mirror of
https://git.openwrt.org/feed/packages.git
synced 2024-06-20 07:38:40 +02:00
ocserv: updated to 0.10.2
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
This commit is contained in:
parent
f64a24267c
commit
bdd3409115
|
@ -8,13 +8,13 @@
|
|||
include $(TOPDIR)/rules.mk
|
||||
|
||||
PKG_NAME:=ocserv
|
||||
PKG_VERSION:=0.9.2
|
||||
PKG_RELEASE:=2
|
||||
PKG_VERSION:=0.10.2
|
||||
PKG_RELEASE:=1
|
||||
|
||||
PKG_BUILD_DIR :=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION)
|
||||
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
|
||||
PKG_SOURCE_URL :=ftp://ftp.infradead.org/pub/ocserv/
|
||||
PKG_MD5SUM:=9697c37cc81b30be2b178258ee595d97
|
||||
PKG_SOURCE_URL:=ftp://ftp.infradead.org/pub/ocserv/
|
||||
PKG_MD5SUM:=32ce2c2a00a97ab7c27e571aae207b2d
|
||||
|
||||
PKG_LICENSE:=GPLv2
|
||||
PKG_LICENSE_FILES:=COPYING
|
||||
|
|
|
@ -35,7 +35,7 @@ max-clients = |MAX_CLIENTS|
|
|||
|
||||
# Limit the number of client connections to one every X milliseconds
|
||||
# (X is the provided value). Set to zero for no limit.
|
||||
#rate-limit-ms = 100
|
||||
rate-limit-ms = 100
|
||||
|
||||
# Limit the number of identical clients (i.e., users connecting
|
||||
# multiple times). Unset or set to zero for unlimited.
|
||||
|
@ -142,6 +142,27 @@ auth-timeout = 40
|
|||
# a failed authentication attempt.
|
||||
min-reauth-time = 360
|
||||
|
||||
# Banning clients in ocserv works with a point system. IP addresses
|
||||
# that get a score over that configured number are banned for
|
||||
# min-reauth-time seconds. By default a wrong password attempt is 10 points,
|
||||
# a KKDCP POST is 1 point, and a connection is 1 point. Note that
|
||||
# due to difference processes being involved the count of points
|
||||
# will not be real-time precise.
|
||||
#
|
||||
# Score banning cannot be reliably used when receiving proxied connections
|
||||
# locally from an HTTP server (i.e., when listen-clear-file is used).
|
||||
#
|
||||
# Set to zero to disable.
|
||||
max-ban-score = 50
|
||||
|
||||
# The time (in seconds) that all score kept for a client is reset.
|
||||
ban-reset-time = 300
|
||||
|
||||
# In case you'd like to change the default points.
|
||||
#ban-points-wrong-password = 10
|
||||
#ban-points-connection = 1
|
||||
#ban-points-kkdcp = 1
|
||||
|
||||
# Cookie timeout (in seconds)
|
||||
# which he can reconnect. That cookie will be invalided if not
|
||||
# used within this timeout value. On a user disconnection, that
|
||||
|
|
|
@ -34,7 +34,7 @@ setup_config() {
|
|||
ipv6_addr=`echo $ip6addr|cut -d '/' -f 1`
|
||||
ipv6_prefix=`echo $ip6addr|cut -d '/' -f 2`
|
||||
|
||||
test $auth = "plain" && authsuffix="\[/var/etc/ocpasswd\]"
|
||||
test $auth = "plain" && authsuffix="\[passwd=/var/etc/ocpasswd\]"
|
||||
|
||||
dyndns="false"
|
||||
hostname=`uci show ddns|grep domain|head -1|cut -d '=' -f 2 2>/dev/null`
|
||||
|
|
|
@ -0,0 +1,104 @@
|
|||
From 0967f05f8d7665a67f3cb0fbed46c48dc7ec74cb Mon Sep 17 00:00:00 2001
|
||||
From: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
||||
Date: Tue, 31 Mar 2015 10:13:08 +0200
|
||||
Subject: [PATCH] sec-mod: do not impose timeouts on reads from main
|
||||
|
||||
---
|
||||
src/sec-mod.c | 60 ++++++++++++++++++++++++++++++++++++++++++++++++++++-------
|
||||
1 file changed, 53 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/src/sec-mod.c b/src/sec-mod.c
|
||||
index b824e87..5a0763d 100644
|
||||
--- a/src/sec-mod.c
|
||||
+++ b/src/sec-mod.c
|
||||
@@ -404,7 +404,56 @@ static void check_other_work(sec_mod_st *sec)
|
||||
}
|
||||
|
||||
static
|
||||
-int serve_request(sec_mod_st *sec, int cfd, unsigned is_main, uint8_t *buffer, unsigned buffer_size)
|
||||
+int serve_request_main(sec_mod_st *sec, int cfd, uint8_t *buffer, unsigned buffer_size)
|
||||
+{
|
||||
+ int ret, e;
|
||||
+ unsigned cmd, length;
|
||||
+ uint16_t l16;
|
||||
+ void *pool = buffer;
|
||||
+
|
||||
+ /* read request */
|
||||
+ ret = force_read(cfd, buffer, 3);
|
||||
+ if (ret == 0)
|
||||
