authorNikos Mavrogiannopoulos <nmav@gnutls.org>2015-04-08 20:50:37 +0200
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2015-04-08 20:56:40 +0200
commitbdd340911511195e0e7372caaf20df76627059ff (patch)
treeb0c5ece5e5d575cd656278cd628e7d39fb21b536 /net
parentf64a24267c7b27a80170e2d3cbeae0dc1b786e81 (diff)
ocserv: updated to 0.10.2
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Diffstat (limited to 'net')
-rw-r--r--net/ocserv/Makefile8
-rw-r--r--net/ocserv/files/ocserv.conf.template23
-rw-r--r--net/ocserv/files/ocserv.init2
-rw-r--r--net/ocserv/patches/001-sec-mod-do-not-impose-timeouts-on-reads-from-main.patch104
-rw-r--r--net/ocserv/patches/002-reject-bad-commands-from-main.patch34
5 files changed, 165 insertions, 6 deletions
diff --git a/net/ocserv/Makefile b/net/ocserv/Makefile
index b38e9b452..050fdc74d 100644
--- a/net/ocserv/Makefile
+++ b/net/ocserv/Makefile
@@ -8,13 +8,13 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=ocserv
-PKG_VERSION:=0.9.2
-PKG_RELEASE:=2
+PKG_VERSION:=0.10.2
+PKG_RELEASE:=1
PKG_BUILD_DIR :=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION)
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
-PKG_SOURCE_URL :=ftp://ftp.infradead.org/pub/ocserv/
-PKG_MD5SUM:=9697c37cc81b30be2b178258ee595d97
+PKG_SOURCE_URL:=ftp://ftp.infradead.org/pub/ocserv/
+PKG_MD5SUM:=32ce2c2a00a97ab7c27e571aae207b2d
PKG_LICENSE:=GPLv2
PKG_LICENSE_FILES:=COPYING
diff --git a/net/ocserv/files/ocserv.conf.template b/net/ocserv/files/ocserv.conf.template
index 1694fd782..b5bbec31e 100644
--- a/net/ocserv/files/ocserv.conf.template
+++ b/net/ocserv/files/ocserv.conf.template
@@ -35,7 +35,7 @@ max-clients = |MAX_CLIENTS|
# Limit the number of client connections to one every X milliseconds
# (X is the provided value). Set to zero for no limit.
-#rate-limit-ms = 100
+rate-limit-ms = 100
# Limit the number of identical clients (i.e., users connecting
# multiple times). Unset or set to zero for unlimited.
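Review bot: The now-active `rate-limit-ms = 100` is a global throttle, not a per-source one: the comment above it describes limiting all client connections to one per X milliseconds, so a single host that keeps opening connections slows connection setup for every other user of this router. That is a reasonable default for a small device, but the template should say so, since the per-address mechanism is the ban scoring further down in this file. Suggested addition under the existing comment: `# Note: this limit is global, not per source address; see max-ban-score for per-IP limiting.`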
@@ -142,6 +142,27 @@ auth-timeout = 40
# a failed authentication attempt.
min-reauth-time = 360
+# Banning clients in ocserv works with a point system. IP addresses
+# that get a score over that configured number are banned for
+# min-reauth-time seconds. By default a wrong password attempt is 10 points,
+# a KKDCP POST is 1 point, and a connection is 1 point. Note that
+# due to difference processes being involved the count of points
+# will not be real-time precise.
+#
+# Score banning cannot be reliably used when receiving proxied connections
+# locally from an HTTP server (i.e., when listen-clear-file is used).
+#
+# Set to zero to disable.
+max-ban-score = 50
+
+# The time (in seconds) that all score kept for a client is reset.
+ban-reset-time = 300
+
+# In case you'd like to change the default points.
+#ban-points-wrong-password = 10
+#ban-points-connection = 1
+#ban-points-kkdcp = 1
+
# Cookie timeout (in seconds)
# which he can reconnect. That cookie will be invalided if not
# used within this timeout value. On a user disconnection, that
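Review bot: With the defaults written here — `max-ban-score = 50`, `ban-points-connection = 1`, `ban-reset-time = 300` — fifty connections from one address within five minutes ban that address for `min-reauth-time` seconds, which on a VPN server fronting a corporate NAT or CGNAT can lock out an entire site after ordinary reconnect churn. The template should warn about this next to `max-ban-score`, e.g. `# Clients behind a shared NAT accumulate points together; raise this (or lower ban-points-connection) if many users share one address.` The added comment also has a typo: `due to difference processes` should read `due to different processes`.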
diff --git a/net/ocserv/files/ocserv.init b/net/ocserv/files/ocserv.init
index aee342d68..fe0718b3b 100644
--- a/net/ocserv/files/ocserv.init
+++ b/net/ocserv/files/ocserv.init
@@ -34,7 +34,7 @@ setup_config() {
ipv6_addr=`echo $ip6addr|cut -d '/' -f 1`
ipv6_prefix=`echo $ip6addr|cut -d '/' -f 2`
- test $auth = "plain" && authsuffix="\[/var/etc/ocpasswd\]"
+ test $auth = "plain" && authsuffix="\[passwd=/var/etc/ocpasswd\]"
dyndns="false"
hostname=`uci show ddns|grep domain|head -1|cut -d '=' -f 2 2>/dev/null`
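Review bot: The rewritten line still leaves `$auth` unquoted in `test $auth = "plain"`, so if the uci option is unset the command degenerates to `test = plain`, which is a test syntax error rather than a clean false, and `authsuffix` is left empty with no log message. Quote it: `test "$auth" = "plain" && authsuffix="\[passwd=/var/etc/ocpasswd\]"`. The enclosing `setup_config()` starts and ends outside this hunk, so I cannot see whether `auth` is given a default earlier.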
diff --git a/net/ocserv/patches/001-sec-mod-do-not-impose-timeouts-on-reads-from-main.patch b/net/ocserv/patches/001-sec-mod-do-not-impose-timeouts-on-reads-from-main.patch
new file mode 100644
index 000000000..0d3d2219d
--- /dev/null
+++ b/net/ocserv/patches/001-sec-mod-do-not-impose-timeouts-on-reads-from-main.patch
@@ -0,0 +1,104 @@
+From 0967f05f8d7665a67f3cb0fbed46c48dc7ec74cb Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <nmav@redhat.com>
+Date: Tue, 31 Mar 2015 10:13:08 +0200
+Subject: [PATCH] sec-mod: do not impose timeouts on reads from main
+
+---
+ src/sec-mod.c | 60 ++++++++++++++++++++++++++++++++++++++++++++++++++++-------
+ 1 file changed, 53 insertions(+), 7 deletions(-)
+
+diff --git a/src/sec-mod.c b/src/sec-mod.c
+index b824e87..5a0763d 100644
+--- a/src/sec-mod.c
++++ b/src/sec-mod.c
+@@ -404,7 +404,56 @@ static void check_other_work(sec_mod_st *sec)
+ }
+
+ static
+-int serve_request(sec_mod_st *sec, int cfd, unsigned is_main, uint8_t *buffer, unsigned buffer_size)
++int serve_request_main(sec_mod_st *sec, int cfd, uint8_t *buffer, unsigned buffer_size)
++{
++ int ret, e;
++ unsigned cmd, length;
++ uint16_t l16;
++ void *pool = buffer;
++
++ /* read request */
++ ret = force_read(cfd, buffer, 3);
++ if (ret == 0)
++ goto leave;
++ else if (ret < 3) {
++ e = errno;
++ seclog(sec, LOG_INFO, "error receiving msg head: %s",
++ strerror(e));
++ ret = ERR_BAD_COMMAND;
++ goto leave;
++ }
++
++ cmd = buffer[0];
++ memcpy(&l16, &buffer[1], 2);
++ length = l16;
++
++ if (length > buffer_size - 4) {
++ seclog(sec, LOG_INFO, "too big message (%d)", length);
++ ret = ERR_BAD_COMMAND;
++ goto leave;
++ }
++
++ /* read the body */
++ ret = force_read(cfd, buffer, length);
++ if (ret < 0) {
++ e = errno;
++ seclog(sec, LOG_INFO, "error receiving msg body: %s",
++ strerror(e));
++ ret = ERR_BAD_COMMAND;
++ goto leave;
++ }
++
++ ret = process_packet_from_main(pool, cfd, sec, cmd, buffer, ret);
++ if (ret < 0) {
++ seclog(sec, LOG_INFO, "error processing data for '%s' command (%d)", cmd_request_to_str(cmd), ret);
++ }
++
++ leave:
++ return ret;
++}
++
++static
++int serve_request(sec_mod_st *sec, int cfd, uint8_t *buffer, unsigned buffer_size)
+ {
+ int ret, e;
+ unsigned cmd, length;
+@@ -443,10 +492,7 @@ int serve_request(sec_mod_st *sec, int cfd, unsigned is_main, uint8_t *buffer, u
+ goto leave;
+ }
+
+- if (is_main)
+- ret = process_packet_from_main(pool, cfd, sec, cmd, buffer, ret);
+- else
+- ret = process_packet(pool, cfd, sec, cmd, buffer, ret);
++ ret = process_packet(pool, cfd, sec, cmd, buffer, ret);
+ if (ret < 0) {
+ seclog(sec, LOG_INFO, "error processing data for '%s' command (%d)", cmd_request_to_str(cmd), ret);
+ }
+@@ -677,7 +723,7 @@ void sec_mod_server(void *main_pool, struct perm_cfg_st *perm_config, const char
+ if (buffer == NULL) {
+ seclog(sec, LOG_ERR, "error in memory allocation");
+ } else {
+- ret = serve_request(sec, cmd_fd, 1, buffer, buffer_size);
++ ret = serve_request_main(sec, cmd_fd, buffer, buffer_size);
+ if (ret < 0 && ret == ERR_BAD_COMMAND) {
+ seclog(sec, LOG_ERR, "error processing command from main");
+ exit(1);
+@@ -710,7 +756,7 @@ void sec_mod_server(void *main_pool, struct perm_cfg_st *perm_config, const char
+ if (buffer == NULL) {
+ seclog(sec, LOG_ERR, "error in memory allocation");
+ } else {
+- serve_request(sec, cfd, 0, buffer, buffer_size);
++ serve_request(sec, cfd, buffer, buffer_size);
+ talloc_free(buffer);
+ }
+ }
+--
+2.1.4
+
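Review bot: In `serve_request_main` a body read that returns fewer bytes than the `length` announced in the header is not rejected — only `ret < 0` is, at the `force_read(cfd, buffer, length)` check — so a truncated or partially written message is handed to `process_packet_from_main` with the short `ret` as its size and is only caught, if at all, when protobuf unpacking fails. Since `sec_mod_server` already treats `ERR_BAD_COMMAND` from this function as fatal, the length mismatch should be flagged here explicitly: `if (ret < 0 || (unsigned)ret != length) {`. The earlier `if (ret == 0) goto leave;` on the header read also returns 0 on EOF from the main process, which the caller does not distinguish from success; if the surrounding loop re-polls `cmd_fd` it will spin on a closed descriptor, but that loop is not visible in this hunk and needs confirming. `force_read`'s contract (whether it loops until `length` bytes arrive or may return short) is likewise not visible here, and the check above is harmless if it never returns short.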
diff --git a/net/ocserv/patches/002-reject-bad-commands-from-main.patch b/net/ocserv/patches/002-reject-bad-commands-from-main.patch
new file mode 100644
index 000000000..b3e72d3dc
--- /dev/null
+++ b/net/ocserv/patches/002-reject-bad-commands-from-main.patch
@@ -0,0 +1,34 @@
+From 99dd4a6e03b669a5b5fe234fa665b75bbd95c593 Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <nmav@redhat.com>
+Date: Tue, 7 Apr 2015 17:13:29 +0200
+Subject: [PATCH] reject bad commands from main
+
+---
+ src/sec-mod.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/sec-mod.c b/src/sec-mod.c
+index 5a0763d..7783264 100644
+--- a/src/sec-mod.c
++++ b/src/sec-mod.c
+@@ -325,7 +325,7 @@ int process_packet_from_main(void *pool, int cfd, sec_mod_st * sec, cmd_request_
+ data.data);
+ if (msg == NULL) {
+ seclog(sec, LOG_INFO, "error unpacking auth ban ip reply\n");
+- return -1;
++ return ERR_BAD_COMMAND;
+ }
+
+ handle_sec_auth_ban_ip_reply(cfd, sec, msg);
+@@ -342,7 +342,7 @@ int process_packet_from_main(void *pool, int cfd, sec_mod_st * sec, cmd_request_
+ data.data);
+ if (msg == NULL) {
+ seclog(sec, LOG_INFO, "error unpacking session close\n");
+- return -1;
++ return ERR_BAD_COMMAND;
+ }
+
+ ret = handle_sec_auth_session_cmd(cfd, sec, msg, cmd);
+--
+2.1.4
+
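Review bot: The two `return ERR_BAD_COMMAND;` lines turn a recoverable `-1` into a value that `sec_mod_server` (as patched in 001) treats as fatal with `exit(1)`, but nothing at either return says so, and a future maintainer reverting to `-1` would silently reopen the case where sec-mod keeps reading a desynchronized command stream from main. Add a comment at the first changed return: `/* main is the trusted parent; an unparsable message means the command stream is desynchronized, and ERR_BAD_COMMAND makes sec_mod_server exit rather than continue */`. `process_packet_from_main` starts and ends outside this hunk, so any other error paths that still `return -1` cannot be checked here.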