Browse Source

ocserv: updated to 0.10.2

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
lilik-openwrt-22.03
Nikos Mavrogiannopoulos 10 years ago
parent
commit
bdd3409115
5 changed files with 165 additions and 6 deletions
  1. +4
    -4
      net/ocserv/Makefile
  2. +22
    -1
      net/ocserv/files/ocserv.conf.template
  3. +1
    -1
      net/ocserv/files/ocserv.init
  4. +104
    -0
      net/ocserv/patches/001-sec-mod-do-not-impose-timeouts-on-reads-from-main.patch
  5. +34
    -0
      net/ocserv/patches/002-reject-bad-commands-from-main.patch

+ 4
- 4
net/ocserv/Makefile View File

@ -8,13 +8,13 @@
include $(TOPDIR)/rules.mk include $(TOPDIR)/rules.mk
PKG_NAME:=ocserv PKG_NAME:=ocserv
PKG_VERSION:=0.9.2
PKG_RELEASE:=2
PKG_VERSION:=0.10.2
PKG_RELEASE:=1
PKG_BUILD_DIR :=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION) PKG_BUILD_DIR :=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION)
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
PKG_SOURCE_URL :=ftp://ftp.infradead.org/pub/ocserv/
PKG_MD5SUM:=9697c37cc81b30be2b178258ee595d97
PKG_SOURCE_URL:=ftp://ftp.infradead.org/pub/ocserv/
PKG_MD5SUM:=32ce2c2a00a97ab7c27e571aae207b2d
PKG_LICENSE:=GPLv2 PKG_LICENSE:=GPLv2
PKG_LICENSE_FILES:=COPYING PKG_LICENSE_FILES:=COPYING


+ 22
- 1
net/ocserv/files/ocserv.conf.template View File

@ -35,7 +35,7 @@ max-clients = |MAX_CLIENTS|
# Limit the number of client connections to one every X milliseconds # Limit the number of client connections to one every X milliseconds
# (X is the provided value). Set to zero for no limit. # (X is the provided value). Set to zero for no limit.
#rate-limit-ms = 100
rate-limit-ms = 100
# Limit the number of identical clients (i.e., users connecting # Limit the number of identical clients (i.e., users connecting
# multiple times). Unset or set to zero for unlimited. # multiple times). Unset or set to zero for unlimited.
@ -142,6 +142,27 @@ auth-timeout = 40
# a failed authentication attempt. # a failed authentication attempt.
min-reauth-time = 360 min-reauth-time = 360
# Banning clients in ocserv works with a point system. IP addresses
# that get a score over that configured number are banned for
# min-reauth-time seconds. By default a wrong password attempt is 10 points,
# a KKDCP POST is 1 point, and a connection is 1 point. Note that
# due to difference processes being involved the count of points
# will not be real-time precise.
#
# Score banning cannot be reliably used when receiving proxied connections
# locally from an HTTP server (i.e., when listen-clear-file is used).
#
# Set to zero to disable.
max-ban-score = 50
# The time (in seconds) that all score kept for a client is reset.
ban-reset-time = 300
# In case you'd like to change the default points.
#ban-points-wrong-password = 10
#ban-points-connection = 1
#ban-points-kkdcp = 1
# Cookie timeout (in seconds) # Cookie timeout (in seconds)
# which he can reconnect. That cookie will be invalided if not # which he can reconnect. That cookie will be invalided if not
# used within this timeout value. On a user disconnection, that # used within this timeout value. On a user disconnection, that


+ 1
- 1
net/ocserv/files/ocserv.init View File

@ -34,7 +34,7 @@ setup_config() {
ipv6_addr=`echo $ip6addr|cut -d '/' -f 1` ipv6_addr=`echo $ip6addr|cut -d '/' -f 1`
ipv6_prefix=`echo $ip6addr|cut -d '/' -f 2` ipv6_prefix=`echo $ip6addr|cut -d '/' -f 2`
test $auth = "plain" && authsuffix="\[/var/etc/ocpasswd\]"
test $auth = "plain" && authsuffix="\[passwd=/var/etc/ocpasswd\]"
dyndns="false" dyndns="false"
hostname=`uci show ddns|grep domain|head -1|cut -d '=' -f 2 2>/dev/null` hostname=`uci show ddns|grep domain|head -1|cut -d '=' -f 2 2>/dev/null`


+ 104
- 0
net/ocserv/patches/001-sec-mod-do-not-impose-timeouts-on-reads-from-main.patch View File

