From bdd340911511195e0e7372caaf20df76627059ff Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos
Date: Wed, 8 Apr 2015 20:50:37 +0200
Subject: [PATCH] ocserv: updated to 0.10.2

Signed-off-by: Nikos Mavrogiannopoulos
---
 net/ocserv/Makefile | 8 +-
 net/ocserv/files/ocserv.conf.template | 23 +++-
 net/ocserv/files/ocserv.init | 2 +-
 ...t-impose-timeouts-on-reads-from-main.patch | 104 ++++++++++++++++++
 .../002-reject-bad-commands-from-main.patch | 34 ++++++
 5 files changed, 165 insertions(+), 6 deletions(-)
 create mode 100644 net/ocserv/patches/001-sec-mod-do-not-impose-timeouts-on-reads-from-main.patch
 create mode 100644 net/ocserv/patches/002-reject-bad-commands-from-main.patch

diff --git a/net/ocserv/Makefile b/net/ocserv/Makefile
index b38e9b452..050fdc74d 100644
--- a/net/ocserv/Makefile
+++ b/net/ocserv/Makefile
@@ -8,13 +8,13 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=ocserv
-PKG_VERSION:=0.9.2
-PKG_RELEASE:=2
+PKG_VERSION:=0.10.2
+PKG_RELEASE:=1
 PKG_BUILD_DIR :=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION)
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
-PKG_SOURCE_URL :=ftp://ftp.infradead.org/pub/ocserv/
-PKG_MD5SUM:=9697c37cc81b30be2b178258ee595d97
+PKG_SOURCE_URL:=ftp://ftp.infradead.org/pub/ocserv/
+PKG_MD5SUM:=32ce2c2a00a97ab7c27e571aae207b2d
 PKG_LICENSE:=GPLv2
 PKG_LICENSE_FILES:=COPYING
diff --git a/net/ocserv/files/ocserv.conf.template b/net/ocserv/files/ocserv.conf.template
index 1694fd782..b5bbec31e 100644
--- a/net/ocserv/files/ocserv.conf.template
+++ b/net/ocserv/files/ocserv.conf.template
@@ -35,7 +35,7 @@ max-clients = |MAX_CLIENTS|
 # Limit the number of client connections to one every X milliseconds
 # (X is the provided value). Set to zero for no limit.
-#rate-limit-ms = 100
+rate-limit-ms = 100
 # Limit the number of identical clients (i.e., users connecting
 # multiple times). Unset or set to zero for unlimited.
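Review bot: `rate-limit-ms = 100` becomes a hard-wired value in every configuration generated from this template, while the tunable in the same hunk, `max-clients = |MAX_CLIENTS|`, goes through a placeholder. If the 100 ms inter-connection limit is meant to be operator-adjustable, a `|RATE_LIMIT_MS|` placeholder with 100 as the default would keep the template consistent; if it is meant as a fixed default, a one-line comment such as `# Enabled by default in this package; set to zero to disable the limit.` would stop the next maintainer from commenting it out again as upstream ships it.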
@@ -142,6 +142,27 @@ auth-timeout = 40
 # a failed authentication attempt.
 min-reauth-time = 360
+# Banning clients in ocserv works with a point system. IP addresses
+# that get a score over that configured number are banned for
+# min-reauth-time seconds. By default a wrong password attempt is 10 points,
+# a KKDCP POST is 1 point, and a connection is 1 point. Note that
+# due to difference processes being involved the count of points
+# will not be real-time precise.
+#
+# Score banning cannot be reliably used when receiving proxied connections
+# locally from an HTTP server (i.e., when listen-clear-file is used).
+#
+# Set to zero to disable.
+max-ban-score = 50
+
+# The time (in seconds) that all score kept for a client is reset.
+ban-reset-time = 300
+
+# In case you'd like to change the default points.
+#ban-points-wrong-password = 10
+#ban-points-connection = 1
+#ban-points-kkdcp = 1
+
 # Cookie timeout (in seconds)
 # which he can reconnect. That cookie will be invalided if not
 # used within this timeout value. On a user disconnection, that
diff --git a/net/ocserv/files/ocserv.init b/net/ocserv/files/ocserv.init
index aee342d68..fe0718b3b 100644
--- a/net/ocserv/files/ocserv.init
+++ b/net/ocserv/files/ocserv.init
@@ -34,7 +34,7 @@ setup_config() {
 ipv6_addr=`echo $ip6addr|cut -d '/' -f 1`
 ipv6_prefix=`echo $ip6addr|cut -d '/' -f 2`
-test $auth = "plain" && authsuffix="\[/var/etc/ocpasswd\]"
+test $auth = "plain" && authsuffix="\[passwd=/var/etc/ocpasswd\]"
 dyndns="false"
 hostname=`uci show ddns|grep domain|head -1|cut -d '=' -f 2 2>/dev/null`
diff --git a/net/ocserv/patches/001-sec-mod-do-not-impose-timeouts-on-reads-from-main.patch b/net/ocserv/patches/001-sec-mod-do-not-impose-timeouts-on-reads-from-main.patch
new file mode 100644
index 000000000..0d3d2219d
--- /dev/null
+++ b/net/ocserv/patches/001-sec-mod-do-not-impose-timeouts-on-reads-from-main.patch
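Review bot: The new banning block never says that the score is kept per source IP address and is therefore shared by every user behind one NAT or proxy address: with the defaults stated here (`ban-points-connection = 1`, `max-ban-score = 50`, `ban-reset-time = 300`) fifty connections from one address within five minutes lock all of those users out for `min-reauth-time` seconds. Suggest adding after the listen-clear-file caveat: `# The score is kept per source IP, so clients behind a shared NAT or proxy address` / `# share it; size max-ban-score with that in mind.` Two wording fixes in the same comment: `due to difference processes` should read `due to different processes`, and the ban-reset-time line reads better as `# The time (in seconds) after which all score kept for a client is reset.`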
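Review bot: `$auth` is expanded unquoted in the rewritten `test $auth = "plain"` line, so an unset or empty `auth` option turns the expression into `test = plain`, which fails with a syntax error on stderr instead of evaluating to false. Since the line is being rewritten anyway, quote it: `test "$auth" = "plain" && authsuffix="\[passwd=/var/etc/ocpasswd\]"`. The `setup_config()` function this line belongs to starts before the hunk and continues after it.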
@@ -0,0 +1,104 @@
+From 0967f05f8d7665a67f3cb0fbed46c48dc7ec74cb Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos
+Date: Tue, 31 Mar 2015 10:13:08 +0200
+Subject: [PATCH] sec-mod: do not impose timeouts on reads from main
+
+---
+ src/sec-mod.c | 60 ++++++++++++++++++++++++++++++++++++++++++++++++++++-------
+ 1 file changed, 53 insertions(+), 7 deletions(-)
+
+diff --git a/src/sec-mod.c b/src/sec-mod.c
+index b824e87..5a0763d 100644
+--- a/src/sec-mod.c
++++ b/src/sec-mod.c
+@@ -404,7 +404,56 @@ static void check_other_work(sec_mod_st *sec)
+ }
+
+ static
+-int serve_request(sec_mod_st *sec, int cfd, unsigned is_main, uint8_t *buffer, unsigned buffer_size)
++int serve_request_main(sec_mod_st *sec, int cfd, uint8_t *buffer, unsigned buffer_size)
++{
++ int ret, e;
++ unsigned cmd, length;
++ uint16_t l16;
++ void *pool = buffer;
++
++ /* read request */
++ ret = force_read(cfd, buffer, 3);
++ if (ret == 0)
++ goto leave;
++ else if (ret < 3) {
++ e = errno;
++ seclog(sec, LOG_INFO, "error receiving msg head: %s",
++ strerror(e));
++ ret = ERR_BAD_COMMAND;
++ goto leave;
++ }
++
++ cmd = buffer[0];
++ memcpy(&l16, &buffer[1], 2);
++ length = l16;
++
++ if (length > buffer_size - 4) {
++ seclog(sec, LOG_INFO, "too big message (%d)", length);
++ ret = ERR_BAD_COMMAND;
++ goto leave;
++ }
++
++ /* read the body */
++ ret = force_read(cfd, buffer, length);
++ if (ret < 0) {
++ e = errno;
++ seclog(sec, LOG_INFO, "error receiving msg body: %s",
++ strerror(e));
++ ret = ERR_BAD_COMMAND;
++ goto leave;
++ }
++
++ ret = process_packet_from_main(pool, cfd, sec, cmd, buffer, ret);
++ if (ret < 0) {
++ seclog(sec, LOG_INFO, "error processing data for '%s' command (%d)", cmd_request_to_str(cmd), ret);
++ }
++
++ leave:
++ return ret;
++}
++
++static
++int serve_request(sec_mod_st *sec, int cfd, uint8_t *buffer, unsigned buffer_size)
+ {
+ int ret, e;
+ unsigned cmd, length;
+@@ -443,10 +492,7 @@ int serve_request(sec_mod_st *sec, int cfd, unsigned is_main, uint8_t *buffer, u
+ goto leave;
+ }
+
+- if (is_main)
+- ret = process_packet_from_main(pool, cfd, sec, cmd, buffer, ret);
+- else
+- ret = process_packet(pool, cfd, sec, cmd, buffer, ret);
++ ret = process_packet(pool, cfd, sec, cmd, buffer, ret);
+ if (ret < 0) {
+ seclog(sec, LOG_INFO, "error processing data for '%s' command (%d)", cmd_request_to_str(cmd), ret);
+ }
+@@ -677,7 +723,7 @@ void sec_mod_server(void *main_pool, struct perm_cfg_st *perm_config, const char
+ if (buffer == NULL) {
+ seclog(sec, LOG_ERR, "error in memory allocation");
+ } else {
+- ret = serve_request(sec, cmd_fd, 1, buffer, buffer_size);
++ ret = serve_request_main(sec, cmd_fd, buffer, buffer_size);
+ if (ret < 0 && ret == ERR_BAD_COMMAND) {
+ seclog(sec, LOG_ERR, "error processing command from main");
+ exit(1);
+@@ -710,7 +756,7 @@ void sec_mod_server(void *main_pool, struct perm_cfg_st *perm_config, const char
+ if (buffer == NULL) {
+ seclog(sec, LOG_ERR, "error in memory allocation");
+ } else {
+- serve_request(sec, cfd, 0, buffer, buffer_size);
++ serve_request(sec, cfd, buffer, buffer_size);
+ talloc_free(buffer);
+ }
+ }
+--
+2.1.4
+
diff --git a/net/ocserv/patches/002-reject-bad-commands-from-main.patch b/net/ocserv/patches/002-reject-bad-commands-from-main.patch
new file mode 100644
index 000000000..b3e72d3dc
--- /dev/null
+++ b/net/ocserv/patches/002-reject-bad-commands-from-main.patch
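Review bot: In the new `serve_request_main` the body read is checked only with `if (ret < 0)`, while the header read directly above it is checked with `ret < 3`; if `force_read` can return short on EOF, as the header check anticipates, a truncated body is handed to `process_packet_from_main` with the partial byte count as its length instead of being rejected. Making the two checks agree, `if (ret < 0 || (unsigned)ret != length) {`, turns a partially received command into `ERR_BAD_COMMAND`, which the caller in `sec_mod_server` now treats as fatal (`exit(1)`) rather than something to act on. The `length > buffer_size - 4` guard also silently passes everything if `buffer_size` is ever below 4 (unsigned wrap); the buffer is allocated by the caller outside this hunk, so a one-line comment stating that precondition at the check would help. The retained `serve_request` and the `sec_mod_server` hunks start or end outside this hunk, and `force_read`'s exact contract is not visible here.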
@@ -0,0 +1,34 @@
+From 99dd4a6e03b669a5b5fe234fa665b75bbd95c593 Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos
+Date: Tue, 7 Apr 2015 17:13:29 +0200
+Subject: [PATCH] reject bad commands from main
+
+---
+ src/sec-mod.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/sec-mod.c b/src/sec-mod.c
+index 5a0763d..7783264 100644
+--- a/src/sec-mod.c
++++ b/src/sec-mod.c
+@@ -325,7 +325,7 @@ int process_packet_from_main(void *pool, int cfd, sec_mod_st * sec, cmd_request_
+ data.data);
+ if (msg == NULL) {
+ seclog(sec, LOG_INFO, "error unpacking auth ban ip reply\n");
+- return -1;
++ return ERR_BAD_COMMAND;
+ }
+
+ handle_sec_auth_ban_ip_reply(cfd, sec, msg);
+@@ -342,7 +342,7 @@ int process_packet_from_main(void *pool, int cfd, sec_mod_st * sec, cmd_request_
+ data.data);
+ if (msg == NULL) {
+ seclog(sec, LOG_INFO, "error unpacking session close\n");
+- return -1;
++ return ERR_BAD_COMMAND;
+ }
+
+ ret = handle_sec_auth_session_cmd(cfd, sec, msg, cmd);
+--
+2.1.4
+
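Review bot: The two changed returns make an unpack failure fatal for sec-mod (the caller in `sec_mod_server` exits on `ERR_BAD_COMMAND`, per the 001 patch), but nothing at either return site records that, and any `return -1` paths that remain in `process_packet_from_main` outside this hunk would presumably still be only logged by that caller. A comment at each changed return, `/* ERR_BAD_COMMAND: sec_mod_server exits on this, a malformed message from main means a broken peer */`, would make the contract visible to whoever adds the next error path. The preceding `seclog(sec, LOG_INFO, ...)` lines now announce an event that terminates the process at info level, which an operator filtering on LOG_ERR will miss; they are not part of this change, but raising them to LOG_ERR would match the new severity. The body of `process_packet_from_main` starts before and continues after both hunks.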