEVICE, IP_REAL (the real IP of the client), IP_LOCAL (the local IP -# in the P-t-P connection), IP_REMOTE (the VPN IP of the client), +# Script to call when a client connects and obtains an IP. +# The following parameters are passed on the environment. +# REASON, VHOST, USERNAME, GROUPNAME, DEVICE, IP_REAL (the real IP of the client), +# IP_REAL_LOCAL (the local interface IP the client connected), IP_LOCAL +# (the local IP in the P-t-P connection), IP_REMOTE (the VPN IP of the client), +# IPV6_LOCAL (the IPv6 local address if there are both IPv4 and IPv6 +# assigned), IPV6_REMOTE (the IPv6 remote address), IPV6_PREFIX, and # ID (a unique numeric ID); REASON may be "connect" or "disconnect". -#connect-script = /scripts/ocserv-script -#disconnect-script = /scripts/ocserv-script +# In addition the following variables OCSERV_ROUTES (the applied routes for this +# client), OCSERV_NO_ROUTES, OCSERV_DNS (the DNS servers for this client), +# will contain a space separated list of routes or DNS servers. A version +# of these variables with the 4 or 6 suffix will contain only the IPv4 or +# IPv6 values. +# The disconnect script will receive the additional values: STATS_BYTES_IN, +# STATS_BYTES_OUT, STATS_DURATION that contain a 64-bit counter of the bytes +# output from the tun device, and the duration of the session in seconds. + +#connect-script = /usr/bin/myscript +#disconnect-script = /usr/bin/myscript + # UTMP -use-utmp = false +# Register the connected clients to utmp. This will allow viewing +# the connected clients using the command 'who'. +#use-utmp = true -# OCCTL +# Whether to enable support for the occtl tool (i.e., either through D-BUS, +# or via a unix socket). use-occtl = true -# PID file. It can be overriden in the command line. -pid-file = /var/run/ocserv/pid +# PID file. It can be overridden in the command line. +pid-file = /var/run/ocserv.pid -# The default server directory. Does not require any devices present. -chroot-dir = /var/run/ocserv - -# socket file used for IPC, will be appended with .PID -# It must be accessible within the chroot environment (if any) -socket-file = socket - -# The user the worker processes will be run as. It should be -# unique (no other services run as this user). -run-as-user = _ocserv -run-as-group = _ocserv - # Set the protocol-defined priority (SO_PRIORITY) for packets to # be sent. That is a number from 0 to 6 with 0 being the lowest # priority. Alternatively this can be used to set the IP Type- @@ -187,16 +427,44 @@ run-as-group = _ocserv # Network settings # -# The name of the tun device +# The name to use for the tun device device = vpns +# Whether the generated IPs will be predictable, i.e., IP stays the +# same for the same user when possible. +predictable-ips = true + # The default domain to be advertised default-domain = example.com -# The pool of addresses that leases will be given from. +# The pool of addresses that leases will be given from. If the leases +# are given via Radius, or via the explicit-ip? per-user config option then +# these network values should contain a network with at least a single +# address that will remain under the full control of ocserv (that is +# to be able to assign the local part of the tun device address). +# Note that, you could use addresses from a subnet of your LAN network if you +# enable [proxy arp in the LAN interface](http://ocserv.gitlab.io/www/recipes-ocserv-pseudo-bridge.html); +# in that case it is recommended to set ping-leases to true. ipv4-network = 192.168.1.0 ipv4-netmask = 255.255.255.0 +# An alternative way of specifying the network: +#ipv4-network = 192.168.1.0/24 + +# The IPv6 subnet that leases will be given from. +#ipv6-network = fda9:4efe:7e3b:03ea::/48 + +# Specify the size of the network to provide to clients. It is +# generally recommended to provide clients with a /64 network in +# IPv6, but any subnet may be specified. To provide clients only +# with a single IP use the prefix 128. +#ipv6-subnet-prefix = 128 +#ipv6-subnet-prefix = 64 + +# Whether to tunnel all DNS queries via the VPN. This is the default +# when a default route is set. +#tunnel-all-dns = true + # The advertized DNS server. Use