.gear/rules                                        |   3 +

 .../tags/a0925ea74cea919a5bc6ccb1b81b5897983ea7ae  |  20 +

 .gear/tags/list                                    |   1 +

 .gear/upstream/remotes                             |   3 +

 ocserv-pamd.conf                                   |   5 +

 ocserv.conf                                        | 610 +++++++++++++++++++++

 ocserv.init                                        | 103 ++++

 ocserv.spec                                        | 183 +++++++

 src/worker-privs.c                                 |   4 +

 tests/data/haproxy-auth.cfg                        |   4 +-

 10 files changed, 934 insertions(+), 2 deletions(-)

diff --git a/.gear/rules b/.gear/rules

new file mode 100644

index 00000000..2cce167b

--- /dev/null

+++ b/.gear/rules

@@ -0,0 +1,3 @@

+tar: @version@:.

+diff: @version@:. .

+

diff --git a/.gear/tags/a0925ea74cea919a5bc6ccb1b81b5897983ea7ae b/.gear/tags/a0925ea74cea919a5bc6ccb1b81b5897983ea7ae

new file mode 100644

index 00000000..5c363b9a

--- /dev/null

+++ b/.gear/tags/a0925ea74cea919a5bc6ccb1b81b5897983ea7ae

@@ -0,0 +1,20 @@

+object 895a23f372fd2ef7f29c8ccd635e33b32de0915f

+type commit

+tag 1.2.1

+tagger Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com> 1692709837 +0200

+

+released 1.2.1

+-----BEGIN PGP SIGNATURE-----

+

+iQHWBAABCAA8FiEEH0JBiQXYIGqnVMzcKe5YuZaGUXEFAmTks9EeHG4ubWF2cm9n

+aWFubm9wb3Vsb3NAZ21haWwuY29tAAoJECnuWLmWhlFxtDIMH16uVZbf2SRvpbob

+pgKT4YmMyHzc0ToPLcviSHkPoynWIIYT9Ye04gvn6uOFSt1D9pJhw+mP+1v4qKX3

+4PQpmppZ5Njeh3XRZPPv8b7J5Nw5YmwOxplIG/5uZKNQTnBJl3w+KDpbwO1gOO7Q

+V62fMGFG+MfIjBHRMZme6dJl1dl0PKD7SSrpQW8e1SDuys1YPJCRy3uFI8nROwBR

+ELXmcZoWEbo2C535tSoquzBUBH46r/GmBNUpIt9BntALJb6p2rdgxeW5dMfC3Z84

+Y2uNCqQWHOd7olKQLHNNDW7UO3LdWFa5fv0Xjd3TlOb79GnPIUFf/KT1E0aeTqzM

+S04q/Iirz+TVTdCkBNJKtimDdzMKfIfCoqiu0tXhDIWhtIpLgvZb2j5+5cpRttJY

+HUQbtdhTvsHp9X6a7ctOrOhSX34BTIvNbbceJNjKQwsbrG+/FkOXXBPPEtAjm4pa

+5aPCtvo5YK/JBmCfdEJ10vUqrf7JJ6YxVH8f8EAOonEiJg405iN+FJI=

+=nO4G

+-----END PGP SIGNATURE-----

diff --git a/.gear/tags/list b/.gear/tags/list

new file mode 100644

index 00000000..d61adf9c

--- /dev/null

+++ b/.gear/tags/list

@@ -0,0 +1 @@

+a0925ea74cea919a5bc6ccb1b81b5897983ea7ae 1.2.1

diff --git a/.gear/upstream/remotes b/.gear/upstream/remotes

new file mode 100644

index 00000000..56cacf9d

--- /dev/null

+++ b/.gear/upstream/remotes

@@ -0,0 +1,3 @@

+[remote "upstream"]

+	url = https://gitlab.com/openconnect/ocserv.git

+	fetch = +refs/heads/*:refs/remotes/upstream/*

diff --git a/ocserv-pamd.conf b/ocserv-pamd.conf

new file mode 100644

index 00000000..15944256

--- /dev/null

+++ b/ocserv-pamd.conf

@@ -0,0 +1,5 @@

+#%PAM-1.0

+auth		include		system-auth

+account		required	pam_nologin.so

+account		include		system-auth

+session		include		system-auth

diff --git a/ocserv.conf b/ocserv.conf

new file mode 100644

index 00000000..02a51238

--- /dev/null

+++ b/ocserv.conf

@@ -0,0 +1,610 @@

+### The following directives do not change with server reload.

+#

+# User authentication method. To require multiple methods to be

+# used for the user to login, add multiple auth directives. The values

+# in the 'auth' directive are AND composed (if multiple all must

+# succeed).

+# Available options: certificate, plain, pam, radius, gssapi.

+# Note that authentication methods utilizing passwords cannot be

+# combined (e.g., the plain, pam or radius methods).

+#

+# certificate:

+#  This indicates that all connecting users must present a certificate.

+#  The username and user group will be then extracted from it (see

+#  cert-user-oid and cert-group-oid). The certificate to be accepted

+#  it must be signed by the CA certificate as specified in 'ca-cert' and

+#  it must not be listed in the CRL, as specified by the 'crl' option.

