ocserv: updated to 0.10.2

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
2024-06-20 07:38:40 +02:00 · 2015-04-08 20:50:37 +02:00 · 2015-04-08 20:50:37 +02:00 · bdd3409115
commit bdd3409115
parent f64a24267c
5 changed files with 165 additions and 6 deletions
--- a/net/ocserv/Makefile
+++ b/net/ocserv/Makefile
@ -8,13 +8,13 @@
 include $(TOPDIR)/rules.mk

 PKG_NAME:=ocserv
-PKG_VERSION:=0.9.2
-PKG_RELEASE:=2
+PKG_VERSION:=0.10.2
+PKG_RELEASE:=1

 PKG_BUILD_DIR :=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION)
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
-PKG_SOURCE_URL :=ftp://ftp.infradead.org/pub/ocserv/
-PKG_MD5SUM:=9697c37cc81b30be2b178258ee595d97
+PKG_SOURCE_URL:=ftp://ftp.infradead.org/pub/ocserv/
+PKG_MD5SUM:=32ce2c2a00a97ab7c27e571aae207b2d

 PKG_LICENSE:=GPLv2
 PKG_LICENSE_FILES:=COPYING
--- a/net/ocserv/files/ocserv.conf.template
+++ b/net/ocserv/files/ocserv.conf.template
@ -35,7 +35,7 @@ max-clients = |MAX_CLIENTS|

 # Limit the number of client connections to one every X milliseconds 
 # (X is the provided value). Set to zero for no limit.
-#rate-limit-ms = 100
+rate-limit-ms = 100

 # Limit the number of identical clients (i.e., users connecting 
 # multiple times). Unset or set to zero for unlimited.
@ -142,6 +142,27 @@ auth-timeout = 40
 # a failed authentication attempt.
 min-reauth-time = 360

+# Banning clients in ocserv works with a point system. IP addresses
+# that get a score over that configured number are banned for
+# min-reauth-time seconds. By default a wrong password attempt is 10 points,
+# a KKDCP POST is 1 point, and a connection is 1 point. Note that
+# due to difference processes being involved the count of points
+# will not be real-time precise.
+#
+# Score banning cannot be reliably used when receiving proxied connections
+# locally from an HTTP server (i.e., when listen-clear-file is used).
+#
+# Set to zero to disable.
+max-ban-score = 50
+
+# The time (in seconds) that all score kept for a client is reset.
+ban-reset-time = 300
+
+# In case you'd like to change the default points.
+#ban-points-wrong-password = 10
+#ban-points-connection = 1
+#ban-points-kkdcp = 1
+
 # Cookie timeout (in seconds)
 # which he can reconnect. That cookie will be invalided if not
 # used within this timeout value. On a user disconnection, that
--- a/net/ocserv/files/ocserv.init
+++ b/net/ocserv/files/ocserv.init
@ -34,7 +34,7 @@ setup_config() {
 	ipv6_addr=`echo $ip6addr|cut -d '/' -f 1`
 	ipv6_prefix=`echo $ip6addr|cut -d '/' -f 2`

-	test $auth = "plain" && authsuffix="\[/var/etc/ocpasswd\]"
+	test $auth = "plain" && authsuffix="\[passwd=/var/etc/ocpasswd\]"