@ -0,0 +1,104 @@
From 0967f05f8d7665a67f3cb0fbed46c48dc7ec74cb Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos <nmav@redhat.com>
Date: Tue, 31 Mar 2015 10:13:08 +0200
Subject: [PATCH] sec-mod: do not impose timeouts on reads from main
---
src/sec-mod.c | 60 ++++++++++++++++++++++++++++++++++++++++++++++++++++-------
1 file changed, 53 insertions(+), 7 deletions(-)
diff --git a/src/sec-mod.c b/src/sec-mod.c
index b824e87..5a0763d 100644
--- a/src/sec-mod.c
+++ b/src/sec-mod.c
@@ -404,7 +404,56 @@ static void check_other_work(sec_mod_st *sec)
}
static
-int serve_request(sec_mod_st *sec, int cfd, unsigned is_main, uint8_t *buffer, unsigned buffer_size)
+int serve_request_main(sec_mod_st *sec, int cfd, uint8_t *buffer, unsigned buffer_size)
+{
+ int ret, e;
+ unsigned cmd, length;
+ uint16_t l16;
+ void *pool = buffer;
+
+ /* read request */
+ ret = force_read(cfd, buffer, 3);
+ if (ret == 0)
+ goto leave;
+ else if (ret < 3) {
+ e = errno;
+ seclog(sec, LOG_INFO, "error receiving msg head: %s",
+ strerror(e));
+ ret = ERR_BAD_COMMAND;
+ goto leave;
+ }
+
+ cmd = buffer[0];
+ memcpy(&l16, &buffer[1], 2);
+ length = l16;
+
+ if (length > buffer_size - 4) {
+ seclog(sec, LOG_INFO, "too big message (%d)", length);
+ ret = ERR_BAD_COMMAND;
+ goto leave;
+ }
+
+ /* read the body */
+ ret = force_read(cfd, buffer, length);
+ if (ret < 0) {
+ e = errno;
+ seclog(sec, LOG_INFO, "error receiving msg body: %s",
+ strerror(e));
+ ret = ERR_BAD_COMMAND;
+ goto leave;
+ }
+
+ ret = process_packet_from_main(pool, cfd, sec, cmd, buffer, ret);
+ if (ret < 0) {
+ seclog(sec, LOG_INFO, "error processing data for '%s' command (%d)", cmd_request_to_str(cmd), ret);
+ }
+
+ leave:
+ return ret;
+}
+
+static
+int serve_request(sec_mod_st *sec, int cfd, uint8_t *buffer, unsigned buffer_size)
{
int ret, e;
unsigned cmd, length;
@@ -443,10 +492,7 @@ int serve_request(sec_mod_st *sec, int cfd, unsigned is_main, uint8_t *buffer, u
goto leave;
}
- if (is_main)
- ret = process_packet_from_main(pool, cfd, sec, cmd, buffer, ret);
- else
- ret = process_packet(pool, cfd, sec, cmd, buffer, ret);
+ ret = process_packet(pool, cfd, sec, cmd, buffer, ret);
if (ret < 0) {
seclog(sec, LOG_INFO, "error processing data for '%s' command (%d)", cmd_request_to_str(cmd), ret);
}
@@ -677,7 +723,7 @@ void sec_mod_server(void *main_pool, struct perm_cfg_st *perm_config, const char
if (buffer == NULL) {
seclog(sec, LOG_ERR, "error in memory allocation");
} else {
- ret = serve_request(sec, cmd_fd, 1, buffer, buffer_size);
+ ret = serve_request_main(sec, cmd_fd, buffer, buffer_size);
if (ret < 0 && ret == ERR_BAD_COMMAND) {
seclog(sec, LOG_ERR, "error processing command from main");
exit(1);
@@ -710,7 +756,7 @@ void sec_mod_server(void *main_pool, struct perm_cfg_st *perm_config, const char
if (buffer == NULL) {
seclog(sec, LOG_ERR, "error in memory allocation");
} else {
- serve_request(sec, cfd, 0, buffer, buffer_size);
+ serve_request(sec, cfd, buffer, buffer_size);
talloc_free(buffer);
}
}
--
2.1.4

+ 34
- 0
net/ocserv/patches/002-reject-bad-commands-from-main.patch View File

@ -0,0 +1,34 @@
From 99dd4a6e03b669a5b5fe234fa665b75bbd95c593 Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos <nmav@redhat.com>
Date: Tue, 7 Apr 2015 17:13:29 +0200
Subject: [PATCH] reject bad commands from main
---
src/sec-mod.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/sec-mod.c b/src/sec-mod.c
index 5a0763d..7783264 100644
--- a/src/sec-mod.c
+++ b/src/sec-mod.c
@@ -325,7 +325,7 @@ int process_packet_from_main(void *pool, int cfd, sec_mod_st * sec, cmd_request_
data.data);
if (msg == NULL) {
seclog(sec, LOG_INFO, "error unpacking auth ban ip reply\n");
- return -1;
+ return ERR_BAD_COMMAND;
}
handle_sec_auth_ban_ip_reply(cfd, sec, msg);
@@ -342,7 +342,7 @@ int process_packet_from_main(void *pool, int cfd, sec_mod_st * sec, cmd_request_
data.data);
if (msg == NULL) {
seclog(sec, LOG_INFO, "error unpacking session close\n");
- return -1;
+ return ERR_BAD_COMMAND;
}
ret = handle_sec_auth_session_cmd(cfd, sec, msg, cmd);
--
2.1.4

Loading…
Cancel
Save