+#

+# pam[gid-min=1000]:

+#  This enabled PAM authentication of the user. The gid-min option is used 

+# by auto-select-group option, in order to select the minimum valid group ID.

+#

+# plain[passwd=/etc/ocserv/ocpasswd,otp=/etc/ocserv/users.otp]

+#  The plain option requires specifying a password file which contains

+# entries of the following format.

+# "username:groupname1,groupname2:encoded-password"

+# One entry must be listed per line, and 'ocpasswd' should be used

+# to generate password entries. The 'otp' suboption allows to specify

+# an oath password file to be used for one time passwords; the format of

+# the file is described in https://code.google.com/p/mod-authn-otp/wiki/UsersFile

+#

+# radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true,nas-identifier=name,override-interim-updates=false]:

+#  The radius option requires specifying freeradius-client configuration

+# file. If the groupconfig option is set, then config-per-user will be overriden,

+# and all configuration will be read from radius. The 'override-interim-updates' if set to

+# true will ignore Acct-Interim-Interval from the server and 'stats-report-time' will be considered.

+#

+# gssapi[keytab=/etc/key.tab,require-local-user-map=true,tgt-freshness-time=900]

+#  The gssapi option allows to use authentication methods supported by GSSAPI,

+# such as Kerberos tickets with ocserv. It should be best used as an alternative

+# to PAM (i.e., have pam in auth and gssapi in enable-auth), to allow users with

+# tickets and without tickets to login. The default value for require-local-user-map

+# is true. The 'tgt-freshness-time' if set, it would require the TGT tickets presented

+# to have been issued within the provided number of seconds. That option is used to

+# restrict logins even if the KDC provides long time TGT tickets.

+

+#auth = "pam"

+auth = "pam[gid-min=500]"

+#auth = "plain[passwd=./sample.passwd,otp=./sample.otp]"

+#auth = "certificate"

+#auth = "radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true]"

+

+# Specify alternative authentication methods that are sufficient

+# for authentication. That is, if set, any of the methods enabled

+# will be sufficient to login, irrespective of the main 'auth' entries.

+# When multiple options are present, they are OR composed (any of them

+# succeeding allows login).

+#enable-auth = "certificate"

+#enable-auth = "gssapi"

+#enable-auth = "gssapi[keytab=/etc/key.tab,require-local-user-map=true,tgt-freshness-time=900]"

+

+# Accounting methods available:

+# radius: can be combined with any authentication method, it provides

+#      radius accounting to available users (see also stats-report-time).

+#

+# pam: can be combined with any authentication method, it provides

+#      a validation of the connecting user's name using PAM. It is

+#      superfluous to use this method when authentication is already

+#      PAM.

+#

+# Only one accounting method can be specified.

+#acct = "radius[config=/etc/radiusclient/radiusclient.conf]"

+

+# Use listen-host to limit to specific IPs or to the IPs of a provided 

+# hostname.

+#listen-host = [IP|HOSTNAME]

+

+# When the server has a dynamic DNS address (that may change),

+# should set that to true to ask the client to resolve again on

+# reconnects.

+#listen-host-is-dyndns = true

+

+# TCP and UDP port number

+tcp-port = 443

+udp-port = 443

+

+# Accept connections using a socket file. It accepts HTTP

+# connections (i.e., without SSL/TLS unlike its TCP counterpart),

+# and uses it as the primary channel. That option cannot be

+# combined with certificate authentication.

+#listen-clear-file = /var/run/ocserv-conn.socket

+

+# The user the worker processes will be run as. It should be

+# unique (no other services run as this user).

+run-as-user = ocserv

+run-as-group = ocserv

+

+# socket file used for IPC with occtl. You only need to set that,

+# if you use more than a single servers.

+#occtl-socket-file = /run/occtl.socket

+

+# socket file used for server IPC (worker-main), will be appended with .PID

+# It must be accessible within the chroot environment (if any), so it is best

+# specified relatively to the chroot directory.

+socket-file = ocserv.sock

+

+# The default server directory. Does not require any devices present.

+chroot-dir = /var/lib/ocserv

+

+

+### All configuration options below this line are reloaded on a SIGHUP.

+### The options above, will remain unchanged. Note however, that the 

+### server-cert, server-key, dh-params and ca-cert options will be reloaded

+### if the provided file changes, on server reload. That allows certificate

+### rotation, but requires the server key to remain the same for seamless

+### operation. If the server key changes on reload, there may be connection

+### failures during the reloading time.

+

+

+# Whether to enable seccomp/Linux namespaces worker isolation. That restricts the number of 

+# system calls allowed to a worker process, in order to reduce damage from a

+# bug in the worker process. It is available on Linux systems at a performance cost.

+# The performance cost is roughly 2% overhead at transfer time (tested on a Linux 3.17.8).

+# Note however, that process isolation is restricted to the specific libc versions

+# the isolation was tested at. If you get random failures on worker processes, try

+# disabling that option and report the failures you, along with system and debugging

+# information at: https://gitlab.com/ocserv/ocserv/issues

+isolate-workers = true

+

+# A banner to be displayed on clients

+#banner = "Welcome"

+

+# Limit the number of clients. Unset or set to zero for unlimited.

