New port: net/ocserv: server implementing the AnyConnect SSL VPN protocol

OpenConnect server (ocserv) is an SSL VPN server. Its purpose is
to be a secure, small, fast and configurable VPN server. It implements
the OpenConnect SSL VPN protocol, and has also (currently experimental)
compatibility with clients using the AnyConnect SSL VPN protocol.
The OpenConnect protocol provides a dual TCP/UDP VPN channel, and
uses the standard IETF security protocols to secure it. Both IPv4
and IPv6 are supported.

Ocserv's main features are security through provilege separation
and sandboxing, accounting, and resilience due to a combined use
of TCP and UDP.  Authentication occurs in an isolated security
module process, and each user is assigned an unprivileged worker
process, and a networking (tun) device. That not only eases the
control of the resources of each user or group of users, but also
prevents data leak (e.g., heartbleed-style attacks), and privilege
escalation due to any bug on the VPN handling (worker) process. A
management interface allows for viewing and querying logged-in
users.

WWW: http://www.infradead.org/ocserv/

PR:		202253
Submitted by:	Carlos Jacobo Puga Medina <cpm@fbsd.es>
Reviewed by:	pi

GIDs

@@ -238,6 +238,7 @@ dahdi:*:843:asterisk
 subsonic:*:844:
 fossy:*:901:www
 scanlogd:*:902:
+_ocserv:*:903:
 influxd:*:907:
 riemann:*:908:
 proxy65:*:909:

UIDs

@@ -242,6 +242,7 @@ munin:*:842:842::0:0:Munin:/var/munin:/usr/sbin/nologin
 subsonic:*:844:844::0:0:Subsonic standalone-server:/nonexistent:/usr/sbin/nologin
 fossy:*:901:901::0:0:FOSSology user:/usr/local/share/fossology:/usr/local/bin/bash
 scanlogd:*:902:902::0:0:scanlogd user:/nonexistent:/usr/sbin/nologin
+_ocserv:*:903:903::0:0:ocserv user:/nonexistent:/usr/sbin/nologin
 influxd:*:907:907::0:0:InfluxDB Daemon:/var/empty:/usr/sbin/nologin
 riemann:*:908:908::0:0:Riemann User:/var/empty:/usr/sbin/nologin
 proxy65:*:909:909::0:0:Proxy65 Daemon:/nonexistent:/usr/sbin/nologin

net/Makefile

@@ -449,6 +449,7 @@
     SUBDIR += nxproxy
     SUBDIR += nyancat
     SUBDIR += nylon
+    SUBDIR += ocserv
     SUBDIR += ohphone
     SUBDIR += olsrd
     SUBDIR += omcmd

