From: Steven Barth
Date: Tue, 10 Jun 2014 05:26:09 +0000 (+0000)
Subject: Remove ocserv (moved)
X-Git-Url: http://git.lede-project.org./?a=commitdiff_plain;h=917b8c240f68dd558fe0a88904f747a0c3a068af;p=openwrt%2Fsvn-archive%2Farchive.git

Remove ocserv (moved)

SVN-Revision: 41076
---

diff --git a/net/ocserv/Config.in b/net/ocserv/Config.in
deleted file mode 100644
index e0d298390c..0000000000
--- a/net/ocserv/Config.in
+++ /dev/null
@@ -1,14 +0,0 @@
-# ocserv avanced configuration
-
-menu "Configuration"
- depends on PACKAGE_ocserv
-
-config OCSERV_PAM
- bool "enable PAM"
- default n
-
-config OCSERV_DBUS
- bool "enable DBUS (needed for occtl)"
- default n
-
-endmenu
diff --git a/net/ocserv/Makefile b/net/ocserv/Makefile
deleted file mode 100644
index 9fcff95a23..0000000000
--- a/net/ocserv/Makefile
+++ /dev/null
@@ -1,75 +0,0 @@
-#
-# Copyright (C) 2007-2011 OpenWrt.org
-#
-# This is free software, licensed under the GNU General Public License v2.
-# See /LICENSE for more information.
-#
-
-include $(TOPDIR)/rules.mk
-
-PKG_NAME:=ocserv
-PKG_VERSION:=0.3.5
-PKG_RELEASE:=1
-
-PKG_BUILD_DIR :=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION)
-PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
-PKG_SOURCE_URL :=ftp://ftp.infradead.org/pub/ocserv/
-PKG_MD5SUM:=7ba8ebe4eba08b6e1c9dabbc78da16e5
-
-PKG_LICENSE:=GPLv2
-PKG_LICENSE_FILES:=COPYING
-PKG_FIXUP:=autoreconf
-
-include $(INCLUDE_DIR)/package.mk
-
-define Package/ocserv/config
- source "$(SOURCE)/Config.in"
-endef
-
-define Package/ocserv
- SECTION:=net
- CATEGORY:=Network
- SUBMENU:=VPN
- TITLE:=OpenConnect VPN server
- URL:=http://www.infradead.org/ocserv/
- DEPENDS:= +libgnutls +OCSERV_PAM:libpam +OCSERV_DBUS:libdbus +OCSERV_DBUS:libreadline +libprotobuf-c
-endef
-
-define Package/ocserv/description
- OpenConnect server (ocserv) is an SSL VPN server. Its purpose is to be
- a secure, small, fast and configurable VPN server. It implements the
- OpenConnect SSL VPN protocol, and has also (currently experimental)
- compatibility with clients using the AnyConnect SSL VPN protocol. The
- OpenConnect VPN protocol uses the standard IETF security protocols such
- as TLS 1.2, and Datagram TLS to provide the secure VPN service.
-endef
-
-CONFIGURE_ARGS+= \
- --enable-local-libopts \
- --with-libcrypt-prefix="$(STAGING_DIR)/include" \
-
-ifneq ($(CONFIG_OCSERV_DBUS),y)
-CONFIGURE_ARGS += --without-dbus
-endif
-
-ifneq ($(CONFIG_OCSERV_PAM),y)
-CONFIGURE_ARGS += --without-pam
-endif
-
-define Package/ocserv/install
- $(INSTALL_DIR) $(1)/usr/sbin
- $(INSTALL_BIN) $(PKG_BUILD_DIR)/src/ocserv $(1)/usr/sbin/
- $(INSTALL_DIR) $(1)/usr/bin
- $(INSTALL_BIN) $(PKG_BUILD_DIR)/src/ocpasswd $(1)/usr/bin/
- $(INSTALL_DIR) $(1)/etc/init.d
- $(INSTALL_BIN) ./files/ocserv.init $(1)/etc/init.d/ocserv
- $(INSTALL_DIR) $(1)/etc/ocserv
- $(INSTALL_CONF) ./files/ocserv.conf $(1)/etc/ocserv/ocserv.conf
-ifeq ($(CONFIG_OCSERV_DBUS),y)
- $(INSTALL_BIN) $(PKG_BUILD_DIR)/src/occtl $(1)/usr/bin/
- $(INSTALL_DIR) $(1)/etc/dbus-1/system.d
- $(INSTALL_CONF) $(PKG_BUILD_DIR)/doc/dbus/org.infradead.ocserv.conf $(1)/etc/dbus-1/system.d/
-endif
-endef
-
-$(eval $(call BuildPackage,ocserv))
diff --git a/net/ocserv/files/ocserv.conf b/net/ocserv/files/ocserv.conf
deleted file mode 100644
index badf4b59c7..0000000000
--- a/net/ocserv/files/ocserv.conf
+++ /dev/null
@@ -1,293 +0,0 @@
-# User authentication method. Could be set multiple times and in that case
-# all should succeed.