+#max-clients = 1024

+max-clients = 16

+

+# Limit the number of identical clients (i.e., users connecting 

+# multiple times). Unset or set to zero for unlimited.

+max-same-clients = 2

+

+# Limit the number of client connections to one every X milliseconds 

+# (X is the provided value). Set to zero for no limit.

+#rate-limit-ms = 100

+

+# Stats report time. The number of seconds after which each

+# worker process will report its usage statistics (number of

+# bytes transferred etc). This is useful when accounting like

+# radius is in use.

+#stats-report-time = 360

+

+# Keepalive in seconds

+keepalive = 32400

+

+# Dead peer detection in seconds.

+# Note that when the client is behind a NAT this value

+# needs to be short enough to prevent the NAT disassociating

+# his UDP session from the port number. Otherwise the client

+# could have his UDP connection stalled, for several minutes.

+dpd = 90

+

+# Dead peer detection for mobile clients. That needs to

+# be higher to prevent such clients being awaken too 

+# often by the DPD messages, and save battery.

+# The mobile clients are distinguished from the header

+# 'X-AnyConnect-Identifier-DeviceType'.

+mobile-dpd = 1800

+

+# If using DTLS, and no UDP traffic is received for this

+# many seconds, attempt to send future traffic over the TCP

+# connection instead, in an attempt to wake up the client

+# in the case that there is a NAT and the UDP translation

+# was deleted. If this is unset, do not attempt to use this

+# recovery mechanism.

+switch-to-tcp-timeout = 25

+

+# MTU discovery (DPD must be enabled)

+try-mtu-discovery = false

+

+# The key and the certificates of the server

+# The key may be a file, or any URL supported by GnuTLS (e.g., 

+# tpmkey:uuid=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx;storage=user

+# or pkcs11:object=my-vpn-key;object-type=private)

+#

+# The server-cert file may contain a single certificate, or

+# a sorted certificate chain.

+#

+# There may be multiple server-cert and server-key directives,

+# but each key should correspond to the preceding certificate.

+# The certificate files will be reloaded when changed allowing for in-place

+# certificate renewal (they are checked and reloaded periodically;

+# a SIGHUP signal to main server will force reload).

+

+server-cert = /etc/pki/ocserv/public/server.crt

+server-key = /etc/pki/ocserv/private/server.key

+

+# Diffie-Hellman parameters. Only needed if you require support

+# for the DHE ciphersuites (by default this server supports ECDHE).

+# Can be generated using:

+# certtool --generate-dh-params --outfile /path/to/dh.pem

+#dh-params = /path/to/dh.pem

+

+# If you have a certificate from a CA that provides an OCSP

+# service you may provide a fresh OCSP status response within

+# the TLS handshake. That will prevent the client from connecting

+# independently on the OCSP server.

+# You can update this response periodically using:

+# ocsptool --ask --load-cert=your_cert --load-issuer=your_ca --outfile response

+# Make sure that you replace the following file in an atomic way.

+#ocsp-response = /path/to/ocsp.der

+

+# In case PKCS #11, TPM or encrypted keys are used the PINs should be available

+# in files. The srk-pin-file is applicable to TPM keys only, and is the 

+# storage root key.

+#pin-file = /path/to/pin.txt

+#srk-pin-file = /path/to/srkpin.txt

+

+# The password or PIN needed to unlock the key in server-key file.

+# Only needed if the file is encrypted or a PKCS #11 object. This

+# is an alternative method to pin-file.

+#key-pin = 1234

+

+# The SRK PIN for TPM.

+# This is an alternative method to srk-pin-file.

+#srk-pin = 1234

+

+# The Certificate Authority that will be used to verify

+# client certificates (public keys) if certificate authentication

+# is set.

+ca-cert = /etc/pki/ocserv/cacerts/ca.crt

+

+# The object identifier that will be used to read the user ID in the client 

+# certificate. The object identifier should be part of the certificate's DN

+# Useful OIDs are: 

+#  CN = 2.5.4.3, UID = 0.9.2342.19200300.100.1.1

+cert-user-oid = 0.9.2342.19200300.100.1.1

+

+# The object identifier that will be used to read the user group in the 

+# client  certificate. The object identifier should be part of the certificate's

+# DN. Useful OIDs are: 

+#  OU (organizational unit) = 2.5.4.11 

+#cert-group-oid = 2.5.4.11

+

+# The revocation list of the certificates issued by the 'ca-cert' above.

+# See the manual to generate an empty CRL initially. The CRL will be reloaded

+# periodically when ocserv detects a change in the file. To force a reload use

+# SIGHUP.

+#crl = /path/to/crl.pem

+

+# Uncomment this to enable compression negotiation (LZS, LZ4).

+#compression = true

+

+# Set the minimum size under which a packet will not be compressed.

+# That is to allow low-latency for VoIP packets. The default size

+# is 256 bytes. Modify it if the clients typically use compression

+# as well of VoIP with codecs that exceed the default value.

+#no-compress-limit = 256

+

+# GnuTLS priority string; note that SSL 3.0 is disabled by default

+# as there are no openconnect (and possibly anyconnect clients) using

+# that protocol. The string below does not enforce perfect forward

+# secrecy, in order to be compatible with legacy clients.