net/ocserv/Makefile

@@ -0,0 +1,78 @@
+# Created by: Carlos J Puga Medina <cpm@fbsd.es>
+# $FreeBSD$
+
+PORTNAME=	ocserv
+PORTVERSION=	0.10.7
+CATEGORIES=	net security
+MASTER_SITES=	ftp://ftp.infradead.org/pub/ocserv/
+
+MAINTAINER=	cpm@fbsd.es
+COMMENT=	Server implementing the AnyConnect SSL VPN protocol
+
+LICENSE=	GPLv2
+
+BUILD_DEPENDS=	autogen:${PORTSDIR}/devel/autogen \
+		gsed:${PORTSDIR}/textproc/gsed \
+		bash:${PORTSDIR}/shells/bash
+LIB_DEPENDS=	liblz4.so:${PORTSDIR}/archivers/liblz4 \
+		libiconv.so:${PORTSDIR}/converters/libiconv \
+		libtalloc.so:${PORTSDIR}/devel/talloc \
+		libprotobuf-c.so:${PORTSDIR}/devel/protobuf-c \
+		libgnutls.so:${PORTSDIR}/security/gnutls
+
+USES=	autoreconf cpe gmake gperf libtool ncurses pathfix pkgconfig readline tar:xz
+CPE_VENDOR=	infradead
+CFLAGS+=	-I${LOCALBASE}/include
+LDFLAGS+=	-L${LOCALBASE}/lib -lintl
+GNU_CONFIGURE=	yes
+USE_LDCONFIG=	yes
+
+CONFIGURE_ARGS=	--disable-nls \
+		--enable-local-libopts \
+		--without-http-parser \
+		--without-pcl-lib \
+		--without-radius
+
+USERS=		_ocserv
+GROUPS=		_ocserv
+
+USE_RC_SUBR=	ocserv
+
+OPTIONS_DEFINE=		DOCS EXAMPLES GSSAPI
+
+PORTDOCS=	AUTHORS ChangeLog INSTALL NEWS README TODO
+PORTEXAMPLES=	profile.xml sample.config sample.passwd
+
+.include <bsd.port.options.mk>
+
+.if ${PORT_OPTIONS:MGSSAPI}
+USES+=	gssapi:mit
+LIB_DEPENDS+=	libkrb5support.so:${PORTSDIR}/security/krb5
+.else
+CONFIGURE_ARGS+=	--without-gssapi
+.endif
+
+post-patch:
+	${RM} ${WRKSRC}/doc/occtl.8
+	${RM} ${WRKSRC}/doc/ocpasswd.8
+	${RM} ${WRKSRC}/doc/ocserv.8
+
+post-install:
+	${STRIP_CMD} ${STAGEDIR}${PREFIX}/bin/occtl
+	${STRIP_CMD} ${STAGEDIR}${PREFIX}/bin/ocpasswd
+	${STRIP_CMD} ${STAGEDIR}${PREFIX}/sbin/ocserv
+	${MKDIR} ${STAGEDIR}${PREFIX}/etc/ocserv/
+	${MKDIR} ${STAGEDIR}/var/run/ocserv/
+	${CP} ${FILESDIR}/ocserv.conf ${STAGEDIR}${PREFIX}/etc/ocserv/conf.sample
+
+.if ${PORT_OPTIONS:MDOCS}
+	${MKDIR} ${STAGEDIR}${DOCSDIR}
+	cd ${WRKSRC} && ${INSTALL_DATA} ${PORTDOCS} ${STAGEDIR}${DOCSDIR}
+.endif
+
+.if ${PORT_OPTIONS:MEXAMPLES}
+	${MKDIR} ${STAGEDIR}${EXAMPLESDIR}
+	cd ${WRKSRC}/doc && ${INSTALL_DATA} ${PORTEXAMPLES} ${STAGEDIR}${EXAMPLESDIR}
+.endif
+
+.include <bsd.port.mk>

net/ocserv/distinfo

@@ -0,0 +1,2 @@
+SHA256 (ocserv-0.10.7.tar.xz) = 222212baae53e7f74273245e1459d4132cda41ad255a21f1e42ab4cd240f431d
+SIZE (ocserv-0.10.7.tar.xz) = 712232

