Remove ocserv (moved)

git-svn-id: svn://svn.openwrt.org/openwrt/packages@41076 3c298f89-4303-0410-b956-a3cf2f4a3e73
2014-06-10 05:26:09 +00:00 · 2014-06-10 05:26:09 +00:00 · 0cc3cbd1f2
commit 0cc3cbd1f2
parent ac8b8b7be4
4 changed files with 0 additions and 443 deletions
--- a/net/ocserv/Config.in
+++ b/net/ocserv/Config.in
@ -1,14 +0,0 @@
 # ocserv avanced configuration
 menu "Configuration"
 	depends on PACKAGE_ocserv
 config OCSERV_PAM
 	bool "enable PAM"
 	default n
 config OCSERV_DBUS
 	bool "enable DBUS (needed for occtl)"
 	default n
 endmenu
--- a/net/ocserv/Makefile
+++ b/net/ocserv/Makefile
@ -1,75 +0,0 @@
 #
 # Copyright (C) 2007-2011 OpenWrt.org
 #
 # This is free software, licensed under the GNU General Public License v2.
 # See /LICENSE for more information.
 #
 include $(TOPDIR)/rules.mk
 PKG_NAME:=ocserv
 PKG_VERSION:=0.3.5
 PKG_RELEASE:=1
 PKG_BUILD_DIR :=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION)
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
 PKG_SOURCE_URL :=ftp://ftp.infradead.org/pub/ocserv/
 PKG_MD5SUM:=7ba8ebe4eba08b6e1c9dabbc78da16e5
 PKG_LICENSE:=GPLv2
 PKG_LICENSE_FILES:=COPYING
 PKG_FIXUP:=autoreconf
 include $(INCLUDE_DIR)/package.mk
 define Package/ocserv/config
 	source "$(SOURCE)/Config.in"
 endef
 define Package/ocserv
  SECTION:=net
  CATEGORY:=Network
  SUBMENU:=VPN
  TITLE:=OpenConnect VPN server
  URL:=http://www.infradead.org/ocserv/
  DEPENDS:= +libgnutls +OCSERV_PAM:libpam +OCSERV_DBUS:libdbus +OCSERV_DBUS:libreadline +libprotobuf-c
 endef
 define Package/ocserv/description
 OpenConnect server (ocserv) is an SSL VPN server. Its purpose is to be 
 a secure, small, fast and configurable VPN server. It implements the
 OpenConnect SSL VPN protocol, and has also (currently experimental)
 compatibility with clients using the AnyConnect SSL VPN protocol. The
 OpenConnect VPN protocol uses the standard IETF security protocols such
 as TLS 1.2, and Datagram TLS to provide the secure VPN service. 
 endef
 CONFIGURE_ARGS+= \
 	--enable-local-libopts \
 	--with-libcrypt-prefix="$(STAGING_DIR)/include" \
 ifneq ($(CONFIG_OCSERV_DBUS),y)
 CONFIGURE_ARGS += --without-dbus
 endif
 ifneq ($(CONFIG_OCSERV_PAM),y)
 CONFIGURE_ARGS += --without-pam
 endif
 define Package/ocserv/install
 	$(INSTALL_DIR) $(1)/usr/sbin
 	$(INSTALL_BIN) $(PKG_BUILD_DIR)/src/ocserv $(1)/usr/sbin/
 	$(INSTALL_DIR) $(1)/usr/bin
 	$(INSTALL_BIN) $(PKG_BUILD_DIR)/src/ocpasswd $(1)/usr/bin/
 	$(INSTALL_DIR) $(1)/etc/init.d
 	$(INSTALL_BIN) ./files/ocserv.init $(1)/etc/init.d/ocserv
 	$(INSTALL_DIR) $(1)/etc/ocserv
 	$(INSTALL_CONF) ./files/ocserv.conf $(1)/etc/ocserv/ocserv.conf
 ifeq ($(CONFIG_OCSERV_DBUS),y)
 	$(INSTALL_BIN) $(PKG_BUILD_DIR)/src/occtl $(1)/usr/bin/
 	$(INSTALL_DIR) $(1)/etc/dbus-1/system.d
 	$(INSTALL_CONF) $(PKG_BUILD_DIR)/doc/dbus/org.infradead.ocserv.conf $(1)/etc/dbus-1/system.d/
 endif
 endef
 $(eval $(call BuildPackage,ocserv))