+#

+# Note that the most performant ciphersuites are the moment are the ones

+# involving AES-GCM. These are very fast in x86 and x86-64 hardware, and

+# in addition require no padding, thus taking full advantage of the MTU.

+# For that to be taken advantage of, the openconnect client must be

+# used, and the server must be compiled against GnuTLS 3.2.7 or later.

+# Use "gnutls-cli --benchmark-tls-ciphers", to see the performance

+# difference with AES_128_CBC_SHA1 (the default for anyconnect clients)

+# in your system.

+

+#tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0"

+

+# More combinations in priority strings are available, check

+# http://gnutls.org/manual/html_node/Priority-Strings.html

+# E.g., the string below enforces perfect forward secrecy (PFS) 

+# on the main channel.

+tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128"

+

+# That option requires the established DTLS channel to use the same

+# cipher as the primary TLS channel. This cannot be combined with

+# listen-clear-file since the ciphersuite information is not available

+# in that configuration. Note also, that this option implies that

+# dtls-legacy option is false; this option cannot be enforced

+# in the legacy/compat protocol.

+#match-tls-dtls-ciphers = true

+

+# The time (in seconds) that a client is allowed to stay connected prior

+# to authentication

+auth-timeout = 240

+

+# The time (in seconds) that a client is allowed to stay idle (no traffic)

+# before being disconnected. Unset to disable.

+#idle-timeout = 1200

+

+# The time (in seconds) that a client is allowed to stay connected

+# Unset to disable.

+#session-timeout = 86400

+

+# The time (in seconds) that a mobile client is allowed to stay idle (no

+# traffic) before being disconnected. Unset to disable.

+#mobile-idle-timeout = 2400

+

+# The time (in seconds) that a client is not allowed to reconnect after 

+# a failed authentication attempt.

+min-reauth-time = 300

+

+# Banning clients in ocserv works with a point system. IP addresses

+# that get a score over that configured number are banned for

+# min-reauth-time seconds. By default a wrong password attempt is 10 points,

+# a KKDCP POST is 1 point, and a connection is 1 point. Note that

+# due to difference processes being involved the count of points

+# will not be real-time precise.

+#

+# Score banning cannot be reliably used when receiving proxied connections

+# locally from an HTTP server (i.e., when listen-clear-file is used).

+#

+# Set to zero to disable.

+max-ban-score = 50

+

+# The time (in seconds) that all score kept for a client is reset.

+ban-reset-time = 300

+

+# In case you'd like to change the default points.

+#ban-points-wrong-password = 10

+#ban-points-connection = 1

+#ban-points-kkdcp = 1

+

+# Cookie timeout (in seconds)

+# Once a client is authenticated he's provided a cookie with

+# which he can reconnect. That cookie will be invalided if not

+# used within this timeout value. On a user disconnection, that

+# cookie will also be active for this time amount prior to be

+# invalid. That should allow a reasonable amount of time for roaming

+# between different networks.

+cookie-timeout = 300

+

+# If this is enabled (not recommended) the cookies will stay

+# valid even after a user manually disconnects, and until they

+# expire. This may improve roaming with some broken clients.

+#persistent-cookies = true

+

+# Whether roaming is allowed, i.e., if true a cookie is

+# restricted to a single IP address and cannot be re-used

+# from a different IP.

+deny-roaming = false

+

+# ReKey time (in seconds)

+# ocserv will ask the client to refresh keys periodically once

+# this amount of seconds is elapsed. Set to zero to disable (note

+# that, some clients fail if rekey is disabled).

+rekey-time = 172800

+

+# ReKey method

+# Valid options: ssl, new-tunnel

+#  ssl: Will perform an efficient rehandshake on the channel allowing

+#       a seamless connection during rekey.

+#  new-tunnel: Will instruct the client to discard and re-establish the channel.

+#       Use this option only if the connecting clients have issues with the ssl

+#       option.

+rekey-method = ssl

+

+# Script to call when a client connects and obtains an IP.

+# The following parameters are passed on the environment.

+# REASON, USERNAME, GROUPNAME, HOSTNAME (the hostname selected by client), 

+# DEVICE, IP_REAL (the real IP of the client), IP_REAL_LOCAL (the local

+# interface IP the client connected), IP_LOCAL (the local IP

+# in the P-t-P connection), IP_REMOTE (the VPN IP of the client),

+# IPV6_LOCAL (the IPv6 local address if there are both IPv4 and IPv6

+# assigned), IPV6_REMOTE (the IPv6 remote address), IPV6_PREFIX, and

+# ID (a unique numeric ID); REASON may be "connect" or "disconnect".

+# In addition the following variables OCSERV_ROUTES (the applied routes for this

+# client), OCSERV_NO_ROUTES, OCSERV_DNS (the DNS servers for this client),

+# will contain a space separated list of routes or DNS servers. A version

+# of these variables with the 4 or 6 suffix will contain only the IPv4 or

+# IPv6 values.

+

+# The disconnect script will receive the additional values: STATS_BYTES_IN,

+# STATS_BYTES_OUT, STATS_DURATION that contain a 64-bit counter of the bytes 

+# output from the tun device, and the duration of the session in seconds.

+

+#connect-script = /usr/bin/ocserv-script

+#disconnect-script = /usr/bin/ocserv-script

+

+# UTMP

+# Register the connected clients to utmp. This will allow viewing

+# the connected clients using the command 'who'.