net/ocserv/files/ocserv.conf

@@ -0,0 +1,290 @@
+# User authentication method. Could be set multiple times and in that case
+# all should succeed.
+# Options: certificate, pam. 
+#auth = "certificate"
+#auth = "pam"
+
+# The plain option requires specifying a password file which contains
+# entries of the following format.
+# "username:groupname:encoded-password"
+# One entry must be listed per line, and 'ocpasswd' can be used
+# to generate password entries.
+auth = "plain[passwd=/usr/local/etc/ocserv/passwd]"
+
+# A banner to be displayed on clients
+banner = "Welcome to OpenConnect VPN"
+
+# Use listen-host to limit to specific IPs or to the IPs of a provided 
+# hostname.
+#listen-host = [IP|HOSTNAME]
+
+# Limit the number of clients. Unset or set to zero for unlimited.
+#max-clients = 1024
+max-clients = 8
+
+# Limit the number of client connections to one every X milliseconds 
+# (X is the provided value). Set to zero for no limit.
+#rate-limit-ms = 100
+
+# Limit the number of identical clients (i.e., users connecting 
+# multiple times). Unset or set to zero for unlimited.
+max-same-clients = 2
+
+# TCP and UDP port number
+tcp-port = 4443
+udp-port = 4443
+
+# Keepalive in seconds
+keepalive = 32400
+
+# Dead peer detection in seconds.
+dpd = 120
+
+# Dead peer detection for mobile clients. The needs to
+# be much higher to prevent such clients being awaken too 
+# often by the DPD messages, and save battery.
+# (clients that send the X-AnyConnect-Identifier-DeviceType)
+#mobile-dpd = 1800
+
+# MTU discovery (DPD must be enabled)
+try-mtu-discovery = false
+
+# The key and the certificates of the server
+# The key may be a file, or any URL supported by GnuTLS (e.g., 
+# tpmkey:uuid=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx;storage=user
+# or pkcs11:object=my-vpn-key;object-type=private)
+#
+# There may be multiple certificate and key pairs and each key
+# should correspond to the preceding certificate.
+server-cert = /usr/local/etc/ocserv/pub.pem
+server-key = /usr/local/etc/ocserv/key.pem
+
+# Diffie-Hellman parameters. Only needed if you require support
+# for the DHE ciphersuites (by default this server supports ECDHE).
+# Can be generated using:
+# certtool --generate-dh-params --outfile /path/to/dh.pem
+#dh-params = /path/to/dh.pem
+
+# If you have a certificate from a CA that provides an OCSP
+# service you may provide a fresh OCSP status response within
+# the TLS handshake. That will prevent the client from connecting
+# independently on the OCSP server.
+# You can update this response periodically using:
+# ocsptool --ask --load-cert=your_cert --load-issuer=your_ca --outfile response
+# Make sure that you replace the following file in an atomic way.
+#ocsp-response = /path/to/ocsp.der
+
+# In case PKCS #11 or TPM keys are used the PINs should be available
+# in files. The srk-pin-file is applicable to TPM keys only, and is the 
+# storage root key.
+#pin-file = /path/to/pin.txt
+#srk-pin-file = /path/to/srkpin.txt
+
+# The Certificate Authority that will be used to verify
+# client certificates (public keys) if certificate authentication
+# is set.
+#ca-cert = /usr/local/etc/ocserv/ca.pem
+
+# The object identifier that will be used to read the user ID in the client 
+# certificate. The object identifier should be part of the certificate's DN
+# Useful OIDs are: 
+#  CN = 2.5.4.3, UID = 0.9.2342.19200300.100.1.1
+#cert-user-oid = 0.9.2342.19200300.100.1.1
+
+# The object identifier that will be used to read the user group in the 
+# client  certificate. The object identifier should be part of the certificate's
+# DN. Useful OIDs are: 
+#  OU (organizational unit) = 2.5.4.11 
+#cert-group-oid = 2.5.4.11
+
+# The revocation list of the certificates issued by the 'ca-cert' above.
+#crl = /usr/local/etc/ocserv/crl.pem
+
+# GnuTLS priority string
+tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT"
+
+# To enforce perfect forward secrecy (PFS) on the main channel.
+#tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA"
+
+# The time (in seconds) that a client is allowed to stay connected prior
+# to authentication
+auth-timeout = 40
+
+# The time (in seconds) that a client is allowed to stay idle (no traffic)
+# before being disconnected. Unset to disable.
+#idle-timeout = 1200
+
+# The time (in seconds) that a mobile client is allowed to stay idle (no
+# traffic) before being disconnected. Unset to disable.
+#mobile-idle-timeout = 2400
+
+# The time (in seconds) that a client is not allowed to reconnect after 
+# a failed authentication attempt.
+#min-reauth-time = 2
+
+# Cookie validity time (in seconds)
+# Once a client is authenticated he's provided a cookie with
+# which he can reconnect. This option sets the maximum lifetime
+# of that cookie.
+#cookie-validity = 86400
+
+# ReKey time (in seconds)
+# ocserv will ask the client to refresh keys periodically once
+# this amount of seconds is elapsed. Set to zero to disable.
+rekey-time = 172800
+
+# ReKey method
+# Valid options: ssl, new-tunnel
+#  ssl: Will perform an efficient rehandshake on the channel allowing
+#       a seamless connection during rekey.
+#  new-tunnel: Will instruct the client to discard and re-establish the channel.