--- a/net/ocserv/files/ocserv.conf
+++ b/net/ocserv/files/ocserv.conf
@ -1,293 +0,0 @@
 # User authentication method. Could be set multiple times and in that case
 # all should succeed.
 # Options: certificate, pam. 
 #auth = "certificate"
 #auth = "pam"
 # The plain option requires specifying a password file which contains
 # entries of the following format.
 # "username:groupname:encoded-password"
 # One entry must be listed per line, and 'ocpasswd' can be used
 # to generate password entries.
 auth = "plain[/etc/ocserv/ocpasswd]"
 # A banner to be displayed on clients
 banner = "Welcome to OpenWRT"
 # Use listen-host to limit to specific IPs or to the IPs of a provided 
 # hostname.
 #listen-host = [IP|HOSTNAME]
 # Limit the number of clients. Unset or set to zero for unlimited.
 #max-clients = 1024
 max-clients = 8
 # Limit the number of client connections to one every X milliseconds 
 # (X is the provided value). Set to zero for no limit.
 #rate-limit-ms = 100
 # Limit the number of identical clients (i.e., users connecting 
 # multiple times). Unset or set to zero for unlimited.
 max-same-clients = 2
 # TCP and UDP port number
 tcp-port = 4443
 udp-port = 4443
 # Keepalive in seconds
 keepalive = 32400
 # Dead peer detection in seconds.
 dpd = 120
 # Dead peer detection for mobile clients. The needs to
 # be much higher to prevent such clients being awaken too 
 # often by the DPD messages, and save battery.
 # (clients that send the X-AnyConnect-Identifier-DeviceType)
 #mobile-dpd = 1800
 # MTU discovery (DPD must be enabled)
 try-mtu-discovery = false
 # The key and the certificates of the server
 # The key may be a file, or any URL supported by GnuTLS (e.g., 
 # tpmkey:uuid=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx;storage=user
 # or pkcs11:object=my-vpn-key;object-type=private)
 #
 # There may be multiple certificate and key pairs and each key
 # should correspond to the preceding certificate.
 server-cert = /etc/ocserv/server-cert.pem
 server-key = /etc/ocserv/server-key.pem
 # Diffie-Hellman parameters. Only needed if you require support
 # for the DHE ciphersuites (by default this server supports ECDHE).
 # Can be generated using:
 # certtool --generate-dh-params --outfile /path/to/dh.pem
 #dh-params = /path/to/dh.pem
 # If you have a certificate from a CA that provides an OCSP
 # service you may provide a fresh OCSP status response within
 # the TLS handshake. That will prevent the client from connecting
 # independently on the OCSP server.
 # You can update this response periodically using:
 # ocsptool --ask --load-cert=your_cert --load-issuer=your_ca --outfile response
 # Make sure that you replace the following file in an atomic way.
 #ocsp-response = /path/to/ocsp.der
 # In case PKCS #11 or TPM keys are used the PINs should be available
 # in files. The srk-pin-file is applicable to TPM keys only, and is the 
 # storage root key.
 #pin-file = /path/to/pin.txt
 #srk-pin-file = /path/to/srkpin.txt
 # The Certificate Authority that will be used to verify
 # client certificates (public keys) if certificate authentication
 # is set.
 #ca-cert = /etc/ocserv/ca.pem
 # The object identifier that will be used to read the user ID in the client 
 # certificate. The object identifier should be part of the certificate's DN
 # Useful OIDs are: 
 #  CN = 2.5.4.3, UID = 0.9.2342.19200300.100.1.1
 #cert-user-oid = 0.9.2342.19200300.100.1.1
 # The object identifier that will be used to read the user group in the 
 # client  certificate. The object identifier should be part of the certificate's
 # DN. Useful OIDs are: 
 #  OU (organizational unit) = 2.5.4.11 
 #cert-group-oid = 2.5.4.11
 # The revocation list of the certificates issued by the 'ca-cert' above.
 #crl = /etc/ocserv/crl.pem
 # GnuTLS priority string
 tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT"
 # To enforce perfect forward secrecy (PFS) on the main channel.
 #tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA"