multiple lines for # multiple servers. # dns = fc00::4be0 @@ -205,20 +473,21 @@ dns = 192.168.1.2 # The NBNS server (if any) #nbns = 192.168.1.3 -# The IPv6 subnet that leases will be given from. -#ipv6-network = fc00:: -#ipv6-prefix = 16 - # The domains over which the provided DNS should be used. Use # multiple lines for multiple domains. #split-dns = example.com # Prior to leasing any IP from the pool ping it to verify that # it is not in use by another (unrelated to this server) host. +# Only set to true, if there can be occupied addresses in the +# IP range for leases. ping-leases = false -# Unset to assign the default MTU of the device -# mtu = +# Use this option to set a link MTU value to the incoming +# connections. Unset to use the default MTU of the TUN device. +# Note that the MTU is negotiated using the value set and the +# value sent by the peer. +#mtu = 1420 # Unset to enable bandwidth restrictions (in bytes/sec). The # setting here is global, but can also be set per user or per group. @@ -235,56 +504,186 @@ ping-leases = false # config-per-user/group or even connect and disconnect scripts. # # To set the server as the default gateway for the client just -# comment out all routes from the server. -route = 192.168.1.0/255.255.255.0 -route = 192.168.5.0/255.255.255.0 +# comment out all routes from the server, or use the special keyword +# 'default'. + +route = 10.10.10.0/255.255.255.0 +route = 192.168.0.0/255.255.0.0 #route = fef4:db8:1000:1001::/64 +#route = default +# Subsets of the routes above that will not be routed by +# the server. + +no-route = 192.168.5.0/255.255.255.0 + +# Note the that following two firewalling options currently are available +# in Linux systems with iptables software. + +# If set, the script /usr/local/bin/ocserv-fw will be called to restrict +# the user to its allowed routes and prevent him from accessing +# any other routes. In case of defaultroute, the no-routes are restricted. +# All the routes applied by ocserv can be reverted using /usr/local/bin/ocserv-fw +# --removeall. This option can be set globally or in the per-user configuration. +#restrict-user-to-routes = true + +# This option implies restrict-user-to-routes set to true. If set, the +# script /usr/local/bin/ocserv-fw will be called to restrict the user to +# access specific ports in the network. This option can be set globally +# or in the per-user configuration. +#restrict-user-to-ports = "tcp(443), tcp(80), udp(443), sctp(99), tcp(583), icmp(), icmpv6()" + +# You could also use negation, i.e., block the user from accessing these ports only. +#restrict-user-to-ports = "!(tcp(443), tcp(80))" + +# When set to true, all client's iroutes are made visible to all +# connecting clients except for the ones offering them. This option +# only makes sense if config-per-user is set. +#expose-iroutes = true + +# Groups that a client is allowed to select from. +# A client may belong in multiple groups, and in certain use-cases +# it is needed to switch between them. For these cases the client can +# select prior to authentication. Add multiple entries for multiple groups. +# The group may be followed by a user-friendly name in brackets. +#select-group = group1 +#select-group = group2[My special group] + +# The name of the (virtual) group that if selected it would assign the user +# to its default group. +#default-select-group = DEFAULT + +# Instead of specifying manually all the allowed groups, you may instruct +# ocserv to scan all available groups and include the full list. +#auto-select-group = true + # Configuration files that will be applied per user connection or # per group. Each file name on these directories must match the username # or the groupname. # The options allowed in the configuration files are dns, nbns, -# ipv?-network, ipv4-netmask, ipv6-prefix, rx/tx-per-sec, iroute, route, -# net-priority and cgroup. +# ipv?