-# Options: certificate, pam.
-#auth = "certificate"
-#auth = "pam"
-
-# The plain option requires specifying a password file which contains
-# entries of the following format.
-# "username:groupname:encoded-password"
-# One entry must be listed per line, and 'ocpasswd' can be used
-# to generate password entries.
-auth = "plain[/etc/ocserv/ocpasswd]"
-
-# A banner to be displayed on clients
-banner = "Welcome to OpenWRT"
-
-# Use listen-host to limit to specific IPs or to the IPs of a provided
-# hostname.
-#listen-host = [IP|HOSTNAME]
-
-# Limit the number of clients. Unset or set to zero for unlimited.
-#max-clients = 1024
-max-clients = 8
-
-# Limit the number of client connections to one every X milliseconds
-# (X is the provided value). Set to zero for no limit.
-#rate-limit-ms = 100
-
-# Limit the number of identical clients (i.e., users connecting
-# multiple times). Unset or set to zero for unlimited.
-max-same-clients = 2
-
-# TCP and UDP port number
-tcp-port = 4443
-udp-port = 4443
-
-# Keepalive in seconds
-keepalive = 32400
-
-# Dead peer detection in seconds.
-dpd = 120
-
-# Dead peer detection for mobile clients. The needs to
-# be much higher to prevent such clients being awaken too
-# often by the DPD messages, and save battery.
-# (clients that send the X-AnyConnect-Identifier-DeviceType)
-#mobile-dpd = 1800
-
-# MTU discovery (DPD must be enabled)
-try-mtu-discovery = false
-
-# The key and the certificates of the server
-# The key may be a file, or any URL supported by GnuTLS (e.g.,
-# tpmkey:uuid=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx;storage=user
-# or pkcs11:object=my-vpn-key;object-type=private)
-#
-# There may be multiple certificate and key pairs and each key
-# should correspond to the preceding certificate.
-server-cert = /etc/ocserv/server-cert.pem
-server-key = /etc/ocserv/server-key.pem
-
-# Diffie-Hellman parameters. Only needed if you require support
-# for the DHE ciphersuites (by default this server supports ECDHE).
-# Can be generated using:
-# certtool --generate-dh-params --outfile /path/to/dh.pem
-#dh-params = /path/to/dh.pem
-
-# If you have a certificate from a CA that provides an OCSP
-# service you may provide a fresh OCSP status response within
-# the TLS handshake. That will prevent the client from connecting
-# independently on the OCSP server.
-# You can update this response periodically using:
-# ocsptool --ask --load-cert=your_cert --load-issuer=your_ca --outfile response
-# Make sure that you replace the following file in an atomic way.
-#ocsp-response = /path/to/ocsp.der
-
-# In case PKCS #11 or TPM keys are used the PINs should be available
-# in files. The srk-pin-file is applicable to TPM keys only, and is the
-# storage root key.
-#pin-file = /path/to/pin.txt
-#srk-pin-file = /path/to/srkpin.txt
-
-# The Certificate Authority that will be used to verify
-# client certificates (public keys) if certificate authentication
-# is set.
-#ca-cert = /etc/ocserv/ca.pem
-
-# The object identifier that will be used to read the user ID in the client
-# certificate. The object identifier should be part of the certificate's DN
-# Useful OIDs are:
-# CN = 2.5.4.3, UID = 0.9.2342.19200300.100.1.1
-#cert-user-oid = 0.9.2342.19200300.100.1.1
-
-# The object identifier that will be used to read the user group in the
-# client certificate. The object identifier should be part of the certificate's
-# DN. Useful OIDs are:
-# OU (organizational unit) = 2.5.4.11
-#cert-group-oid = 2.5.4.11
-
-# The revocation list of the certificates issued by the 'ca-cert' above.
-#crl = /etc/ocserv/crl.pem
-
-# GnuTLS priority string
-tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT"
-
-# To enforce perfect forward secrecy (PFS) on the main channel.
-#tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA"
-
-# The time (in seconds) that a client is allowed to stay connected prior
-# to authentication
-auth-timeout = 40
-
-# The time (in seconds) that a client is allowed to stay idle (no traffic)
-# before being disconnected. Unset to disable.
-#idle-timeout = 1200
-
-# The time (in seconds) that a mobile client is allowed to stay idle (no
-# traffic) before being disconnected. Unset to disable.
-#mobile-idle-timeout = 2400
-
-# The time (in seconds) that a client is not allowed to reconnect after
-# a failed authentication attempt.