+#use-utmp = true

+

+# Whether to enable support for the occtl tool (i.e., either through D-BUS,

+# or via a unix socket).

+use-occtl = true

+

+# PID file. It can be overriden in the command line.

+pid-file = /run/ocserv.pid

+

+# Set the protocol-defined priority (SO_PRIORITY) for packets to

+# be sent. That is a number from 0 to 6 with 0 being the lowest

+# priority. Alternatively this can be used to set the IP Type-

+# Of-Service, by setting it to a hexadecimal number (e.g., 0x20).

+# This can be set per user/group or globally.

+#net-priority = 3

+

+# Set the VPN worker process into a specific cgroup. This is Linux

+# specific and can be set per user/group or globally.

+#cgroup = "cpuset,cpu:test"

+

+#

+# Network settings

+#

+

+# The name to use for the tun device

+device = vpns

+

+# Whether the generated IPs will be predictable, i.e., IP stays the

+# same for the same user when possible.

+predictable-ips = true

+

+# The default domain to be advertised

+default-domain = example.com

+

+# The pool of addresses that leases will be given from. If the leases

+# are given via Radius, or via the explicit-ip? per-user config option then 

+# these network values should contain a network with at least a single

+# address that will remain under the full control of ocserv (that is

+# to be able to assign the local part of the tun device address).

+#ipv4-network = 192.168.1.0

+#ipv4-netmask = 255.255.255.0

+

+# An alternative way of specifying the network:

+#ipv4-network = 192.168.1.0/24

+

+# The IPv6 subnet that leases will be given from.

+#ipv6-network = fda9:4efe:7e3b:03ea::/64

+

+# Specify the size of the network to provide to clients. It is

+# generally recommended to provide clients with a /64 network in

+# IPv6, but any subnet may be specified. To provide clients only

+# with a single IP use the prefix 128.

+#ipv6-subnet-prefix = 128

+#ipv6-subnet-prefix = 64

+

+# Whether to tunnel all DNS queries via the VPN. This is the default

+# when a default route is set.

+#tunnel-all-dns = true

+

+# The advertized DNS server. Use multiple lines for

+# multiple servers.

+# dns = fc00::4be0

+#dns = 192.168.1.2

+

+# The NBNS server (if any)

+#nbns = 192.168.1.3

+

+# The domains over which the provided DNS should be used. Use

+# multiple lines for multiple domains.

+#split-dns = example.com

+

+# Prior to leasing any IP from the pool ping it to verify that

+# it is not in use by another (unrelated to this server) host.

+# Only set to true, if there can be occupied addresses in the

+# IP range for leases.

+ping-leases = false

+

+# Use this option to enforce an MTU value to the incoming

+# connections. Unset to use the default MTU of the TUN device.

+#mtu = 1420

+

+# Unset to enable bandwidth restrictions (in bytes/sec). The

+# setting here is global, but can also be set per user or per group.

+#rx-data-per-sec = 40000

+#tx-data-per-sec = 40000

+

+# The number of packets (of MTU size) that are available in

+# the output buffer. The default is low to improve latency.

+# Setting it higher will improve throughput.

+#output-buffer = 10

+

+# Routes to be forwarded to the client. If you need the

+# client to forward routes to the server, you may use the 

+# config-per-user/group or even connect and disconnect scripts.

+#

+# To set the server as the default gateway for the client just

+# comment out all routes from the server, or use the special keyword

+# 'default'.

+

+#route = 10.10.10.0/255.255.255.0

+#route = 192.168.0.0/255.255.0.0

+#route = fef4:db8:1000:1001::/64

+

+# Subsets of the routes above that will not be routed by

+# the server.

+

+#no-route = 192.168.5.0/255.255.255.0

+

+# If set, the script /usr/bin/ocserv-fw will be called to restrict

+# the user to its allowed routes and prevent him from accessing

+# any other routes. In case of defaultroute, the no-routes are restricted.

+# All the routes applied by ocserv can be reverted using /usr/bin/ocserv-fw

+# --removeall. This option can be set globally or in the per-user configuration.

+#restrict-user-to-routes = true

+

+# When set to true, all client's iroutes are made visible to all

+# connecting clients except for the ones offering them. This option

+# only makes sense if config-per-user is set.

+#expose-iroutes = true

+

+# Groups that a client is allowed to select from.

+# A client may belong in multiple groups, and in certain use-cases

+# it is needed to switch between them. For these cases the client can

+# select prior to authentication. Add multiple entries for multiple groups.

+# The group may be followed by a user-friendly name in brackets.

+#select-group = group1

+#select-group = group2[My special group]

+

+# The name of the (virtual) group that if selected it would assign the user

+# to its default group.

+#default-select-group = DEFAULT

+

+# Instead of specifying manually all the allowed groups, you may instruct

+# ocserv to scan all available groups and include the full list.

+#auto-select-group = true

+

+# Configuration files that will be applied per user connection or

+# per group. Each file name on these directories must match the username

+# or the groupname.