-network, ipv4-netmask, rx/tx-per-sec, iroute, route, no-route, +# explicit-ipv4, explicit-ipv6, net-priority, deny-roaming, no-udp, +# keepalive, dpd, mobile-dpd, max-same-clients, tunnel-all-dns, +# restrict-user-to-routes, user-profile, cgroup, stats-report-time, +# mtu, idle-timeout, mobile-idle-timeout, restrict-user-to-ports, +# and session-timeout. # -# Note that the 'iroute' option allows to add routes on the server +# Note that the 'iroute' option allows one to add routes on the server # based on a user or group. The syntax depends on the input accepted -# by the commands route-add-cmd and route-del-cmd (see below). +# by the commands route-add-cmd and route-del-cmd (see below). The no-udp +# is a boolean option (e.g., no-udp = true), and will prevent a UDP session +# for that specific user or group. The hostname option will set a +# hostname to override any proposed by the user. Note also, that, any +# routes, no-routes, DNS or NBNS servers present will overwrite the global ones. #config-per-user = /usr/local/etc/ocserv/config-per-user/ #config-per-group = /usr/local/etc/ocserv/config-per-group/ -# The system command to use to setup a route. %R will be replaced with the -# route/mask and %D with the (tun) device. +# When config-per-xxx is specified and there is no group or user that +# matches, then utilize the following configuration. +#default-user-config = /usr/local/etc/ocserv/defaults/user.conf +#default-group-config = /usr/local/etc/ocserv/defaults/group.conf + +# The system command to use to setup a route. %{R} will be replaced with the +# route/mask, %{RI} with the route in CIDR format, and %{D} with the (tun) device. # -# The following example is from linux systems. %R should be something -# like 192.168.2.0/24 +# The following example is from linux systems. %{R} should be something +# like 192.168.2.0/255.255.255.0 and %{RI} 192.168.2.0/24 (the argument of iroute). -#route-add-cmd = "ip route add %R dev %D" -#route-del-cmd = "ip route delete %R dev %D" +#route-add-cmd = "ip route add %{R} dev %{D}" +#route-del-cmd = "ip route delete %{R} dev %{D}" +# This option allows one to forward a proxy. The special keywords '%{U}' +# and '%{G}', if present will be replaced by the username and group name. +#proxy-url = http://example.com/ +#proxy-url = http://example.com/%{U}/ + +# This option allows you to specify a URL location where a client can +# post using MS-KKDCP, and the message will be forwarded to the provided +# KDC server. That is a translation URL between HTTP and Kerberos. +# In MIT kerberos you'll need to add in realms: +# EXAMPLE.COM = { +# kdc = https://ocserv.example.com/KdcProxy +# http_anchors = FILE:/etc/ocserv-ca.pem +# } +# In some distributions the krb5-k5tls plugin of kinit is required. # -# The following options are for (experimental) AnyConnect client -# compatibility. +# The following option is available in ocserv, when compiled with GSSAPI support. -# Client profile xml. A sample file exists in doc/profile.xml. +#kkdcp = "SERVER-PATH KERBEROS-REALM PROTOCOL@SERVER:PORT" +#kkdcp = "/KdcProxy KERBEROS.REALM udp@127.0.0.1:88" +#kkdcp = "/KdcProxy KERBEROS.REALM tcp@127.0.0.1:88" +#kkdcp = "/KdcProxy KERBEROS.REALM tcp@[::1]:88" + +# Client profile xml. This can be used to advertise alternative servers +# to the client. A minimal file can be: +# +# +# +# +# VPN Server name +# localhost +# +# +# +# +# Other fields may be used by some of the CISCO clients. # This file must be accessible from inside the worker's chroot. -# It is not used by the openconnect client. +# Note that enabling this option is not recommended as it will allow +# the worker processes to open arbitrary files (when isolate-workers is +# set to true). #user-profile = profile.xml -# Binary files that may be downloaded by the CISCO client. Must -# be within any chroot environment. -#binary-files = /path/to/binaries +# +# The following options are for (experimental) AnyConnect client +# compatibility. -# Unless set to false it is required for clients to present their -# certificate even if they are authenticating via a previously granted -# cookie and complete their authentication in the same TCP connection. -# Legacy CISCO clients do not do that, and thus this option should be -# set for them. +# This option will enable the pre-draft-DTLS version of DTLS, and +# will not require clients to present their certificate on every TLS +# connection. It must be set to true to support legacy CISCO clients +# and openconnect clients < 7.08. When set to true, it implies dtls-legacy = true. cisco-client-compat = true +# This option allows one to disable the DTLS-PSK negotiation (enabled by default). +# The DTLS-PSK negotiation was introduced in ocserv 0.11.5 to deprecate +# the pre-draft-DTLS negotiation inherited from AnyConnect. It allows the +# DTLS channel to negotiate its ciphers and the DTLS protocol version. +#dtls-psk = false + +# This option allows one to disable the legacy DTLS negotiation (enabled by default, +# but that may change in the future). +# The legacy DTLS uses a pre-draft version of the DTLS protocol and was +# from AnyConnect protocol. It has several limitations, that are addressed +# by the dtls-psk protocol supported by openconnect 7.08+. +dtls-legacy = true + #Advanced options # Option to allow sending arbitrary custom headers to the client after -# authentication and prior to VPN tunnel establishment. +# authentication and prior to VPN tunnel establishment. You shouldn't +# need to use this option normally; if you do and you think that +# this may help others, please send your settings and reason to +# the openconnect mailing list. The special keywords '%{U}' +# and '%{G}', if present will be replaced by the username and group name. #custom-header = "X-My-Header: hi there" + + + +# An example virtual host with different authentication methods serviced +# by this server. + +[vhost:www.example.com] +auth = "certificate" + +ca-cert = ../tests/certs/ca.pem + +# The certificate set here must include a 'dns_name' corresponding to +# the virtual host name. + +server-cert = ../tests/certs/server-cert-secp521r1.pem +server-key = ../tests/certs/server-key-secp521r1.pem + +ipv4-network = 192.168.2.0 +ipv4-netmask = 255.255.255.0 + +cert-user-oid = 0.9.2342.19200300.100.1.1 Modified: head/net/ocserv/files/patch-configure.ac ============================================================================== --- head/net/ocserv/files/patch-configure.ac Mon May 14 18:18:12 2018 (r469942) +++ head/net/ocserv/files/patch-configure.ac Mon May 14 18:23:23 2018 (r469943) @@ -1,15 +1,15 @@ ---- configure.ac.orig 2017-02-12 09:19:02 UTC +--- configure.ac.orig 2018-04-22 08:43:20 UTC +++ configure.ac -@@ -19,7 +19,7 @@ if [ test "$GCC" = "yes" ];then +@@ -15,7 +15,7 @@ AM_PROG_AR + AM_PROG_CC_C_O + AC_PROG_SED + if [ test "$GCC" = "yes" ];then +- CFLAGS="$CFLAGS -Wall -Wno-strict-aliasing -Wextra -Wno-unused-parameter -Wno-sign-compare -Wno-missing-field-initializers -Wno-implicit-fallthrough -Wno-stringop-truncation" ++ CFLAGS="$CFLAGS -Wall -Wno-strict-aliasing -Wextra -Wno-unused-parameter -Wno-sign-compare -Wno-missing-field-initializers -Wno-implicit-fallthrough" fi AC_PATH_PROG(CTAGS, ctags, [:]) AC_PATH_PROG(CSCOPE, cscope, [:]) --AC_CHECK_PROG([AUTOGEN], [autogen], [autogen], [:]) -+AC_CHECK_PROG([AUTOGEN], [autogen], [autogen], [autogen]) - - AX_CODE_COVERAGE - -@@ -140,7 +140,7 @@ if test "$test_for_libnl" = yes;then +@@ -168,7 +168,7 @@ if test "$test_for_geoip" = yes;then fi have_readline=no @@ -18,20 +18,3 @@ #include #include ], [rl_replace_line(0,0);]) if test x$ac_cv_libreadline = xyes; then -@@ -190,6 +190,7 @@ AC_ARG_WITH(pam, - - pam_enabled=no - -+oldlibs=$LIBS - if test "$test_for_pam" = yes;then - oldlibs=$LIBS - LIBS="$oldlibs -lpam" -@@ -511,7 +512,7 @@ if test "$NEED_LIBOPTS_DIR" = "true";the - src/ocpasswd-args.h:src/ocpasswd/ocpasswd-args.h.in - src/ocserv-args.c:src/ocserv-args.c.in - src/ocserv-args.h:src/ocserv-args.h.in]) -- AC_SUBST([AUTOGEN], [:]) -+ AC_SUBST([AUTOGEN], [autogen]) - enable_local_libopts=yes - else - enable_local_libopts=no Added: head/net/ocserv/files/patch-doc_sample.config ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/net/ocserv/files/patch-doc_sample.config Mon May 14 18:23:23 2018 (r469943) @@ -0,0 +1,76 @@ +--- doc/sample.config.orig 2018-04-15 19:13:39 UTC ++++ doc/sample.config +@@ -19,7 +19,7 @@ + # This enabled PAM authentication of the user. The gid-min option is used + # by auto-select-group option, in order to select the minimum valid group ID. + # +-# plain[passwd=/etc/ocserv/ocpasswd,otp=/etc/ocserv/users.otp] ++# plain[passwd=/usr/local/etc/ocserv/ocpasswd,otp=/etc/ocserv/users.otp] + # The