 # The time (in seconds) that a client is allowed to stay connected prior
 # to authentication
 auth-timeout = 40
 # The time (in seconds) that a client is allowed to stay idle (no traffic)
 # before being disconnected. Unset to disable.
 #idle-timeout = 1200
 # The time (in seconds) that a mobile client is allowed to stay idle (no
 # traffic) before being disconnected. Unset to disable.
 #mobile-idle-timeout = 2400
 # The time (in seconds) that a client is not allowed to reconnect after 
 # a failed authentication attempt.
 #min-reauth-time = 2
 # Cookie validity time (in seconds)
 # Once a client is authenticated he's provided a cookie with
 # which he can reconnect. This option sets the maximum lifetime
 # of that cookie.
 cookie-validity = 86400
 # ReKey time (in seconds)
 # ocserv will ask the client to refresh keys periodically once
 # this amount of seconds is elapsed. Set to zero to disable.
 rekey-time = 172800
 # ReKey method
 # Valid options: ssl, new-tunnel
 #  ssl: Will perform an efficient rehandshake on the channel allowing
 #       a seamless connection during rekey.
 #  new-tunnel: Will instruct the client to discard and re-establish the channel.
 #       Use this option only if the connecting clients have issues with the ssl
 #       option.
 rekey-method = ssl
 # Script to call when a client connects and obtains an IP
 # Parameters are passed on the environment.
 # REASON, USERNAME, GROUPNAME, HOSTNAME (the hostname selected by client), 
 # DEVICE, IP_REAL (the real IP of the client), IP_LOCAL (the local IP
 # in the P-t-P connection), IP_REMOTE (the VPN IP of the client),
 # ID (a unique numeric ID); REASON may be "connect" or "disconnect".
 #connect-script = /scripts/ocserv-script
 #disconnect-script = /scripts/ocserv-script
 # UTMP
 use-utmp = false
 # D-BUS usage. If disabled occtl tool cannot be used. If enabled
 # then ocserv must have access to register org.infradead.ocserv
 # D-BUS service. See doc/dbus/org.infradead.ocserv.conf
 use-dbus = true
 # PID file. It can be overriden in the command line.
 pid-file = /var/run/ocserv.pid
 # The default server directory. Does not require any devices present.
 chroot-dir = /var/lib/ocserv
 # socket file used for IPC, will be appended with .PID
 # It must be accessible within the chroot environment (if any)
 #socket-file = /var/run/ocserv-socket
 socket-file = ocserv-socket
 # The user the worker processes will be run as. It should be
 # unique (no other services run as this user).
 run-as-user = ocserv
 run-as-group = ocserv
 # Set the protocol-defined priority (SO_PRIORITY) for packets to
 # be sent. That is a number from 0 to 6 with 0 being the lowest
 # priority. Alternatively this can be used to set the IP Type-
 # Of-Service, by setting it to a hexadecimal number (e.g., 0x20).
 # This can be set per user/group or globally.
 #net-priority = 3
 # Set the VPN worker process into a specific cgroup. This is Linux
 # specific and can be set per user/group or globally.
 #cgroup = "cpuset,cpu:test"
 #
 # Network settings
 #
 # The name of the tun device
 device = vpns
 # The default domain to be advertised
 default-domain = example.com
 # The pool of addresses that leases will be given from.
 ipv4-network = 192.168.1.0
 ipv4-netmask = 255.255.255.0
 # The advertized DNS server. Use multiple lines for
 # multiple servers.
 # dns = fc00::4be0
 dns = 192.168.1.2
 # The NBNS server (if any)
 #nbns = 192.168.1.3
 # The IPv6 subnet that leases will be given from.
 #ipv6-network = fc00::