-#min-reauth-time = 2
-
-# Cookie validity time (in seconds)
-# Once a client is authenticated he's provided a cookie with
-# which he can reconnect. This option sets the maximum lifetime
-# of that cookie.
-cookie-validity = 86400
-
-# ReKey time (in seconds)
-# ocserv will ask the client to refresh keys periodically once
-# this amount of seconds is elapsed. Set to zero to disable.
-rekey-time = 172800
-
-# ReKey method
-# Valid options: ssl, new-tunnel
-# ssl: Will perform an efficient rehandshake on the channel allowing
-# a seamless connection during rekey.
-# new-tunnel: Will instruct the client to discard and re-establish the channel.
-# Use this option only if the connecting clients have issues with the ssl
-# option.
-rekey-method = ssl
-
-# Script to call when a client connects and obtains an IP
-# Parameters are passed on the environment.
-# REASON, USERNAME, GROUPNAME, HOSTNAME (the hostname selected by client),
-# DEVICE, IP_REAL (the real IP of the client), IP_LOCAL (the local IP
-# in the P-t-P connection), IP_REMOTE (the VPN IP of the client),
-# ID (a unique numeric ID); REASON may be "connect" or "disconnect".
-#connect-script = /scripts/ocserv-script
-#disconnect-script = /scripts/ocserv-script
-
-# UTMP
-use-utmp = false
-
-# D-BUS usage. If disabled occtl tool cannot be used. If enabled
-# then ocserv must have access to register org.infradead.ocserv
-# D-BUS service. See doc/dbus/org.infradead.ocserv.conf
-use-dbus = true
-
-# PID file. It can be overriden in the command line.
-pid-file = /var/run/ocserv.pid
-
-# The default server directory. Does not require any devices present.
-chroot-dir = /var/lib/ocserv
-
-# socket file used for IPC, will be appended with .PID
-# It must be accessible within the chroot environment (if any)
-#socket-file = /var/run/ocserv-socket
-socket-file = ocserv-socket
-
-# The user the worker processes will be run as. It should be
-# unique (no other services run as this user).
-run-as-user = ocserv
-run-as-group = ocserv
-
-# Set the protocol-defined priority (SO_PRIORITY) for packets to
-# be sent. That is a number from 0 to 6 with 0 being the lowest
-# priority. Alternatively this can be used to set the IP Type-
-# Of-Service, by setting it to a hexadecimal number (e.g., 0x20).
-# This can be set per user/group or globally.
-#net-priority = 3
-
-# Set the VPN worker process into a specific cgroup. This is Linux
-# specific and can be set per user/group or globally.
-#cgroup = "cpuset,cpu:test"
-
-#
-# Network settings
-#
-
-# The name of the tun device
-device = vpns
-
-# The default domain to be advertised
-default-domain = example.com
-
-# The pool of addresses that leases will be given from.
-ipv4-network = 192.168.1.0
-ipv4-netmask = 255.255.255.0
-
-# The advertized DNS server. Use multiple lines for
-# multiple servers.
-# dns = fc00::4be0
-dns = 192.168.1.2
-
-# The NBNS server (if any)
-#nbns = 192.168.1.3
-
-# The IPv6 subnet that leases will be given from.
-#ipv6-network = fc00::
-#ipv6-prefix = 16
-
-# The domains over which the provided DNS should be used. Use
-# multiple lines for multiple domains.
-#split-dns = example.com
-
-# Prior to leasing any IP from the pool ping it to verify that
-# it is not in use by another (unrelated to this server) host.
-ping-leases = false
-
-# Unset to assign the default MTU of the device
-# mtu =
-
-# Unset to enable bandwidth restrictions (in bytes/sec). The
-# setting here is global, but can also be set per user or per group.
-#rx-data-per-sec = 40000
-#tx-data-per-sec = 40000
-
-# The number of packets (of MTU size) that are available in
-# the output buffer. The default is low to improve latency.
-# Setting it higher will improve throughput.
-#output-buffer = 10
-
-# Routes to be forwarded to the client. If you need the
-# client to forward routes to the server, you may use the
-# config-per-user/group or even connect and disconnect scripts.
-#
-# To set the server as the default gateway for the client just
-# comment out all routes from the server.
-route = 192.168.1.0/255.255.255.0
-route = 192.168.5.0/255.255.255.0
-#route = fef4:db8:1000:1001::/64
-
-# Configuration files that will be applied per user connection or
-# per group. Each file name on these directories must match the username
-# or the groupname.
-# The options allowed in the configuration files are dns, nbns,
-# ipv?-network, ipv4-netmask, ipv6-prefix, rx/tx-per-sec, iroute, route,
-# net-priority and cgroup.
-#
-# Note that the 'iroute' option allows to add routes on the server
-# based on a user or group. The syntax depends on the input accepted
-# by the commands route-add-cmd and route-del-cmd (see below).