+#       Use this option only if the connecting clients have issues with the ssl
+#       option.
+rekey-method = ssl
+
+# Script to call when a client connects and obtains an IP
+# Parameters are passed on the environment.
+# REASON, USERNAME, GROUPNAME, HOSTNAME (the hostname selected by client), 
+# DEVICE, IP_REAL (the real IP of the client), IP_LOCAL (the local IP
+# in the P-t-P connection), IP_REMOTE (the VPN IP of the client),
+# ID (a unique numeric ID); REASON may be "connect" or "disconnect".
+#connect-script = /scripts/ocserv-script
+#disconnect-script = /scripts/ocserv-script
+
+# UTMP
+use-utmp = false
+
+# OCCTL
+use-occtl = true
+
+# PID file. It can be overriden in the command line.
+pid-file = /var/run/ocserv/pid
+
+# The default server directory. Does not require any devices present.
+chroot-dir = /var/run/ocserv
+
+# socket file used for IPC, will be appended with .PID
+# It must be accessible within the chroot environment (if any)
+socket-file = socket
+
+# The user the worker processes will be run as. It should be
+# unique (no other services run as this user).
+run-as-user = _ocserv
+run-as-group = _ocserv
+
+# Set the protocol-defined priority (SO_PRIORITY) for packets to
+# be sent. That is a number from 0 to 6 with 0 being the lowest
+# priority. Alternatively this can be used to set the IP Type-
+# Of-Service, by setting it to a hexadecimal number (e.g., 0x20).
+# This can be set per user/group or globally.
+#net-priority = 3
+
+# Set the VPN worker process into a specific cgroup. This is Linux
+# specific and can be set per user/group or globally.
+#cgroup = "cpuset,cpu:test"
+
+#
+# Network settings
+#
+
+# The name of the tun device
+device = vpns
+
+# The default domain to be advertised
+default-domain = example.com
+
+# The pool of addresses that leases will be given from.
+ipv4-network = 192.168.1.0
+ipv4-netmask = 255.255.255.0
+
+# The advertized DNS server. Use multiple lines for
+# multiple servers.
+# dns = fc00::4be0
+dns = 192.168.1.2
+
+# The NBNS server (if any)
+#nbns = 192.168.1.3
+
+# The IPv6 subnet that leases will be given from.
+#ipv6-network = fc00::
+#ipv6-prefix = 16
+
+# The domains over which the provided DNS should be used. Use
+# multiple lines for multiple domains.
+#split-dns = example.com
+
+# Prior to leasing any IP from the pool ping it to verify that
+# it is not in use by another (unrelated to this server) host.
+ping-leases = false
+
+# Unset to assign the default MTU of the device
+# mtu = 
+
+# Unset to enable bandwidth restrictions (in bytes/sec). The
+# setting here is global, but can also be set per user or per group.
+#rx-data-per-sec = 40000
+#tx-data-per-sec = 40000
+
+# The number of packets (of MTU size) that are available in
+# the output buffer. The default is low to improve latency.
+# Setting it higher will improve throughput.
+#output-buffer = 10
+
+# Routes to be forwarded to the client. If you need the
+# client to forward routes to the server, you may use the 
+# config-per-user/group or even connect and disconnect scripts.
+#
+# To set the server as the default gateway for the client just
+# comment out all routes from the server.
+route = 192.168.1.0/255.255.255.0
+route = 192.168.5.0/255.255.255.0
+#route = fef4:db8:1000:1001::/64
+
+# Configuration files that will be applied per user connection or
+# per group. Each file name on these directories must match the username
+# or the groupname.
+# The options allowed in the configuration files are dns, nbns,
+#  ipv?-network, ipv4-netmask, ipv6-prefix, rx/tx-per-sec, iroute, route,
+#  net-priority and cgroup.
+#
+# Note that the 'iroute' option allows to add routes on the server
+# based on a user or group. The syntax depends on the input accepted
+# by the commands route-add-cmd and route-del-cmd (see below).
+
+#config-per-user = /usr/local/etc/ocserv/config-per-user/
+#config-per-group = /usr/local/etc/ocserv/config-per-group/
+
+# The system command to use to setup a route. %R will be replaced with the
+# route/mask and %D with the (tun) device.
+#
+# The following example is from linux systems. %R should be something
+# like 192.168.2.0/24
+
+#route-add-cmd = "ip route add %R dev %D"
+#route-del-cmd = "ip route delete %R dev %D"
+
+#
+# The following options are for (experimental) AnyConnect client 
+# compatibility. 
+
+# Client profile xml. A sample file exists in doc/profile.xml.
+# This file must be accessible from inside the worker's chroot. 
+# It is not used by the openconnect client.
+#user-profile = profile.xml
+
+# Binary files that may be downloaded by the CISCO client. Must
+# be within any chroot environment.
+#binary-files = /path/to/binaries
+
+# Unless set to false it is required for clients to present their
+# certificate even if they are authenticating via a previously granted
+# cookie and complete their authentication in the same TCP connection.
+# Legacy CISCO clients do not do that, and thus this option should be 
+# set for them.
+cisco-client-compat = true
+
+#Advanced options
+
+# Option to allow sending arbitrary custom headers to the client after
+# authentication and prior to VPN tunnel establishment.
+#custom-header = "X-My-Header: hi there"