+# The options allowed in the configuration files are dns, nbns,

+#  ipv?-network, ipv4-netmask, rx/tx-per-sec, iroute, route, no-route,

+#  explicit-ipv4, explicit-ipv6, net-priority, deny-roaming, no-udp, 

+#  user-profile, cgroup, stats-report-time, and session-timeout.

+#

+# Note that the 'iroute' option allows to add routes on the server

+# based on a user or group. The syntax depends on the input accepted

+# by the commands route-add-cmd and route-del-cmd (see below). The no-udp

+# is a boolean option (e.g., no-udp = true), and will prevent a UDP session

+# for that specific user or group.

+

+#config-per-user = /etc/ocserv/config-per-user/

+#config-per-group = /etc/ocserv/config-per-group/

+

+# When config-per-xxx is specified and there is no group or user that

+# matches, then utilize the following configuration.

+#default-user-config = /etc/ocserv/defaults/user.conf

+#default-group-config = /etc/ocserv/defaults/group.conf

+

+# The system command to use to setup a route. %{R} will be replaced with the

+# route/mask and %{D} with the (tun) device.

+#

+# The following example is from linux systems. %R should be something

+# like 192.168.2.0/24 (the argument of iroute).

+

+#route-add-cmd = "ip route add %{R} dev %{D}"

+#route-del-cmd = "ip route delete %{R} dev %{D}"

+

+# This option allows to forward a proxy. The special keywords '%{U}'

+# and '%{G}', if present will be replaced by the username and group name.

+#proxy-url = http://example.com/

+#proxy-url = http://example.com/%{U}/

+

+# This option allows you to specify a URL location where a client can

+# post using MS-KKDCP, and the message will be forwarded to the provided

+# KDC server. That is a translation URL between HTTP and Kerberos.

+# In MIT kerberos you'll need to add in realms:

+#   EXAMPLE.COM = {

+#     kdc = https://ocserv.example.com/kerberos

+#     http_anchors = FILE:/etc/ocserv-ca.pem

+#   }

+# This option is available if ocserv is compiled with GSSAPI support. 

+

+#kkdcp = SERVER-PATH KERBEROS-REALM PROTOCOL@SERVER:PORT

+#kkdcp = /kerberos EXAMPLE.COM udp@127.0.0.1:88

+#kkdcp = /kerberos-tcp EXAMPLE.COM tcp@127.0.0.1:88

+

+#

+# The following options are for (experimental) AnyConnect client 

+# compatibility. 

+

+# This option will enable the pre-draft-DTLS version of DTLS, and

+# will not require clients to present their certificate on every TLS

+# connection. It must be set to true to support legacy CISCO clients

+# and openconnect clients < 7.08. When set to true, it implies dtls-legacy = true.

+cisco-client-compat = true

+

+# This option allows to disable the DTLS-PSK negotiation (enabled by default).

+# The DTLS-PSK negotiation was introduced in ocserv 0.11.5 to deprecate

+# the pre-draft-DTLS negotiation inherited from AnyConnect. It allows the

+# DTLS channel to negotiate its ciphers and the DTLS protocol version.

+#dtls-psk = false

+

+# This option allows to disable the legacy DTLS negotiation (enabled by default,

+# but that may change in the future).

+# The legacy DTLS uses a pre-draft version of the DTLS protocol and was

+# from AnyConnect protocol. It has several limitations, that are addressed

+# by the dtls-psk protocol supported by openconnect 7.08+.

+dtls-legacy = true

+

+# Client profile xml. A sample file exists in doc/profile.xml.

+# It is required by some of the CISCO clients.

+# This file must be accessible from inside the worker's chroot. 

+user-profile = profile.xml

+

+#Advanced options

+

+# Option to allow sending arbitrary custom headers to the client after

+# authentication and prior to VPN tunnel establishment. You shouldn't

+# need to use this option normally; if you do and you think that

+# this may help others, please send your settings and reason to

+# the openconnect mailing list. The special keywords '%{U}'

+# and '%{G}', if present will be replaced by the username and group name.

+#custom-header = "X-My-Header: hi there"

+

diff --git a/ocserv.init b/ocserv.init

new file mode 100644

index 00000000..23b435e7

--- /dev/null

+++ b/ocserv.init

@@ -0,0 +1,103 @@

+#!/bin/sh

+#

+# ocserv        OpenConnect SSL VPN server

+#

+#

+# chkconfig: - 24 76

+# description: OpenConnect SSL VPN server

+# processname: ocserv

+# config: /etc/ocserv/ocserv.conf

+# pidfile: /var/run/ocserv.pid

+

+### BEGIN INIT INFO

+# Provides: ocserv

+# Required-Start: $network

+# Required-Stop: $network

+# Short-Description: start and stop ocserv

+# Description: ocserv is a VPN server

+### END INIT INFO

+

+WITHOUT_RC_COMPAT=1

+

+# Source function library.

+. /etc/init.d/functions

+

+# Source networking configuration.

+SourceIfNotEmpty /etc/sysconfig/network

+

+PIDFILE=/var/run/ocserv.pid

+LOCKFILE=/var/lock/subsys/ocserv

+GENKEY=/usr/sbin/ocserv-genkey

+RETVAL=0

+

+

+start()

+{

+	is_yes "$NETWORKING" || return 0

+	modprobe -q tun >/dev/null 2>&1

+	if [ -x "$GENKEY" ]; then

+	    action "Generate SSL certificate" "$GENKEY"

+	fi

+	start_daemon --pidfile "$PIDFILE" --lockfile "$LOCKFILE" --expect-user root -- ocserv --pid-file "$PIDFILE" --config /etc/ocserv/ocserv.conf

+	RETVAL=$?