 	dyndns="false"
 	hostname=`uci show ddns|grep domain|head -1|cut -d '=' -f 2 2>/dev/null`
--- a/net/ocserv/patches/001-sec-mod-do-not-impose-timeouts-on-reads-from-main.patch
+++ b/net/ocserv/patches/001-sec-mod-do-not-impose-timeouts-on-reads-from-main.patch
@ -0,0 +1,104 @@
+From 0967f05f8d7665a67f3cb0fbed46c48dc7ec74cb Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <nmav@redhat.com>
+Date: Tue, 31 Mar 2015 10:13:08 +0200
+Subject: [PATCH] sec-mod: do not impose timeouts on reads from main
+
+---
+ src/sec-mod.c | 60 ++++++++++++++++++++++++++++++++++++++++++++++++++++-------
+ 1 file changed, 53 insertions(+), 7 deletions(-)
+
+diff --git a/src/sec-mod.c b/src/sec-mod.c
+index b824e87..5a0763d 100644
+--- a/src/sec-mod.c
+++ b/src/sec-mod.c
+@@ -404,7 +404,56 @@ static void check_other_work(sec_mod_st *sec)
+ }
+ 
+ static
+-int serve_request(sec_mod_st *sec, int cfd, unsigned is_main, uint8_t *buffer, unsigned buffer_size)
+int serve_request_main(sec_mod_st *sec, int cfd, uint8_t *buffer, unsigned buffer_size)
+{
+	int ret, e;
+	unsigned cmd, length;
+	uint16_t l16;
+	void *pool = buffer;
+
+	/* read request */
+	ret = force_read(cfd, buffer, 3);
+	if (ret == 0)
+		goto leave;
+	else if (ret < 3) {
+		e = errno;
+		seclog(sec, LOG_INFO, "error receiving msg head: %s",
+		       strerror(e));
+		ret = ERR_BAD_COMMAND;
+		goto leave;
+	}
+
+	cmd = buffer[0];
+	memcpy(&l16, &buffer[1], 2);
+	length = l16;
+
+	if (length > buffer_size - 4) {
+		seclog(sec, LOG_INFO, "too big message (%d)", length);
+		ret = ERR_BAD_COMMAND;
+		goto leave;
+	}
+
+	/* read the body */
+	ret = force_read(cfd, buffer, length);
+	if (ret < 0) {
+		e = errno;
+		seclog(sec, LOG_INFO, "error receiving msg body: %s",
+		       strerror(e));
+		ret = ERR_BAD_COMMAND;
+		goto leave;
+	}
+
+	ret = process_packet_from_main(pool, cfd, sec, cmd, buffer, ret);
+	if (ret < 0) {
+		seclog(sec, LOG_INFO, "error processing data for '%s' command (%d)", cmd_request_to_str(cmd), ret);
+	}
+	
+ leave:
+	return ret;
+}
+
+static
+int serve_request(sec_mod_st *sec, int cfd, uint8_t *buffer, unsigned buffer_size)
+ {
+ 	int ret, e;
+ 	unsigned cmd, length;
+@@ -443,10 +492,7 @@ int serve_request(sec_mod_st *sec, int cfd, unsigned is_main, uint8_t *buffer, u
+ 		goto leave;
+ 	}
+ 
+-	if (is_main)
+-		ret = process_packet_from_main(pool, cfd, sec, cmd, buffer, ret);
+-	else
+-		ret = process_packet(pool, cfd, sec, cmd, buffer, ret);
+	ret = process_packet(pool, cfd, sec, cmd, buffer, ret);
+ 	if (ret < 0) {
+ 		seclog(sec, LOG_INFO, "error processing data for '%s' command (%d)", cmd_request_to_str(cmd), ret);
+ 	}
+@@ -677,7 +723,7 @@ void sec_mod_server(void *main_pool, struct perm_cfg_st *perm_config, const char
+ 			if (buffer == NULL) {
+ 				seclog(sec, LOG_ERR, "error in memory allocation");
+ 			} else {
+-				ret = serve_request(sec, cmd_fd, 1, buffer, buffer_size);
+				ret = serve_request_main(sec, cmd_fd, buffer, buffer_size);
+ 				if (ret < 0 && ret == ERR_BAD_COMMAND) {
+ 					seclog(sec, LOG_ERR, "error processing command from main");
+ 					exit(1);
+@@ -710,7 +756,7 @@ void sec_mod_server(void *main_pool, struct perm_cfg_st *perm_config, const char
+ 				if (buffer == NULL) {
+ 					seclog(sec, LOG_ERR, "error in memory allocation");
+ 				} else {
+-					serve_request(sec, cfd, 0, buffer, buffer_size);
+					serve_request(sec, cfd, buffer, buffer_size);
+ 					talloc_free(buffer);
+ 				}
+ 			}
+-- 
+2.1.4
+
--- a/net/ocserv/patches/002-reject-bad-commands-from-main.patch
+++ b/net/ocserv/patches/002-reject-bad-commands-from-main.patch
@ -0,0 +1,34 @@
+From 99dd4a6e03b669a5b5fe234fa665b75bbd95c593 Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <nmav@redhat.com>
+Date: Tue, 7 Apr 2015 17:13:29 +0200
+Subject: [PATCH] reject bad commands from main
+
+---
+ src/sec-mod.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/sec-mod.c b/src/sec-mod.c
+index 5a0763d..7783264 100644
+--- a/src/sec-mod.c
+++ b/src/sec-mod.c
+@@ -325,7 +325,7 @@ int process_packet_from_main(void *pool, int cfd, sec_mod_st * sec, cmd_request_
+ 					     data.data);
+ 		if (msg == NULL) {
+ 			seclog(sec, LOG_INFO, "error unpacking auth ban ip reply\n");
+-			return -1;
+			return ERR_BAD_COMMAND;
+ 		}
+ 
+ 		handle_sec_auth_ban_ip_reply(cfd, sec, msg);
+@@ -342,7 +342,7 @@ int process_packet_from_main(void *pool, int cfd, sec_mod_st * sec, cmd_request_
+ 						      data.data);
+ 			if (msg == NULL) {
+ 				seclog(sec, LOG_INFO, "error unpacking session close\n");
+-				return -1;
+				return ERR_BAD_COMMAND;
+ 			}
+ 
+ 			ret = handle_sec_auth_session_cmd(cfd, sec, msg, cmd);
+-- 
+2.1.4
+