net/ocserv/files/ocserv.in

@@ -0,0 +1,26 @@
+#!/bin/sh
+#
+# $FreeBSD$
+#
+# PROVIDE: ocserv
+# REQUIRE: DAEMON
+# KEYWORD: shutdown
+#
+# Add the following to /etc/rc.conf to enable ocserv:
+#
+# ocserv_enable="YES"
+#
+
+. /etc/rc.subr
+
+name="ocserv"
+rcvar="ocserv_enable"
+
+load_rc_config ${name}
+
+: ${ocserv_enable:="NO"}
+: ${ocserv_pidfile:=/var/run/${name}/pid}
+
+command=/usr/local/sbin/${name}
+
+run_rc_command "$1"

net/ocserv/files/patch-configure.ac

@@ -0,0 +1,36 @@
+--- configure.ac.orig	2015-08-06 16:43:09 UTC
++++ configure.ac
+@@ -16,11 +16,11 @@ AM_PROG_CC_C_O
+ if [ test "$GCC" = "yes" ];then
+ 	CFLAGS="$CFLAGS -Wall"
+ fi
+-AC_PATH_PROG(CTAGS, ctags, /bin/true)
+-AC_PATH_PROG(CSCOPE, cscope, /bin/true)
+-AC_CHECK_PROG([AUTOGEN], [autogen], [autogen], [/bin/true])
++AC_PATH_PROG(CTAGS, ctags, /usr/bin/true)
++AC_PATH_PROG(CSCOPE, cscope, /usr/bin/true)
++AC_CHECK_PROG([AUTOGEN], [autogen], [autogen], [autogen])
+ 
+-if test x"$AUTOGEN" = "x/bin/true"; then
++if test x"$AUTOGEN" = "x:"; then
+ 	AC_MSG_WARN([[
+ ***
+ *** autogen not found. Will not link against libopts.
+@@ -124,7 +124,7 @@ if test "$test_for_libnl" = yes;then
+ fi
+ 
+ have_readline=no
+-AC_LIB_HAVE_LINKFLAGS(readline,, [
++AC_LIB_HAVE_LINKFLAGS(readline,ncurses, [
+ #include <stdio.h>
+ #include <readline/readline.h>], [rl_replace_line(0,0);])
+   if test x$ac_cv_libreadline = xyes; then
+@@ -441,7 +441,7 @@ if test "$NEED_LIBOPTS_DIR" = "true";the
+ 			cp -f $i $nam
+ 		fi
+ 	done
+-	AC_SUBST([AUTOGEN], [/bin/true])
++	AC_SUBST([AUTOGEN], [autogen])
+ 	enable_local_libopts=yes
+ else
+ 	enable_local_libopts=no