+	return $RETVAL

+}

+

+stop() {

+	stop_daemon --pidfile "$PIDFILE" --lockfile "$LOCKFILE" --expect-user root -- ocserv

+	RETVAL=$?

+	return $RETVAL

+}

+

+restart()

+{

+	stop

+	start

+}

+

+reload()

+{

+	msg_reloading multipathd

+	stop_daemon --pidfile "$PIDFILE" --expect-user root -HUP -- ocserv

+	RETVAL=$?

+	return $RETVAL

+}

+

+# See how we were called.

+case "$1" in

+	start)

+		start

+		;;

+	stop)

+		stop

+		;;

+	reload)

+		reload

+		;;

+	restart)

+		restart

+		;;

+	condstop)

+		if [ -e "$LOCKFILE" ]; then

+			stop

+		fi

+		;;

+	condrestart)

+		if [ -e "$LOCKFILE" ]; then

+			restart

+		fi

+		;;

+	condreload)

+		if [ -e "$LOCKFILE" ]; then

+			reload

+		fi

+		;;

+	status)

+		occtl show status

+		;;

+	*)

+		msg_usage "${0##*/} {start|stop|reload|restart|condstop|condrestart|condreload|status}"

+		RETVAL=1

+esac

+

+exit $RETVAL

diff --git a/ocserv.spec b/ocserv.spec

new file mode 100644

index 00000000..2b2168c2

--- /dev/null

+++ b/ocserv.spec

@@ -0,0 +1,183 @@

+%global _unpackaged_files_terminate_build 1

+%define _localstatedir /var

+%def_with maxmind

+%def_enable man

+%def_disable check

+

+Name: ocserv

+Version: 1.2.1

+Release: alt1

+

+Summary: OpenConnect SSL VPN server

+License: GPLv2+

+Group: System/Servers

+

+Url: http://www.infradead.org/ocserv/

+Source: %name-%version.tar

+Patch: %name-%version-%release.patch

+

+BuildRequires: libnettle-devel >= 2.7

+BuildRequires: libgnutls-devel >= 3.3.0

+BuildRequires: libprotobuf-c-devel protobuf-c-compiler

+BuildRequires: libev-devel

+BuildRequires: libtalloc-devel

+BuildRequires: libnl-devel >= 3.1

+%if_with maxmind

+BuildRequires: libmaxminddb-devel >= 1.0.0

+%else

+BuildRequires: libGeoIP-devel >= 1.6.0

+%endif

+BuildRequires: libreadline-devel

+BuildRequires: liboath-devel

+BuildRequires: libpam-devel

+BuildRequires: uid_wrapper socket_wrapper nss_wrapper pam_wrapper

+BuildRequires: libradcli-devel >= 1.2.5

+BuildRequires: libseccomp-devel

+BuildRequires: libsystemd-devel

+BuildRequires: libhttp-parser-devel

+BuildRequires: liblz4-devel

+BuildRequires: libkrb5-devel libtasn1-devel >= 3.4

+BuildRequires: libpcl-devel

+BuildRequires: iproute2 gnutls-utils

+BuildRequires: gperf

+BuildRequires: haproxy

+BuildRequires: openconnect

+BuildRequires: curl

+BuildRequires: gssntlmssp

+BuildRequires: /proc

+%if_enabled man

+BuildRequires: /usr/bin/ronn

+%endif

+

+Requires: gnutls-utils

+Requires: iproute2

+

+%description

+OpenConnect server (ocserv) is an SSL VPN server. Its purpose is to be a

+secure, small, fast and configurable VPN server. It implements the OpenConnect

+SSL VPN protocol, and has also (currently experimental) compatibility with

+clients using the AnyConnect SSL VPN protocol. The OpenConnect VPN protocol

+uses the standard IETF security protocols such as TLS 1.2, and Datagram TLS

+to provide the secure VPN service.

+

+%prep

+%setup

+%patch -p1

+

+rm -f src/http-parser/http_parser.c src/http-parser/http_parser.h

+rm -rf src/protobuf/protobuf-c/

+touch src/*.proto

+rm -rf src/ccan/talloc

+rm -f src/pcl/*.c src/pcl/*.h

+sed -i 's|/etc/ocserv.conf|/etc/ocserv/ocserv.conf|g' src/config.c

+sed -i 's/run-as-group = nogroup/run-as-group = nobody/g' tests/data/*.config

+

+%build

+%autoreconf

+

+%configure \

+    --enable-systemd \

+    --without-libwrap \

+    --without-root-tests \

+    --runstatedir=/run \

+    %{subst_with maxmind}

+

+%make_build

+

+%install

+%makeinstall_std

+

+mkdir -p %buildroot%_sysconfdir/pam.d

+mkdir -p %buildroot%_sysconfdir/ocserv

+install -p -m 644 ocserv-pamd.conf %buildroot%_sysconfdir/pam.d/ocserv

+install -p -m 644 ocserv.conf %buildroot%_sysconfdir/ocserv

+mkdir -p %buildroot%_localstatedir/lib/ocserv

+install -p -m 644 doc/profile.xml %buildroot%_localstatedir/lib/ocserv

+mkdir -p %buildroot%_unitdir

+install -p -m 644 doc/systemd/standalone/%name.service %buildroot%_unitdir

+install -p -m 755 doc/scripts/ocserv-script %buildroot%_bindir

+mkdir -p %buildroot%_initrddir

+install -D -m 0755 ocserv.init %buildroot%_initrddir/%name

+

+%check

+export PATH=/sbin:/usr/sbin:$PATH

+%make check VERBOSE=1

+

+%pre

+%_sbindir/groupadd -r -f %name 2>/dev/null ||:

