From 5b9f8224631f705c67b108fbb7b9794dea44d960 Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos
Date: Tue, 3 Jun 2014 18:18:45 +0200
Subject: [PATCH] Added ocserv
---
net/ocserv/Config.in | 14 +
net/ocserv/Makefile | 77 ++++
net/ocserv/files/config | 17 +
net/ocserv/files/ocserv-script | 11 +
net/ocserv/files/ocserv.conf.template | 339 ++++++++++++++++++
net/ocserv/files/ocserv.init | 187 ++++++++++
.../patches/0001-native-endianess.patch | 70 ++++
7 files changed, 715 insertions(+)
create mode 100644 net/ocserv/Config.in
create mode 100644 net/ocserv/Makefile
create mode 100644 net/ocserv/files/config
create mode 100755 net/ocserv/files/ocserv-script
create mode 100644 net/ocserv/files/ocserv.conf.template
create mode 100644 net/ocserv/files/ocserv.init
create mode 100644 net/ocserv/patches/0001-native-endianess.patch
diff --git a/net/ocserv/Config.in b/net/ocserv/Config.in
new file mode 100644
index 0000000000..75ebd5ada5
--- /dev/null
+++ b/net/ocserv/Config.in
@@ -0,0 +1,14 @@
+# ocserv avanced configuration
+
+menu "Configuration"
+ depends on PACKAGE_ocserv
+
+config OCSERV_PAM
+ bool "enable PAM"
+ default n
+
+config OCSERV_PROTOBUF
+ bool "use external libprotobuf"
+ default n
+
+endmenu
diff --git a/net/ocserv/Makefile b/net/ocserv/Makefile
new file mode 100644
index 0000000000..4a16469e77
--- /dev/null
+++ b/net/ocserv/Makefile
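Review bot: The header comment of the new Config.in misspells its own purpose, `# ocserv avanced configuration`; it should read `# ocserv advanced configuration`. The two options themselves carry no help text, so a one-line `help` entry under each (what enabling PAM changes for the auth= setting, and when an external libprotobuf is wanted) would make the menu self-explanatory.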
@@ -0,0 +1,77 @@
+#
+# Copyright (C) 2007-2011 OpenWrt.org
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=ocserv
+PKG_VERSION:=0.8.0
+PKG_RELEASE:=2
+
+PKG_BUILD_DIR :=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION)
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
+PKG_SOURCE_URL :=ftp://ftp.infradead.org/pub/ocserv/
+PKG_MD5SUM:=6383535a21f8eecfb1bbb7f7ac99c41f
+
+PKG_LICENSE:=GPLv3
+PKG_LICENSE_FILES:=COPYING
+PKG_FIXUP:=autoreconf
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/ocserv/config
+ source "$(SOURCE)/Config.in"
+endef
+
+define Package/ocserv
+ SECTION:=net
+ CATEGORY:=Network
+ SUBMENU:=VPN
+ TITLE:=OpenConnect VPN server
+ URL:=http://www.infradead.org/ocserv/
+ MAINTAINER:=Nikos Mavrogiannopoulos
+ DEPENDS:= +libgnutls +libncurses +libreadline +OCSERV_PAM:libpam +OCSERV_PROTOBUF:libprotobuf-c
+endef
+
+define Package/ocserv/description
+ OpenConnect server (ocserv) is an SSL VPN server. Its purpose is to be
+ a secure, small, fast and configurable VPN server. It implements the
+ OpenConnect SSL VPN protocol, and has also (currently experimental)
+ compatibility with clients using the AnyConnect SSL VPN protocol. The
+ OpenConnect VPN protocol uses the standard IETF security protocols such
+ as TLS 1.2, and Datagram TLS to provide the secure VPN service.
+endef
+
+EXTRA_CPPFLAGS+=-I$(STAGING_DIR)/usr/include/readline/
+EXTRA_LDFLAGS+=-lncurses
+
+CONFIGURE_ARGS+= \
+ --enable-local-libopts \
+ --with-libreadline-prefix="$(STAGING_DIR)/" \
+
+ifneq ($(CONFIG_OCSERV_PAM),y)
+CONFIGURE_ARGS += --without-pam
+endif
+
+ifneq ($(CONFIG_OCSERV_PROTOBUF),y)
+CONFIGURE_ARGS += --without-protobuf
+endif
+
+define Package/ocserv/install
+ $(INSTALL_DIR) $(1)/usr/sbin
+ $(INSTALL_BIN) $(PKG_BUILD_DIR)/src/ocserv $(1)/usr/sbin/
+ $(INSTALL_DIR) $(1)/usr/bin
+ $(INSTALL_BIN) $(PKG_BUILD_DIR)/src/ocpasswd $(1)/usr/bin/
+ $(INSTALL_BIN) $(PKG_BUILD_DIR)/src/occtl $(1)/usr/bin/
+ $(INSTALL_DIR) $(1)/etc/init.d
+ $(INSTALL_BIN) ./files/ocserv.init $(1)/etc/init.d/ocserv
+ $(INSTALL_DIR) $(1)/etc/ocserv
+ $(INSTALL_CONF) ./files/ocserv.conf.template $(1)/etc/ocserv/ocserv.conf.template
+ $(INSTALL_DIR) $(1)/etc/config
+ $(INSTALL_CONF) ./files/config $(1)/etc/config/ocserv
+endef
+
+$(eval $(call BuildPackage,ocserv))
diff --git a/net/ocserv/files/config b/net/ocserv/files/config
new file mode 100644
index 0000000000..48144598c0
--- /dev/null
+++ b/net/ocserv/files/config
@@ -0,0 +1,17 @@
+
+config ocserv 'config'
+ option port '4443'
+ option dpd '180'
+ option max_clients '8'
+ option max_same '2'
+ option enable '0'
+ option zone 'lan'
+
+config ocservusers
+
+config dns
+ option ip '8.8.8.8'
+
+config routes
+ option ip '192.168.1.0'
+ option netmask '255.255.255.0'
diff --git a/net/ocserv/files/ocserv-script b/net/ocserv/files/ocserv-script
new file mode 100755
index 0000000000..e0a601b75d
--- /dev/null
+++ b/net/ocserv/files/ocserv-script
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+ZONE=`uci get ocserv.config.ZONE`
+
+if [ "$REASON" = "connect" ];then
+ env -i ACTION=ifup INTERFACE="$ZONE" DEVICE=$DEVICE /sbin/hotplug-call "iface"
+else
+ env -i ACTION=ifdown INTERFACE="$ZONE" DEVICE=$DEVICE /sbin/hotplug-call "iface"
+fi
+
+exit 0
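Review bot: Package/ocserv/install never installs files/ocserv-script, although the conf template added in this commit sets connect-script and disconnect-script to /usr/bin/ocserv-script and the file is added with mode 100755; on the target the hook is missing and the ifup/ifdown hotplug events it is meant to raise never happen. Add `$(INSTALL_BIN) ./files/ocserv-script $(1)/usr/bin/` next to the occtl line. The tarball is fetched over plain ftp and pinned only by PKG_MD5SUM, so the integrity of the build input rests on that single MD5 value; confirm it against upstream's signed release before merging.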
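Review bot: `option enable '0'` is shipped in the default config but nothing in the init script added in this commit reads it, so the service starts regardless of the value and the option is misleading. Either have start() return early when enable is 0 (`config_get_bool enable config enable 0; [ "$enable" = 1 ] || return`) or drop the option from the defaults.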
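Review bot: `ZONE=\`uci get ocserv.config.ZONE\`` reads an option named ZONE, but the config added in this commit defines it as `option zone 'lan'`; uci option names are case-sensitive, so the lookup fails, ZONE stays empty and every connect/disconnect raises a hotplug event with INTERFACE="". Change the line to `ZONE=$(uci -q get ocserv.config.zone)`. `DEVICE=$DEVICE` should also be quoted as `DEVICE="$DEVICE"` so an empty or unusual device name from the server's environment is passed through intact rather than word-split.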
diff --git a/net/ocserv/files/ocserv.conf.template b/net/ocserv/files/ocserv.conf.template
new file mode 100644
index 0000000000..8461b90270
--- /dev/null
+++ b/net/ocserv/files/ocserv.conf.template
@@ -0,0 +1,339 @@
+# User authentication method. Could be set multiple times and in that case
+# all should succeed.
+# Options: certificate, pam.
+#auth = "certificate"
+#auth = "pam"
+
+# The gid-min option is used by auto-select-group option, in order to
+# select the minimum group ID.
+#auth = "pam[gid-min=1000]"
+
+# The plain option requires specifying a password file which contains
+# entries of the following format.
+# "username:groupname:encoded-password"
+# One entry must be listed per line, and 'ocpasswd' can be used
+# to generate password entries.
+auth = "|AUTH|"
+
+# A banner to be displayed on clients
+banner = "Welcome to OpenWRT"
+
+# Use listen-host to limit to specific IPs or to the IPs of a provided
+# hostname.
+#listen-host = [IP|HOSTNAME]
+
+# Limit the number of clients. Unset or set to zero for unlimited.
+#max-clients = 1024
+max-clients = |MAX_CLIENTS|
+
+# Limit the number of client connections to one every X milliseconds
+# (X is the provided value). Set to zero for no limit.
+#rate-limit-ms = 100
+
+# Limit the number of identical clients (i.e., users connecting
+# multiple times). Unset or set to zero for unlimited.
+max-same-clients = |MAX_SAME|
+
+# TCP and UDP port number
+tcp-port = |PORT|
+|UDP|udp-port = |PORT|
+
+# Keepalive in seconds
+keepalive = 32400
+
+# Dead peer detection in seconds.
+dpd = |DPD|
+
+# Dead peer detection for mobile clients. The needs to
+# be much higher to prevent such clients being awaken too
+# often by the DPD messages, and save battery.
+# (clients that send the X-AnyConnect-Identifier-DeviceType)
+#mobile-dpd = 1800
+
+# MTU discovery (DPD must be enabled)
+try-mtu-discovery = false
+
+# The key and the certificates of the server
+# The key may be a file, or any URL supported by GnuTLS (e.g.,
+# tpmkey:uuid=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx;storage=user
+# or pkcs11:object=my-vpn-key;object-type=private)
+#
+# There may be multiple certificate and key pairs and each key
+# should correspond to the preceding certificate.
+server-cert = /etc/ocserv/server-cert.pem
+server-key = /etc/ocserv/server-key.pem
+
+# Diffie-Hellman parameters. Only needed if you require support
+# for the DHE ciphersuites (by default this server supports ECDHE).
+# Can be generated using:
+# certtool --generate-dh-params --outfile /path/to/dh.pem
+#dh-params = /path/to/dh.pem
+
+# If you have a certificate from a CA that provides an OCSP
+# service you may provide a fresh OCSP status response within
+# the TLS handshake. That will prevent the client from connecting
+# independently on the OCSP server.
+# You can update this response periodically using:
+# ocsptool --ask --load-cert=your_cert --load-issuer=your_ca --outfile response
+# Make sure that you replace the following file in an atomic way.
+#ocsp-response = /path/to/ocsp.der
+
+# In case PKCS #11 or TPM keys are used the PINs should be available
+# in files. The srk-pin-file is applicable to TPM keys only, and is the
+# storage root key.
+#pin-file = /path/to/pin.txt
+#srk-pin-file = /path/to/srkpin.txt
+
+# The Certificate Authority that will be used to verify
+# client certificates (public keys) if certificate authentication
+# is set.
+#ca-cert = /etc/ocserv/ca.pem
+
+# The object identifier that will be used to read the user ID in the client
+# certificate. The object identifier should be part of the certificate's DN
+# Useful OIDs are:
+# CN = 2.5.4.3, UID = 0.9.2342.19200300.100.1.1
+#cert-user-oid = 0.9.2342.19200300.100.1.1
+
+# The object identifier that will be used to read the user group in the
+# client certificate. The object identifier should be part of the certificate's
+# DN. Useful OIDs are:
+# OU (organizational unit) = 2.5.4.11
+#cert-group-oid = 2.5.4.11
+
+# The revocation list of the certificates issued by the 'ca-cert' above.
+#crl = /etc/ocserv/crl.pem
+
+# GnuTLS priority string
+tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT"
+
+# To enforce perfect forward secrecy (PFS) on the main channel.
+#tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA"
+
+# The time (in seconds) that a client is allowed to stay connected prior
+# to authentication
+auth-timeout = 40
+
+# The time (in seconds) that a client is allowed to stay idle (no traffic)
+# before being disconnected. Unset to disable.
+#idle-timeout = 1200
+
+# The time (in seconds) that a mobile client is allowed to stay idle (no
+# traffic) before being disconnected. Unset to disable.
+#mobile-idle-timeout = 2400
+
+# The time (in seconds) that a client is not allowed to reconnect after
+# a failed authentication attempt.
+#min-reauth-time = 2
+
+# Cookie timeout (in seconds)
+# which he can reconnect. That cookie will be invalided if not
+# used within this timeout value. On a user disconnection, that
+# cookie will also be active for this time amount prior to be
+# invalid. That should allow a reasonable amount of time for roaming
+# between different networks.
+cookie-timeout = 300
+
+# Whether roaming is allowed, i.e., if true a cookie is
+# restricted to a single IP address and cannot be re-used
+# from a different IP.
+deny-roaming = false
+
+# ReKey time (in seconds)
+# ocserv will ask the client to refresh keys periodically once
+# this amount of seconds is elapsed. Set to zero to disable.
+rekey-time = 172800
+
+# ReKey method
+# Valid options: ssl, new-tunnel
+# ssl: Will perform an efficient rehandshake on the channel allowing
+# a seamless connection during rekey.
+# new-tunnel: Will instruct the client to discard and re-establish the channel.
+# Use this option only if the connecting clients have issues with the ssl
+# option.
+rekey-method = ssl
+
+# Script to call when a client connects and obtains an IP
+# Parameters are passed on the environment.
+# REASON, USERNAME, GROUPNAME, HOSTNAME (the hostname selected by client),
+# DEVICE, IP_REAL (the real IP of the client), IP_LOCAL (the local IP
+# in the P-t-P connection), IP_REMOTE (the VPN IP of the client),
+# ID (a unique numeric ID); REASON may be "connect" or "disconnect".
+connect-script = /usr/bin/ocserv-script
+disconnect-script = /usr/bin/ocserv-script
+
+# UTMP
+use-utmp = false
+
+# Whether to enable support for the occtl tool (i.e., either through D-BUS,
+# or via a unix socket).
+use-occtl = true
+
+# socket file used for IPC with occtl. You only need to set that,
+# if you use more than a single servers.
+occtl-socket-file = /var/run/occtl.socket
+
+# PID file. It can be overriden in the command line.
+pid-file = /var/run/ocserv.pid
+
+# The default server directory. Does not require any devices present.
+chroot-dir = /var/lib/ocserv
+
+# socket file used for IPC, will be appended with .PID
+# It must be accessible within the chroot environment (if any)
+#socket-file = /var/run/ocserv-socket
+socket-file = ocserv-socket
+
+# The user the worker processes will be run as. It should be
+# unique (no other services run as this user).
+run-as-user = ocserv
+run-as-group = ocserv
+
+# Set the protocol-defined priority (SO_PRIORITY) for packets to
+# be sent. That is a number from 0 to 6 with 0 being the lowest
+# priority. Alternatively this can be used to set the IP Type-
+# Of-Service, by setting it to a hexadecimal number (e.g., 0x20).
+# This can be set per user/group or globally.
+#net-priority = 3
+
+# Set the VPN worker process into a specific cgroup. This is Linux
+# specific and can be set per user/group or globally.
+#cgroup = "cpuset,cpu:test"
+
+#
+# Network settings
+#
+
+# The name of the tun device
+device = vpns
+
+# Whether the generated IPs will be predictable, i.e., IP stays the
+# same for the same user when possible.
+predictable-ips = |PREDICTABLE_IPS|
+
+# The default domain to be advertised
+default-domain = example.com
+
+# The pool of addresses that leases will be given from.
+ipv4-network = |IPV4ADDR|
+ipv4-netmask = |NETMASK|
+
+# The advertized DNS server. Use multiple lines for
+# multiple servers.
+# dns = fc00::4be0
+#dns = 192.168.1.2
+
+# The NBNS server (if any)
+#nbns = 192.168.1.3
+
+# The IPv6 subnet that leases will be given from.
+|ENABLE_IPV6|ipv6-network = |IPV6ADDR|
+|ENABLE_IPV6|ipv6-prefix = |IPV6PREFIX|
+
+# The domains over which the provided DNS should be used. Use
+# multiple lines for multiple domains.
+#split-dns = example.com
+
+# Prior to leasing any IP from the pool ping it to verify that
+# it is not in use by another (unrelated to this server) host.
+ping-leases = false
+
+# Unset to assign the default MTU of the device
+# mtu =
+
+# Unset to enable bandwidth restrictions (in bytes/sec). The
+# setting here is global, but can also be set per user or per group.
+#rx-data-per-sec = 40000
+#tx-data-per-sec = 40000
+
+# The number of packets (of MTU size) that are available in
+# the output buffer. The default is low to improve latency.
+# Setting it higher will improve throughput.
+#output-buffer = 10
+
+# Routes to be forwarded to the client. If you need the
+# client to forward routes to the server, you may use the
+# config-per-user/group or even connect and disconnect scripts.
+#
+# To set the server as the default gateway for the client just
+# comment out all routes from the server.
+#route = 192.168.1.0/255.255.255.0
+#route = 192.168.5.0/255.255.255.0
+#route = fef4:db8:1000:1001::/64
+
+# Configuration files that will be applied per user connection or
+# per group. Each file name on these directories must match the username
+# or the groupname.
+# The options allowed in the configuration files are dns, nbns,
+# ipv?-network, ipv4-netmask, ipv6-prefix, rx/tx-per-sec, iroute, route,
+# net-priority and cgroup.
+#
+# Note that the 'iroute' option allows to add routes on the server
+# based on a user or group. The syntax depends on the input accepted
+# by the commands route-add-cmd and route-del-cmd (see below).
+
+#config-per-user = /etc/ocserv/config-per-user/
+#config-per-group = /etc/ocserv/config-per-group/
+
+# When config-per-xxx is specified and there is no group or user that
+# matches, then utilize the following configuration.
+
+#default-user-config = /etc/ocserv/defaults/user.conf
+#default-group-config = /etc/ocserv/defaults/group.conf
+
+# Groups that a client is allowed to select from.
+# A client may belong in multiple groups, and in certain use-cases
+# it is needed to switch between them. For these cases the client can
+# select prior to authentication. Add multiple entries for multiple groups.
+#select-group = group1
+#select-group = group2[My group 2]
+#select-group = tost[The tost group]
+
+# The name of the group that if selected it would allow to use
+# the assigned by default group.
+#default-select-group = DEFAULT
+
+# Instead of specifying manually all the allowed groups, you may instruct
+# ocserv to scan all available groups and include the full list. That
+# option is only functional on plain authentication.
+#auto-select-group = true
+
+# The system command to use to setup a route. %{R} will be replaced with the
+# route/mask and %{D} with the (tun) device.
+#
+# The following example is from linux systems. %{R} should be something
+# like 192.168.2.0/24
+
+#route-add-cmd = "ip route add %{R} dev %{D}"
+#route-del-cmd = "ip route delete %{R} dev %{D}"
+
+# This option allows to forward a proxy. The special strings '%{U}'
+# and '%{G}', if present will be replaced by the username and group name.
+#proxy-url = http://example.com/
+#proxy-url = http://example.com/%{U}/%{G}/hello
+
+#
+# The following options are for (experimental) AnyConnect client
+# compatibility.
+
+# Client profile xml. A sample file exists in doc/profile.xml.
+# This file must be accessible from inside the worker's chroot.
+# It is not used by the openconnect client.
+#user-profile = profile.xml
+
+# Binary files that may be downloaded by the CISCO client. Must
+# be within any chroot environment.
+#binary-files = /path/to/binaries
+
+# Unless set to false it is required for clients to present their
+# certificate even if they are authenticating via a previously granted
+# cookie and complete their authentication in the same TCP connection.
+# Legacy CISCO clients do not do that, and thus this option should be
+# set for them.
+cisco-client-compat = |CISCO_COMPAT|
+
+#Advanced options
+
+# Option to allow sending arbitrary custom headers to the client after
+# authentication and prior to VPN tunnel establishment.
+#custom-header = "X-My-Header: hi there"
diff --git a/net/ocserv/files/ocserv.init b/net/ocserv/files/ocserv.init
new file mode 100644
index 0000000000..57b26d14d6
--- /dev/null
+++ b/net/ocserv/files/ocserv.init
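Review bot: The comment block above `cookie-timeout = 300` starts mid-sentence: `# Cookie timeout (in seconds)` is followed directly by `# which he can reconnect.`, so the line that explains an authenticated client is handed a cookie is missing and the paragraph cannot be read as written. Insert a line such as `# Once a client is authenticated it is given a cookie with` between the two. Separately, `default-domain = example.com` and the `banner` are hard-coded while every other site-specific value in this file is a `|PLACEHOLDER|` filled from UCI, so each deployment advertises example.com as its search domain; a `|DEFAULT_DOMAIN|` placeholder substituted in setup_config would be consistent with the rest of the template.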
@@ -0,0 +1,187 @@
+#!/bin/sh /etc/rc.common
+
+SERVICE_USE_PID=1
+
+START=50
+
+setup_firewall() {
+ local port fw
+ config_get port $1 port
+ test -z "$port" && return
+
+ config_get fwport $1 "fwport"
+ test "$fwport" = "$port" && return
+
+ #can we remove the old rule?
+ uci add firewall rule
+ uci set firewall.@rule[-1].src=wan
+ uci set firewall.@rule[-1].target=ACCEPT
+ uci set firewall.@rule[-1].proto=tcpudp
+ uci set firewall.@rule[-1].dest_port=$port
+ uci commit firewall
+ /etc/init.d/firewall restart
+
+ uci set ocserv.config.fwport="$port"
+ uci commit ocserv
+}
+
+clear_firewall() {
+ iptables-save | grep -v ocserv-rule | iptables-restore
+}
+
+setup_config() {
+ config_get port $1 port "4443"
+ config_get max_clients $1 max_clients "8"
+ config_get max_same $1 max_same "2"
+ config_get dpd $1 dpd "120"
+ config_get predictable_ips $1 predictable_ips "1"
+ config_get udp $1 udp "1"
+ config_get auth $1 auth "plain"
+ config_get cisco_compat $1 cisco_compat "1"
+ config_get ipaddr $1 ipaddr "192.168.100.0"
+ config_get netmask $1 netmask "255.255.255.0"
+ config_get ip6addr $1 ip6addr ""
+
+ test $predictable_ips = "0" && predictable_ips="false"
+ test $predictable_ips = "1" && predictable_ips="true"
+ test $cisco_compat = "0" && cisco_compat="false"
+ test $cisco_compat = "1" && cisco_compat="true"
+ test $udp = "0" && udp="#"
+ test $udp = "1" && udp=""
+ test -z $ip6addr && enable_ipv6="#"
+
+ ipv6_addr=`echo $ip6addr|cut -d '/' -f 1`
+ ipv6_prefix=`echo $ip6addr|cut -d '/' -f 2`
+
+ test $auth = "plain" && authsuffix="[/var/etc/ocpasswd]"
+
+ mkdir -p /var/etc
+ sed -e "s/|PORT|/$port/g" \
+ -e "s/|MAX_CLIENTS|/$max_clients/g" \
+ -e "s/|MAX_SAME|/$max_same/g" \
+ -e "s/|DPD|/$dpd/g" \
+ -e "s/|AUTH|/$auth$authsuffix/g" \
+ -e "s/|PREDICTABLE_IPS|/$predictable_ips/g" \
+ -e "s/|CISCO_COMPAT|/$cisco_compat/g" \
+ -e "s/|UDP|/$udp/g" \
+ -e "s/|IPV4ADDR|/$ipaddr/g" \
+ -e "s/|NETMASK|/$netmask/g" \
+ -e "s/|IPV6ADDR|/$ipv6_addr/g" \
+ -e "s/|IPV6PREFIX|/$ipv6_prefix/g" \
+ -e "s/|ENABLE_IPV6|/$enable_ipv6/g" \
+ /etc/ocserv/ocserv.conf.template > /var/etc/ocserv.conf
+}
+
+setup_users() {
+ local name
+ local password
+
+ config_get name $1 name
+ config_get password $1 password
+
+ [ -z "$name" -o -z "$password" ] && return
+
+ echo "$password"|ocpasswd -c /var/etc/ocpasswd "$name"
+}
+
+setup_routes() {
+ local routes
+
+ config_get ip $1 ip
+ config_get netmask $1 netmask
+
+ [ -z "$ip" -o -z "$netmask" ] && return
+
+ echo "route = $ip/$netmask" >> /var/etc/ocserv.conf
+}
+
+setup_dns() {
+ local routes
+
+ config_get ip $1 ip
+
+ [ -z "$ip" ] && return
+
+ echo "dns = $ip" >> /var/etc/ocserv.conf
+}
+
+start() {
+ local hostname iface
+
+ user_exists ocserv 72 || user_add ocserv 72 72 /var/lib/ocserv
+ group_exists ocserv 72 || group_add ocserv 72
+
+ hostname=`uci get ddns.myddns.domain`
+ [ -z "$hostname" ] && hostname=`uci get system.@system[0].hostname`
+
+ [ ! -f /etc/ocserv/ca-key.pem ] && [ -x /usr/bin/certtool ] && {
+ echo "Generating CA certificate..."
+ mkdir -p /etc/ocserv/pki/
+ certtool --bits 2048 --generate-privkey --outfile /etc/ocserv/ca-key.pem >/dev/null 2>&1
+ echo "cn=$hostname CA" >/etc/ocserv/pki/ca.tmpl
+ echo "expiration_days=-1" >>/etc/ocserv/pki/ca.tmpl
+ echo "serial=1" >>/etc/ocserv/pki/ca.tmpl
+ echo "ca" >>/etc/ocserv/pki/ca.tmpl
+ echo "cert_signing_key" >>/etc/ocserv/pki/ca.tmpl
+
+ certtool --template /etc/ocserv/pki/ca.tmpl \
+ --generate-self-signed --load-privkey /etc/ocserv/ca-key.pem \
+ --outfile /etc/ocserv/ca.pem >/dev/null 2>&1
+ }
+
+ #generate server certificate/key
+ [ ! -f /etc/ocserv/server-key.pem ] && [ -x /usr/bin/certtool ] && {
+ echo "Generating server certificate..."
+ mkdir -p /etc/ocserv/pki/
+ certtool --bits 2048 --generate-privkey --outfile /etc/ocserv/server-key.pem >/dev/null 2>&1
+ echo "cn=$hostname" >/etc/ocserv/pki/server.tmpl
+ echo "serial=2" >>/etc/ocserv/pki/server.tmpl
+ echo "expiration_days=-1" >>/etc/ocserv/pki/server.tmpl
+ echo "signing_key" >>/etc/ocserv/pki/server.tmpl
+ echo "encryption_key" >>/etc/ocserv/pki/server.tmpl
+ certtool --template /etc/ocserv/pki/server.tmpl \
+ --generate-certificate --load-privkey /etc/ocserv/server-key.pem \
+ --load-ca-certificate /etc/ocserv/ca.pem --load-ca-privkey \
+ /etc/ocserv/ca-key.pem --outfile /etc/ocserv/server-cert.pem >/dev/null 2>&1
+ }
+
+ [ -f /var/run/ocserv.pid ] || {
+ touch /var/run/ocserv.pid
+ chown ocserv:ocserv /var/run/ocserv.pid
+ }
+ [ -d /var/lib/ocserv ] || {
+ mkdir -m 0755 -p /var/lib/ocserv
+ chmod 0700 /var/lib/ocserv
+ chown ocserv:ocserv /var/lib/ocserv
+ }
+
+ config_load "ocserv"
+
+ rm -f /var/etc/ocserv.conf
+ touch /var/etc/ocserv.conf
+ setup_config config
+ config_foreach setup_routes routes
+ config_foreach setup_dns dns
+
+ rm -f /var/etc/ocpasswd
+ touch /var/etc/ocpasswd
+ config_foreach setup_users ocservusers
+
+ setup_firewall config
+
+ service_start /usr/sbin/ocserv -c /var/etc/ocserv.conf
+}
+
+stop() {
+ service_stop /usr/sbin/ocserv
+ clear_firewall
+}
+
+reload() {
+ /usr/bin/occtl show status >/dev/null 2>&1
+ if test $? != 0;then
+ start
+ else
+ /usr/bin/occtl reload
+ fi
+}
diff --git a/net/ocserv/patches/0001-native-endianess.patch b/net/ocserv/patches/0001-native-endianess.patch
new file mode 100644
index 0000000000..0afd8a3eab
--- /dev/null
+++ b/net/ocserv/patches/0001-native-endianess.patch
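Review bot: The substitution `-e "s/|AUTH|/$auth$authsuffix/g"` in setup_config fails with the shipped default auth=plain, because authsuffix expands to `[/var/etc/ocpasswd]` and the slashes inside it end the sed `s` command early; sed rejects the whole script and /var/etc/ocserv.conf is left empty, so the service cannot start from the defaults. Use a delimiter that cannot appear in the value, e.g. `-e "s#|AUTH|#$auth$authsuffix#g" \`. In setup_firewall the rule created with `uci add firewall rule` is never given a name, while clear_firewall filters iptables-save on `ocserv-rule`, so stop() never removes the wan ACCEPT rule and every port change leaves the previous port reachable; add `uci set firewall.@rule[-1].name=ocserv-rule` and, on stop, delete that named section and restart the firewall rather than re-importing a filtered dump, which would also drop unrelated rules that happen to contain the string. /var/lib/ocserv is both the chroot-dir from the template and owned 0700 by the unprivileged ocserv user; a chroot root writable by the confined user weakens the confinement, so it is better kept root-owned with only the subdirectories the worker needs handed to that user — confirm against the ocserv documentation for this version. The ocpasswd file is created with `touch` under the default umask before the hashes are written; a `chmod 600 /var/etc/ocpasswd` right after the touch keeps it from other local users.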
@@ -0,0 +1,70 @@
+diff --git a/src/main-ctl-unix.c b/src/main-ctl-unix.c
+index b4da5eb..90d604f 100644
+--- a/src/main-ctl-unix.c
++++ b/src/main-ctl-unix.c
+@@ -629,7 +629,7 @@ static void ctl_handle_commands(main_server_st * s)
+ }
+ goto cleanup;
+ }
+- length = (buffer[2] << 8) | buffer[1];
++ memcpy(&length, &buffer[1], 2);
+ buffer_size = ret - 3;
+
+ if (length != buffer_size) {
+diff --git a/src/occtl-unix.c b/src/occtl-unix.c
+index 183825d..0c1b3e1 100644
+--- a/src/occtl-unix.c
++++ b/src/occtl-unix.c
+@@ -83,15 +83,14 @@ int send_cmd(struct unix_ctx *ctx, unsigned cmd, const void *data,
+ struct iovec iov[2];
+ unsigned iov_len = 1;
+ int e, ret;
+- unsigned length = 0;
++ uint16_t length = 0;
+ void *packed = NULL;
+
+ if (get_size)
+ length = get_size(data);
+
+ header[0] = cmd;
+- header[1] = length;
+- header[2] = length >> 8;
++ memcpy(&header[1], &length, 2);
+
+ iov[0].iov_base = header;
+ iov[0].iov_len = 3;
+@@ -145,7 +144,7 @@ int send_cmd(struct unix_ctx *ctx, unsigned cmd, const void *data,
+ goto fail;
+ }
+
+- length = (header[2] << 8) | header[1];
++ memcpy(&length, &header[1], 2);
+
+ rep->data_size = length;
+ rep->data = talloc_size(ctx, length);
+diff --git a/src/sec-mod.c b/src/sec-mod.c
+index 15ee32a..c3d4bad 100644
+--- a/src/sec-mod.c
++++ b/src/sec-mod.c
+@@ -354,6 +354,7 @@ void sec_mod_server(void *main_pool, struct cfg_st *config, const char *socket_f
+ unsigned cmd, length;
+ unsigned i, buffer_size;
+ uint8_t *buffer, *tpool;
++ uint16_t l16;
+ struct pin_st pins;
+ int sd;
+ sec_mod_st *sec;
+@@ -538,10 +539,11 @@ void sec_mod_server(void *main_pool, struct cfg_st *config, const char *socket_f
+ }
+
+ cmd = buffer[0];
+- length = buffer[1] | buffer[2] << 8;
++ memcpy(&l16, &buffer[1], 2);
++ length = l16;
+
+ if (length > buffer_size - 4) {
+- seclog(LOG_INFO, "too big message");
++ seclog(LOG_INFO, "too big message (%d)", length);
+ goto cont;
+ }
+
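Review bot: In the main-ctl-unix.c hunk, `memcpy(&length, &buffer[1], 2);` writes two bytes into `length`, whose declaration lies outside the hunk; in the sec-mod.c hunk the same variable is `unsigned` and the patch introduces `uint16_t l16` exactly so that a two-byte copy does not leave the upper bytes of a wider value holding whatever they held before. If `length` in ctl_handle_commands is also wider than 16 bits, the `length != buffer_size` framing check on the next line compares against stale high bytes rather than the length actually sent; use the same `uint16_t l16; memcpy(&l16, &buffer[1], 2); length = l16;` sequence there. The added `seclog(LOG_INFO, "too big message (%d)", length);` passes an `unsigned` to `%d`; `%u` matches the declared type. All three enclosing functions start and end outside the hunks, and the switch to host byte order in the framing is acceptable only because sender and receiver are local processes on the same machine, which is worth stating in the patch header.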