net/ocserv/files/patch-doc_Makefile.am

@@ -0,0 +1,42 @@
+--- doc/Makefile.am.orig	2015-05-26 16:33:38 UTC
++++ doc/Makefile.am
+@@ -5,18 +5,27 @@ EXTRA_DIST = design.dia sample.config sc
+ 
+ dist_man_MANS = ocserv.8 ocpasswd.8 occtl.8
+ 
+-ocserv.8: ../src/ocserv-args.def
+-	-sed 's/@subheading \(.*\)/@*\n@var{\1}\n@*/' $< > "$<".tmp && \
+-	@AUTOGEN@ -L../src -DMAN_SECTION=8 -Tagman-cmd.tpl "$<".tmp && \
+-	rm -f "$<".tmp
++ocserv.8:
++	-gsed 's/@subheading \(.*\)/@*\n@var{\1}\n@*/' \
++		../src/ocserv-args.def > ../src/ocserv-args.def.tmp && \
++	@AUTOGEN@ -L../src -DMAN_SECTION=8 -Tagman-cmd.tpl \
++		../src/ocserv-args.def.tmp && \
++	rm -f ../src/ocserv-args.def.tmp
++	sed -I -e 's/^\.NOP //' $@
+ 
+-occtl.8: ../src/occtl-args.def
+-	-sed 's/@subheading \(.*\)/@*\n@var{\1}\n@*/' $< > "$<".tmp && \
+-	@AUTOGEN@ -L../src -DMAN_SECTION=8 -Tagman-cmd.tpl "$<".tmp && \
+-	rm -f "$<".tmp
++occtl.8:
++	-gsed 's/@subheading \(.*\)/@*\n@var{\1}\n@*/' \
++		../src/occtl-args.def > ../src/occtl-args.def.tmp && \
++	@AUTOGEN@ -L../src -DMAN_SECTION=8 -Tagman-cmd.tpl \
++		../src/occtl-args.def.tmp && \
++	rm -f ../src/occtl-args.def.tmp
++	sed -I -e 's/^\.NOP //' $@
+ 
+-ocpasswd.8: ../src/ocpasswd-args.def
+-	-sed 's/@subheading \(.*\)/@*\n@var{\1}\n@*/' $< > "$<".tmp && \
+-	@AUTOGEN@ -L../src -DMAN_SECTION=8 -Tagman-cmd.tpl "$<".tmp && \
+-	rm -f "$<".tmp
++ocpasswd.8:
++	-gsed 's/@subheading \(.*\)/@*\n@var{\1}\n@*/' \
++		../src/ocpasswd-args.def > ../src/ocpasswd-args.def.tmp && \
++	@AUTOGEN@ -L../src -DMAN_SECTION=8 -Tagman-cmd.tpl \
++		../src/ocpasswd-args.def.tmp && \
++	rm -f ../src/ocpasswd-args.def.tmp
++	sed -I -e 's/^\.NOP //' $@
+ 

net/ocserv/files/patch-src_config.c

@@ -0,0 +1,31 @@
+--- src/config.c.orig	2015-07-18 10:35:29 UTC
++++ src/config.c
+@@ -52,8 +52,7 @@
+ #include <tlslib.h>
+ #include "common-config.h"
+ 
+-#define OLD_DEFAULT_CFG_FILE "/etc/ocserv.conf"
+-#define DEFAULT_CFG_FILE "/etc/ocserv/ocserv.conf"
++#define DEFAULT_CFG_FILE "/usr/local/etc/ocserv/conf"
+ 
+ static char pid_file[_POSIX_PATH_MAX] = "";
+ static const char* cfg_file = DEFAULT_CFG_FILE;
+@@ -414,7 +413,7 @@ static void figure_auth_funcs(struct per
+ 			}
+ 			talloc_free(auth[j]);
+ 		}
+-		fprintf(stderr, "Setting '%s' as primary authentication method\n", config->auth[0].name);
++		/* fprintf(stderr, "Setting '%s' as primary authentication method\n", config->auth[0].name); */
+ 	} else {
+ 		unsigned x = config->auth_methods;
+ 		/* Append authentication methods (alternative options) */
+@@ -583,9 +582,6 @@ size_t urlfw_size = 0;
+ #endif
+ 
+ 	pov = configFileLoad(file);
+-	if (pov == NULL && file != NULL && strcmp(file, DEFAULT_CFG_FILE) == 0)
+-		pov = configFileLoad(OLD_DEFAULT_CFG_FILE);
+-
+ 	if (pov == NULL) {
+ 		fprintf(stderr, "Error loading config file %s\n", file);
+ 		exit(1);