+%_sbindir/useradd -r -g %name -G %name  -c 'Ocserv VPN Daemon' \

+        -s /sbin/nologin  -d %_localstatedir/lib/%name %name 2>/dev/null ||:

+

+%post

+%post_service %name

+    

+%preun

+%preun_service %name

+

+%files

+%doc NEWS COPYING README.md

+%dir %_localstatedir/lib/ocserv

+%dir %_sysconfdir/ocserv

+%config(noreplace) %_sysconfdir/ocserv/ocserv.conf

+%config(noreplace) %_sysconfdir/pam.d/ocserv

+%if_enabled man

+%_man8dir/*

+%endif

+%_bindir/ocpasswd

+%_bindir/occtl

+%_bindir/%name-fw

+%_bindir/%name-script

+%_sbindir/%name

+%_sbindir/%name-worker

+%_localstatedir/lib/ocserv/profile.xml

+%_unitdir/%name.service

+%_initdir/%name

+

+%changelog

+* Thu Sep 07 2023 Alexey Shabalin <shaba@altlinux.org> 1.2.1-alt1

+- 1new version 1.2.1

+

+* Tue Dec 27 2022 Alexey Shabalin <shaba@altlinux.org> 1.1.6-alt2

+- Backported upstream patches

+- Disable check (new hasher or make?)

+

+* Wed Mar 02 2022 Alexey Shabalin <shaba@altlinux.org> 1.1.6-alt1

+- new version 1.1.6

+

+* Wed Dec 22 2021 Alexey Shabalin <shaba@altlinux.org> 1.1.5-alt1

+- new version 1.1.5

+

+* Thu Sep 16 2021 Michael Shigorin <mike@altlinux.org> 1.1.3-alt1.1

+- introduce man knob (on by default)

+

+* Mon Jul 19 2021 Alexey Shabalin <shaba@altlinux.org> 1.1.3-alt1

+- new version 1.1.3

+

+* Fri May 28 2021 Alexey Shabalin <shaba@altlinux.org> 1.1.2-alt3

+- fixed check on 32-bit arches (glebfm@)

+

+* Sun May 16 2021 Alexey Shabalin <shaba@altlinux.org> 1.1.2-alt2

+- disable check for 32-bit arches

+

+* Fri Jan 29 2021 Alexey Shabalin <shaba@altlinux.org> 1.1.2-alt1

+- new version 1.1.2

+

+* Tue Nov 24 2020 Alexey Shabalin <shaba@altlinux.org> 1.1.1-alt1

+- new version 1.1.1

+

+* Tue Jul 21 2020 Alexey Shabalin <shaba@altlinux.org> 1.1.0-alt1

+- new version 1.1.0

+

+* Fri May 08 2020 Alexey Shabalin <shaba@altlinux.org> 1.0.1-alt1

+- new version 1.0.1

+

+* Thu Apr 02 2020 Alexey Shabalin <shaba@altlinux.org> 1.0.0-alt1

+- new version 1.0.0

+

+* Thu Dec 19 2019 Alexey Shabalin <shaba@altlinux.org> 0.12.5-alt1

+- 0.12.5

+- build with libmaxminddb

+

+* Tue Sep 24 2019 Alexey Shabalin <shaba@altlinux.org> 0.12.4-alt1

+- initial build for ALT

+

diff --git a/src/worker-privs.c b/src/worker-privs.c

index c48bce26..33b4a035 100644

--- a/src/worker-privs.c

+++ b/src/worker-privs.c

@@ -104,7 +104,11 @@ int disable_system_calls(struct worker_st *ws)

 	/* Socket wrapper tests use additional syscalls; only enable

 	 * them when socket wrapper is active */

 	if (getenv("SOCKET_WRAPPER_DIR") != NULL) {

+#ifdef __NR_lstat64

+		ADD_SYSCALL(lstat64, 0);

+#endif

 		ADD_SYSCALL(readlink, 0);

+		ADD_SYSCALL(readlinkat, 0);

 	}

 	/* we use quite some system calls here, and in the end

diff --git a/tests/data/haproxy-auth.cfg b/tests/data/haproxy-auth.cfg

index c7570b9e..7bcbfa2b 100644

--- a/tests/data/haproxy-auth.cfg

+++ b/tests/data/haproxy-auth.cfg

@@ -1,6 +1,6 @@

 global

-	user haproxy

-	group haproxy

+	user _haproxy

+	group _haproxy

 	#daemon

 	# Default SSL material locations