plain option requires specifying a password file which contains + # entries of the following format. + # "username:groupname1,groupname2:encoded-password" +@@ -102,8 +102,8 @@ udp-port = 443 + + # The user the worker processes will be run as. It should be + # unique (no other services run as this user). +-run-as-user = nobody +-run-as-group = daemon ++run-as-user = _ocserv ++run-as-group = _ocserv + + # socket file used for IPC with occtl. You only need to set that, + # if you use more than a single servers. +@@ -172,16 +172,6 @@ ca-cert = ../tests/certs/ca.pem + ### failures during the reloading time. + + +-# Whether to enable seccomp/Linux namespaces worker isolation. That restricts the number of +-# system calls allowed to a worker process, in order to reduce damage from a +-# bug in the worker process. It is available on Linux systems at a performance cost. +-# The performance cost is roughly 2% overhead at transfer time (tested on a Linux 3.17.8). +-# Note however, that process isolation is restricted to the specific libc versions +-# the isolation was tested at. If you get random failures on worker processes, try +-# disabling that option and report the failures you, along with system and debugging +-# information at: https://gitlab.com/ocserv/ocserv/issues +-isolate-workers = true +- + # A banner to be displayed on clients + #banner = "Welcome" + +@@ -530,15 +520,15 @@ no-route = 192.168.5.0/255.255.255.0 + # Note the that following two firewalling options currently are available + # in Linux systems with iptables software. + +-# If set, the script /usr/bin/ocserv-fw will be called to restrict ++# If set, the script /usr/local/bin/ocserv-fw will be called to restrict + # the user to its allowed routes and prevent him from accessing + # any other routes. In case of defaultroute, the no-routes are restricted. +-# All the routes applied by ocserv can be reverted using /usr/bin/ocserv-fw ++# All the routes applied by ocserv can be reverted using /usr/local/bin/ocserv-fw + # --removeall. This option can be set globally or in the per-user configuration. + #restrict-user-to-routes = true + + # This option implies restrict-user-to-routes set to true. If set, the +-# script /usr/bin/ocserv-fw will be called to restrict the user to ++# script /usr/local/bin/ocserv-fw will be called to restrict the user to + # access specific ports in the network. This option can be set globally + # or in the per-user configuration. + #restrict-user-to-ports = "tcp(443), tcp(80), udp(443), sctp(99), tcp(583), icmp(), icmpv6()" +@@ -586,13 +576,13 @@ no-route = 192.168.5.0/255.255.255.0 + # hostname to override any proposed by the user. Note also, that, any + # routes, no-routes, DNS or NBNS servers present will overwrite the global ones. + +-#config-per-user = /etc/ocserv/config-per-user/ +-#config-per-group = /etc/ocserv/config-per-group/ ++#config-per-user = /usr/local/etc/ocserv/config-per-user/ ++#config-per-group = /usr/local/etc/ocserv/config-per-group/ + + # When config-per-xxx is specified and there is no group or user that + # matches, then utilize the following configuration. +-#default-user-config = /etc/ocserv/defaults/user.conf +-#default-group-config = /etc/ocserv/defaults/group.conf ++#default-user-config = /usr/local/etc/ocserv/defaults/user.conf ++#default-group-config = /usr/local/etc/ocserv/defaults/group.conf + + # The system command to use to setup a route. %{R} will be replaced with the + # route/mask, %{RI} with the route in CIDR format, and %{D} with the (tun) device. Modified: head/net/ocserv/files/patch-src_config.c ============================================================================== --- head/net/ocserv/files/patch-src_config.c Mon May 14 18:18:12 2018 (r469942) +++ head/net/ocserv/files/patch-src_config.c Mon May 14 18:23:23 2018 (r469943) @@ -1,34 +1,11 @@ ---- src/config.c.orig 2016-09-22 13:51:31 UTC +--- src/config.c.orig 2018-04-15 19:13:39 UTC +++ src/config.c -@@ -54,8 +54,7 @@ - #include - #include "common-config.h" +@@ -57,7 +57,7 @@ + #include --#define OLD_DEFAULT_CFG_FILE "/etc/ocserv.conf" *** DIFF OUTPUT TRUNCATED AT 1000 LINES ***