-
-#config-per-user = /etc/ocserv/config-per-user/
-#config-per-group = /etc/ocserv/config-per-group/
-
-# The system command to use to setup a route. %R will be replaced with the
-# route/mask and %D with the (tun) device.
-#
-# The following example is from linux systems. %R should be something
-# like 192.168.2.0/24
-
-#route-add-cmd = "ip route add %R dev %D"
-#route-del-cmd = "ip route delete %R dev %D"
-
-#
-# The following options are for (experimental) AnyConnect client
-# compatibility.
-
-# Client profile xml. A sample file exists in doc/profile.xml.
-# This file must be accessible from inside the worker's chroot.
-# It is not used by the openconnect client.
-#user-profile = profile.xml
-
-# Binary files that may be downloaded by the CISCO client. Must
-# be within any chroot environment.
-#binary-files = /path/to/binaries
-
-# Unless set to false it is required for clients to present their
-# certificate even if they are authenticating via a previously granted
-# cookie and complete their authentication in the same TCP connection.
-# Legacy CISCO clients do not do that, and thus this option should be
-# set for them.
-cisco-client-compat = true
-
-#Advanced options
-
-# Option to allow sending arbitrary custom headers to the client after
-# authentication and prior to VPN tunnel establishment.
-#custom-header = "X-My-Header: hi there"
diff --git a/net/ocserv/files/ocserv.init b/net/ocserv/files/ocserv.init
deleted file mode 100644
index 559ec802ef..0000000000
--- a/net/ocserv/files/ocserv.init
+++ /dev/null
@@ -1,61 +0,0 @@
-#!/bin/sh /etc/rc.common
-
-SERVICE_USE_PID=1
-
-START=50
-
-start() {
- user_exists ocserv 72 || user_add ocserv 72 72 /var/lib/ocserv
- group_exists ocserv 72 || group_add ocserv 72
-
- [ ! -f /etc/ocserv/ca-key.pem ] && [ -x /usr/bin/certtool ] && {
- echo "Generating CA certificate..."
- mkdir -p /etc/ocserv/pki/
- certtool --bits 2048 --generate-privkey --outfile /etc/ocserv/ca-key.pem >/dev/null 2>&1
- echo "cn=`uci get system.@system[0].hostname` CA" >/etc/ocserv/pki/ca.tmpl
- echo "expiration_days=-1" >>/etc/ocserv/pki/ca.tmpl
- echo "serial=1" >>/etc/ocserv/pki/ca.tmpl
- echo "ca" >>/etc/ocserv/pki/ca.tmpl
- echo "cert_signing_key" >>/etc/ocserv/pki/ca.tmpl
-
- certtool --template /etc/ocserv/pki/ca.tmpl \
- --generate-self-signed --load-privkey /etc/ocserv/ca-key.pem \
- --outfile /etc/ocserv/ca.pem >/dev/null 2>&1
- }
-
- #generate server certificate/key
- [ ! -f /etc/ocserv/server-key.pem ] && [ -x /usr/bin/certtool ] && {
- echo "Generating server certificate..."
- mkdir -p /etc/ocserv/pki/
- certtool --bits 2048 --generate-privkey --outfile /etc/ocserv/server-key.pem >/dev/null 2>&1
- echo "cn=`uci get system.@system[0].hostname`" >/etc/ocserv/pki/server.tmpl
- echo "serial=2" >>/etc/ocserv/pki/server.tmpl
- echo "expiration_days=-1" >>/etc/ocserv/pki/server.tmpl
- echo "signing_key" >>/etc/ocserv/pki/server.tmpl
- echo "encryption_key" >>/etc/ocserv/pki/server.tmpl
- certtool --template /etc/ocserv/pki/server.tmpl \
- --generate-certificate --load-privkey /etc/ocserv/server-key.pem \
- --load-ca-certificate /etc/ocserv/ca.pem --load-ca-privkey \
- /etc/ocserv/ca-key.pem --outfile /etc/ocserv/server-cert.pem >/dev/null 2>&1
- }
-
- [ -f /etc/ocserv/ocpasswd ] || {
- touch /etc/ocserv/ocpasswd
- }
-
- [ -f /var/run/ocserv.pid ] || {
- touch /var/run/ocserv.pid
- chown ocserv:ocserv /var/run/ocserv.pid
- }
- [ -d /var/lib/ocserv ] || {
- mkdir -m 0755 -p /var/lib/ocserv
- chmod 0700 /var/lib/ocserv
- chown ocserv:ocserv /var/lib/ocserv
- }
- service_start /usr/sbin/ocserv -c /etc/ocserv/ocserv.conf
-}
-
-stop() {
- service_stop /usr/sbin/ocserv
-}
-