 #ipv6-prefix = 16
 # The domains over which the provided DNS should be used. Use
 # multiple lines for multiple domains.
 #split-dns = example.com
 # Prior to leasing any IP from the pool ping it to verify that
 # it is not in use by another (unrelated to this server) host.
 ping-leases = false
 # Unset to assign the default MTU of the device
 # mtu = 
 # Unset to enable bandwidth restrictions (in bytes/sec). The
 # setting here is global, but can also be set per user or per group.
 #rx-data-per-sec = 40000
 #tx-data-per-sec = 40000
 # The number of packets (of MTU size) that are available in
 # the output buffer. The default is low to improve latency.
 # Setting it higher will improve throughput.
 #output-buffer = 10
 # Routes to be forwarded to the client. If you need the
 # client to forward routes to the server, you may use the 
 # config-per-user/group or even connect and disconnect scripts.
 #
 # To set the server as the default gateway for the client just
 # comment out all routes from the server.
 route = 192.168.1.0/255.255.255.0
 route = 192.168.5.0/255.255.255.0
 #route = fef4:db8:1000:1001::/64
 # Configuration files that will be applied per user connection or
 # per group. Each file name on these directories must match the username
 # or the groupname.
 # The options allowed in the configuration files are dns, nbns,
 #  ipv?-network, ipv4-netmask, ipv6-prefix, rx/tx-per-sec, iroute, route,
 #  net-priority and cgroup.
 #
 # Note that the 'iroute' option allows to add routes on the server
 # based on a user or group. The syntax depends on the input accepted
 # by the commands route-add-cmd and route-del-cmd (see below).
 #config-per-user = /etc/ocserv/config-per-user/
 #config-per-group = /etc/ocserv/config-per-group/
 # The system command to use to setup a route. %R will be replaced with the
 # route/mask and %D with the (tun) device.
 #
 # The following example is from linux systems. %R should be something
 # like 192.168.2.0/24
 #route-add-cmd = "ip route add %R dev %D"
 #route-del-cmd = "ip route delete %R dev %D"
 #
 # The following options are for (experimental) AnyConnect client 
 # compatibility. 
 # Client profile xml. A sample file exists in doc/profile.xml.
 # This file must be accessible from inside the worker's chroot. 
 # It is not used by the openconnect client.
 #user-profile = profile.xml
 # Binary files that may be downloaded by the CISCO client. Must
 # be within any chroot environment.
 #binary-files = /path/to/binaries
 # Unless set to false it is required for clients to present their
 # certificate even if they are authenticating via a previously granted
 # cookie and complete their authentication in the same TCP connection.
 # Legacy CISCO clients do not do that, and thus this option should be 
 # set for them.
 cisco-client-compat = true
 #Advanced options
 # Option to allow sending arbitrary custom headers to the client after
 # authentication and prior to VPN tunnel establishment.
 #custom-header = "X-My-Header: hi there"
--- a/net/ocserv/files/ocserv.init
+++ b/net/ocserv/files/ocserv.init
@ -1,61 +0,0 @@
 #!/bin/sh /etc/rc.common
 SERVICE_USE_PID=1
 START=50
 start() {
 	user_exists ocserv 72 || user_add ocserv 72 72 /var/lib/ocserv
 	group_exists ocserv 72 || group_add ocserv 72
 	[ ! -f /etc/ocserv/ca-key.pem ] && [ -x /usr/bin/certtool ] && {
 		echo "Generating CA certificate..."
 		mkdir -p /etc/ocserv/pki/
 		certtool --bits 2048 --generate-privkey --outfile /etc/ocserv/ca-key.pem >/dev/null 2>&1
 		echo "cn=`uci get system.@system[0].hostname` CA" >/etc/ocserv/pki/ca.tmpl
 		echo "expiration_days=-1" >>/etc/ocserv/pki/ca.tmpl
 		echo "serial=1" >>/etc/ocserv/pki/ca.tmpl
 		echo "ca" >>/etc/ocserv/pki/ca.tmpl
 		echo "cert_signing_key" >>/etc/ocserv/pki/ca.tmpl
 		certtool --template /etc/ocserv/pki/ca.tmpl \
 			--generate-self-signed --load-privkey /etc/ocserv/ca-key.pem \
 			--outfile /etc/ocserv/ca.pem >/dev/null 2>&1
 	}
 	#generate server certificate/key
 	[ ! -f /etc/ocserv/server-key.pem ] && [ -x /usr/bin/certtool ] && {
 		echo "Generating server certificate..."
 		mkdir -p /etc/ocserv/pki/
 		certtool --bits 2048 --generate-privkey --outfile /etc/ocserv/server-key.pem >/dev/null 2>&1
 		echo "cn=`uci get system.@system[0].hostname`" >/etc/ocserv/pki/server.tmpl
 		echo "serial=2" >>/etc/ocserv/pki/server.tmpl
 		echo "expiration_days=-1" >>/etc/ocserv/pki/server.tmpl
 		echo "signing_key" >>/etc/ocserv/pki/server.tmpl
 		echo "encryption_key" >>/etc/ocserv/pki/server.tmpl
 		certtool --template /etc/ocserv/pki/server.tmpl \
 			--generate-certificate --load-privkey /etc/ocserv/server-key.pem \
 			--load-ca-certificate /etc/ocserv/ca.pem --load-ca-privkey \
 			/etc/ocserv/ca-key.pem --outfile /etc/ocserv/server-cert.pem >/dev/null 2>&1
 	}
 	[ -f /etc/ocserv/ocpasswd ] || {
 		touch /etc/ocserv/ocpasswd
 	}
 	[ -f /var/run/ocserv.pid ] || {
 		touch /var/run/ocserv.pid
 		chown ocserv:ocserv /var/run/ocserv.pid
 	}
 	[ -d /var/lib/ocserv ] || {
 		mkdir -m 0755 -p /var/lib/ocserv
 		chmod 0700 /var/lib/ocserv
 		chown ocserv:ocserv /var/lib/ocserv
 	}
 	service_start /usr/sbin/ocserv -c /etc/ocserv/ocserv.conf
 }
 stop() {
 	service_stop /usr/sbin/ocserv
 }