net/ocserv/files/patch-src_main-ctl-unix.c

@@ -0,0 +1,55 @@
+--- src/main-ctl-unix.c.orig	2015-05-26 16:33:38 UTC
++++ src/main-ctl-unix.c
+@@ -110,10 +110,15 @@ int ctl_handler_init(main_server_st * s)
+ 	struct sockaddr_un sa;
+ 	int sd, e;
+ 
+-	if (s->config->use_occtl == 0 || s->perm_config->occtl_socket_file == NULL)
++	mslog(s, NULL, LOG_INFO, "using control unix socket: %s", s->perm_config->occtl_socket_file);
++
++	if (s->config->use_occtl == 0 ||
++		s->perm_config->occtl_socket_file == NULL) {
++		mslog(s, NULL, LOG_INFO, "not using control unix socket");
+ 		return 0;
++	}
+ 
+-	mslog(s, NULL, LOG_DEBUG, "initializing control unix socket: %s", s->perm_config->occtl_socket_file);
++	mslog(s, NULL, LOG_INFO, "initializing control unix socket: %s", s->perm_config->occtl_socket_file);
+ 	memset(&sa, 0, sizeof(sa));
+ 	sa.sun_family = AF_UNIX;
+ 	strlcpy(sa.sun_path, s->perm_config->occtl_socket_file, sizeof(sa.sun_path));
+@@ -122,7 +127,7 @@ int ctl_handler_init(main_server_st * s)
+ 	sd = socket(AF_UNIX, SOCK_STREAM, 0);
+ 	if (sd == -1) {
+ 		e = errno;
+-		mslog(s, NULL, LOG_ERR, "could not create socket '%s': %s",
++		mslog(s, NULL, LOG_INFO, "could not create socket '%s': %s",
+ 		      s->perm_config->occtl_socket_file, strerror(e));
+ 		return -1;
+ 	}
+@@ -131,7 +136,7 @@ int ctl_handler_init(main_server_st * s)
+ 	ret = bind(sd, (struct sockaddr *)&sa, SUN_LEN(&sa));
+ 	if (ret == -1) {
+ 		e = errno;
+-		mslog(s, NULL, LOG_ERR, "could not bind socket '%s': %s",
++		mslog(s, NULL, LOG_INFO, "could not bind socket '%s': %s",
+ 		      s->perm_config->occtl_socket_file, strerror(e));
+ 		return -1;
+ 	}
+@@ -139,14 +144,14 @@ int ctl_handler_init(main_server_st * s)
+ 	ret = chown(s->perm_config->occtl_socket_file, s->perm_config->uid, s->perm_config->gid);
+ 	if (ret == -1) {
+ 		e = errno;
+-		mslog(s, NULL, LOG_ERR, "could not chown socket '%s': %s",
++		mslog(s, NULL, LOG_INFO, "could not chown socket '%s': %s",
+ 		      s->perm_config->occtl_socket_file, strerror(e));
+ 	}
+ 
+ 	ret = listen(sd, 1024);
+ 	if (ret == -1) {
+ 		e = errno;
+-		mslog(s, NULL, LOG_ERR, "could not listen to socket '%s': %s",
++		mslog(s, NULL, LOG_INFO, "could not listen to socket '%s': %s",
+ 		      s->perm_config->occtl_socket_file, strerror(e));
+ 		return -1;
+ 	}

net/ocserv/files/patch-src_main.c

@@ -0,0 +1,14 @@
+--- src/main.c.orig	2015-07-01 18:41:01 UTC
++++ src/main.c
+@@ -131,8 +131,9 @@ int y;
+ 		perror("setsockopt(IP_PKTINFO) failed");
+ #elif defined(IP_RECVDSTADDR) /* *BSD */
+ 	y = 1;
+-	if (setsockopt(fd, IPPROTO_IP, IP_RECVDSTADDR,
+-		       (const void *)&y, sizeof(y)) < 0)
++	if (family == AF_INET &&
++	    setsockopt(fd, IPPROTO_IP, IP_RECVDSTADDR,
++		(const void *)&y, sizeof(y)) < 0)
+ 		perror("setsockopt(IP_RECVDSTADDR) failed");
+ #endif
+ #if defined(IPV6_RECVPKTINFO)