+ goto leave;
|
||||
+ else if (ret < 3) {
|
||||
+ e = errno;
|
||||
+ seclog(sec, LOG_INFO, "error receiving msg head: %s",
|
||||
+ strerror(e));
|
||||
+ ret = ERR_BAD_COMMAND;
|
||||
+ goto leave;
|
||||
+ }
|
||||
+
|
||||
+ cmd = buffer[0];
|
||||
+ memcpy(&l16, &buffer[1], 2);
|
||||
+ length = l16;
|
||||
+
|
||||
+ if (length > buffer_size - 4) {
|
||||
+ seclog(sec, LOG_INFO, "too big message (%d)", length);
|
||||
+ ret = ERR_BAD_COMMAND;
|
||||
+ goto leave;
|
||||
+ }
|
||||
+
|
||||
+ /* read the body */
|
||||
+ ret = force_read(cfd, buffer, length);
|
||||
+ if (ret < 0) {
|
||||
+ e = errno;
|
||||
+ seclog(sec, LOG_INFO, "error receiving msg body: %s",
|
||||
+ strerror(e));
|
||||
+ ret = ERR_BAD_COMMAND;
|
||||
+ goto leave;
|
||||
+ }
|
||||
+
|
||||
+ ret = process_packet_from_main(pool, cfd, sec, cmd, buffer, ret);
|
||||
+ if (ret < 0) {
|
||||
+ seclog(sec, LOG_INFO, "error processing data for '%s' command (%d)", cmd_request_to_str(cmd), ret);
|
||||
+ }
|
||||
+
|
||||
+ leave:
|
||||
+ return ret;
|
||||
+}
|
||||
+
|
||||
+static
|
||||
+int serve_request(sec_mod_st *sec, int cfd, uint8_t *buffer, unsigned buffer_size)
|
||||
{
|
||||
int ret, e;
|
||||
unsigned cmd, length;
|
||||
@@ -443,10 +492,7 @@ int serve_request(sec_mod_st *sec, int cfd, unsigned is_main, uint8_t *buffer, u
|
||||
goto leave;
|
||||
}
|
||||
|
||||
- if (is_main)
|
||||
- ret = process_packet_from_main(pool, cfd, sec, cmd, buffer, ret);
|
||||
- else
|
||||
- ret = process_packet(pool, cfd, sec, cmd, buffer, ret);
|
||||
+ ret = process_packet(pool, cfd, sec, cmd, buffer, ret);
|
||||
if (ret < 0) {
|
||||
seclog(sec, LOG_INFO, "error processing data for '%s' command (%d)", cmd_request_to_str(cmd), ret);
|
||||
}
|
||||
@@ -677,7 +723,7 @@ void sec_mod_server(void *main_pool, struct perm_cfg_st *perm_config, const char
|
||||
if (buffer == NULL) {
|
||||
seclog(sec, LOG_ERR, "error in memory allocation");
|
||||
} else {
|
||||
- ret = serve_request(sec, cmd_fd, 1, buffer, buffer_size);
|
||||
+ ret = serve_request_main(sec, cmd_fd, buffer, buffer_size);
|
||||
if (ret < 0 && ret == ERR_BAD_COMMAND) {
|
||||
seclog(sec, LOG_ERR, "error processing command from main");
|
||||
exit(1);
|
||||
@@ -710,7 +756,7 @@ void sec_mod_server(void *main_pool, struct perm_cfg_st *perm_config, const char
|
||||
if (buffer == NULL) {
|
||||
seclog(sec, LOG_ERR, "error in memory allocation");
|
||||
} else {
|
||||
- serve_request(sec, cfd, 0, buffer, buffer_size);
|
||||
+ serve_request(sec, cfd, buffer, buffer_size);
|
||||
talloc_free(buffer);
|
||||
}
|
||||
}
|
||||
--
|
||||
2.1.4
|
||||
|
34
net/ocserv/patches/002-reject-bad-commands-from-main.patch
Normal file
34
net/ocserv/patches/002-reject-bad-commands-from-main.patch
Normal file
|
@ -0,0 +1,34 @@
|
|||
From 99dd4a6e03b669a5b5fe234fa665b75bbd95c593 Mon Sep 17 00:00:00 2001
|
||||
From: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
||||
Date: Tue, 7 Apr 2015 17:13:29 +0200
|
||||
Subject: [PATCH] reject bad commands from main
|
||||
|
||||
---
|
||||
src/sec-mod.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/sec-mod.c b/src/sec-mod.c
|
||||
index 5a0763d..7783264 100644
|
||||
--- a/src/sec-mod.c
|
||||
+++ b/src/sec-mod.c
|
||||
@@ -325,7 +325,7 @@ int process_packet_from_main(void *pool, int cfd, sec_mod_st * sec, cmd_request_
|
||||
data.data);
|
||||
if (msg == NULL) {
|
||||
seclog(sec, LOG_INFO, "error unpacking auth ban ip reply\n");
|
||||
- return -1;
|
||||
+ return ERR_BAD_COMMAND;
|
||||
}
|
||||
|
||||
handle_sec_auth_ban_ip_reply(cfd, sec, msg);
|
||||
@@ -342,7 +342,7 @@ int process_packet_from_main(void *pool, int cfd, sec_mod_st * sec, cmd_request_
|
||||
data.data);
|
||||
if (msg == NULL) {
|
||||
seclog(sec, LOG_INFO, "error unpacking session close\n");
|
||||
- return -1;
|
||||
+ return ERR_BAD_COMMAND;
|
||||
}
|
||||
|
||||
ret = handle_sec_auth_session_cmd(cfd, sec, msg, cmd);
|
||||
--
|
||||
2.1.4
|
||||
|
Loading…
Reference in New Issue
Block a user