net/ocserv/files/patch-src_ocserv-args.def

@@ -0,0 +1,56 @@
+--- src/ocserv-args.def.orig	2015-07-15 17:17:22 UTC
++++ src/ocserv-args.def
+@@ -68,7 +68,7 @@ doc-section = {
+   ds-format = 'texi';
+   ds-text   = <<-_EOT_
+ @subheading ocserv's configuration file format
+-By default, if no other file is specified, ocserv looks for its configuration file at @file{/etc/ocserv/ocserv.conf}.
++By default, if no other file is specified, ocserv looks for its configuration file at @file{/usr/local/etc/ocserv/conf}.
+ An example configuration file follows.
+ 
+ @example
+@@ -87,7 +87,7 @@ An example configuration file follows.
+ #  This enabled PAM authentication of the user. The gid-min option is used 
+ # by auto-select-group option, in order to select the minimum valid group ID.
+ #
+-# plain[passwd=/etc/ocserv/ocpasswd]
++# plain[passwd=/usr/local/etc/ocserv/ocpasswd]
+ #  The plain option requires specifying a password file which contains
+ # entries of the following format.
+ # "username:groupname1,groupname2:encoded-password"
+@@ -119,7 +119,7 @@ An example configuration file follows.
+ #auth = "certificate"
+ #auth = "pam"
+ #auth = "pam[gid-min=1000]"
+-#auth = "plain[passwd=/etc/ocserv/ocpasswd]"
++#auth = "plain[passwd=/usr/local/etc/ocserv/passwd]"
+ #auth = "radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true]"
+ 
+ # Specify alternative authentication methods that are sufficient
+@@ -431,7 +431,7 @@ rekey-method = ssl
+ use-occtl = true
+ 
+ # PID file. It can be overriden in the command line.
+-pid-file = /var/run/ocserv.pid
++pid-file = /var/run/ocserv/pid
+ 
+ # Set the protocol-defined priority (SO_PRIORITY) for packets to
+ # be sent. That is a number from 0 to 6 with 0 being the lowest
+@@ -555,13 +555,13 @@ no-route = 192.168.5.0/255.255.255.0
+ # Also explicit addresses, are only allowed when they are odd. In that
+ # case the next even address will be used as the remote address (in PtP).
+ 
+-#config-per-user = /etc/ocserv/config-per-user/
+-#config-per-group = /etc/ocserv/config-per-group/
++#config-per-user = /usr/local/etc/ocserv/config-per-user/
++#config-per-group = /usr/local/etc/ocserv/config-per-group/
+ 
+ # When config-per-xxx is specified and there is no group or user that
+ # matches, then utilize the following configuration.
+-#default-user-config = /etc/ocserv/defaults/user.conf
+-#default-group-config = /etc/ocserv/defaults/group.conf
++#default-user-config = /usr/local/etc/ocserv/defaults/user.conf
++#default-group-config = /usr/local/etc/ocserv/defaults/group.conf
+ 
+ # The system command to use to setup a route. %{R} will be replaced with the
+ # route/mask and %{D} with the (tun) device.

net/ocserv/pkg-descr

@@ -0,0 +1,20 @@
+OpenConnect server (ocserv) is an SSL VPN server. Its purpose is
+to be a secure, small, fast and configurable VPN server. It implements
+the OpenConnect SSL VPN protocol, and has also (currently experimental)
+compatibility with clients using the AnyConnect SSL VPN protocol.
+The OpenConnect protocol provides a dual TCP/UDP VPN channel, and
+uses the standard IETF security protocols to secure it. Both IPv4
+and IPv6 are supported.
+
+Ocserv's main features are security through provilege separation
+and sandboxing, accounting, and resilience due to a combined use
+of TCP and UDP.  Authentication occurs in an isolated security
+module process, and each user is assigned an unprivileged worker
+process, and a networking (tun) device. That not only eases the
+control of the resources of each user or group of users, but also
+prevents data leak (e.g., heartbleed-style attacks), and privilege
+escalation due to any bug on the VPN handling (worker) process. A
+management interface allows for viewing and querying logged-in
+users.
+
+WWW: http://www.infradead.org/ocserv/

net/ocserv/pkg-plist

@@ -0,0 +1,8 @@
+bin/occtl
+bin/ocpasswd
+man/man8/occtl.8.gz
+man/man8/ocpasswd.8.gz
+man/man8/ocserv.8.gz
+@sample etc/ocserv/conf.sample
+sbin/ocserv
+@dir /var/run/ocserv