13 files changed, 659 insertions, 0 deletions

diff --git a/net/Makefile b/net/Makefile
index f11cb819cb6c..1144fd9c3ceb 100644
--- a/net/Makefile
+++ b/net/Makefile
@@ -449,6 +449,7 @@
     SUBDIR += nxproxy
     SUBDIR += nyancat
     SUBDIR += nylon
+    SUBDIR += ocserv
     SUBDIR += ohphone
     SUBDIR += olsrd
     SUBDIR += omcmd
diff --git a/net/ocserv/Makefile b/net/ocserv/Makefile
new file mode 100644
index 000000000000..6526e7d7dc4b
--- /dev/null
+++ b/net/ocserv/Makefile
@@ -0,0 +1,78 @@
+# Created by: Carlos J Puga Medina <cpm@fbsd.es>
+# $FreeBSD$
+
+PORTNAME=	ocserv
+PORTVERSION=	0.10.7
+CATEGORIES=	net security
+MASTER_SITES=	ftp://ftp.infradead.org/pub/ocserv/
+
+MAINTAINER=	cpm@fbsd.es
+COMMENT=	Server implementing the AnyConnect SSL VPN protocol
+
+LICENSE=	GPLv2
+
+BUILD_DEPENDS=	autogen:${PORTSDIR}/devel/autogen \
+		gsed:${PORTSDIR}/textproc/gsed \
+		bash:${PORTSDIR}/shells/bash
+LIB_DEPENDS=	liblz4.so:${PORTSDIR}/archivers/liblz4 \
+		libiconv.so:${PORTSDIR}/converters/libiconv \
+		libtalloc.so:${PORTSDIR}/devel/talloc \
+		libprotobuf-c.so:${PORTSDIR}/devel/protobuf-c \
+		libgnutls.so:${PORTSDIR}/security/gnutls
+
+USES=	autoreconf cpe gmake gperf libtool ncurses pathfix pkgconfig readline tar:xz
+CPE_VENDOR=	infradead
+CFLAGS+=	-I${LOCALBASE}/include
+LDFLAGS+=	-L${LOCALBASE}/lib -lintl
+GNU_CONFIGURE=	yes
+USE_LDCONFIG=	yes
+
+CONFIGURE_ARGS=	--disable-nls \
+		--enable-local-libopts \
+		--without-http-parser \
+		--without-pcl-lib \
+		--without-radius
+
+USERS=		_ocserv
+GROUPS=		_ocserv
+
+USE_RC_SUBR=	ocserv
+
+OPTIONS_DEFINE=		DOCS EXAMPLES GSSAPI
+
+PORTDOCS=	AUTHORS ChangeLog INSTALL NEWS README TODO
+PORTEXAMPLES=	profile.xml sample.config sample.passwd
+
+.include <bsd.port.options.mk>
+
+.if ${PORT_OPTIONS:MGSSAPI}
+USES+=	gssapi:mit
+LIB_DEPENDS+=	libkrb5support.so:${PORTSDIR}/security/krb5
+.else
+CONFIGURE_ARGS+=	--without-gssapi
+.endif
+
+post-patch:
+	${RM} ${WRKSRC}/doc/occtl.8
+	${RM} ${WRKSRC}/doc/ocpasswd.8
+	${RM} ${WRKSRC}/doc/ocserv.8
+
+post-install:
+	${STRIP_CMD} ${STAGEDIR}${PREFIX}/bin/occtl
+	${STRIP_CMD} ${STAGEDIR}${PREFIX}/bin/ocpasswd
+	${STRIP_CMD} ${STAGEDIR}${PREFIX}/sbin/ocserv
+	${MKDIR} ${STAGEDIR}${PREFIX}/etc/ocserv/
+	${MKDIR} ${STAGEDIR}/var/run/ocserv/
+	${CP} ${FILESDIR}/ocserv.conf ${STAGEDIR}${PREFIX}/etc/ocserv/conf.sample
+
+.if ${PORT_OPTIONS:MDOCS}
+	${MKDIR} ${STAGEDIR}${DOCSDIR}
+	cd ${WRKSRC} && ${INSTALL_DATA} ${PORTDOCS} ${STAGEDIR}${DOCSDIR}
+.endif
+
+.if ${PORT_OPTIONS:MEXAMPLES}
+	${MKDIR} ${STAGEDIR}${EXAMPLESDIR}
+	cd ${WRKSRC}/doc && ${INSTALL_DATA} ${PORTEXAMPLES} ${STAGEDIR}${EXAMPLESDIR}
+.endif
+
+.include <bsd.port.mk>
diff --git a/net/ocserv/distinfo b/net/ocserv/distinfo
new file mode 100644
index 000000000000..53c631bfd509
--- /dev/null
+++ b/net/ocserv/distinfo
@@ -0,0 +1,2 @@
+SHA256 (ocserv-0.10.7.tar.xz) = 222212baae53e7f74273245e1459d4132cda41ad255a21f1e42ab4cd240f431d
+SIZE (ocserv-0.10.7.tar.xz) = 712232
diff --git a/net/ocserv/files/ocserv.conf b/net/ocserv/files/ocserv.conf
new file mode 100644
index 000000000000..a649d5cb3ce7
--- /dev/null
+++ b/net/ocserv/files/ocserv.conf
@@ -0,0 +1,290 @@
+# User authentication method. Could be set multiple times and in that case
+# all should succeed.
+# Options: certificate, pam. 
+#auth = "certificate"
+#auth = "pam"
+
+# The plain option requires specifying a password file which contains
+# entries of the following format.
+# "username:groupname:encoded-password"
+# One entry must be listed per line, and 'ocpasswd' can be used
+# to generate password entries.
+auth = "plain[passwd=/usr/local/etc/ocserv/passwd]"
+
+# A banner to be displayed on clients
+banner = "Welcome to OpenConnect VPN"
+
+# Use listen-host to limit to specific IPs or to the IPs of a provided 
+# hostname.
+#listen-host = [IP|HOSTNAME]
+
+# Limit the number of clients. Unset or set to zero for unlimited.
+#max-clients = 1024
+max-clients = 8
+
+# Limit the number of client connections to one every X milliseconds 
+# (X is the provided value). Set to zero for no limit.
+#rate-limit-ms = 100
+
+# Limit the number of identical clients (i.e., users connecting 
+# multiple times). Unset or set to zero for unlimited.
+max-same-clients = 2
+
+# TCP and UDP port number
+tcp-port = 4443
+udp-port = 4443
+
+# Keepalive in seconds
+keepalive = 32400
+
+# Dead peer detection in seconds.
+dpd = 120
+
+# Dead peer detection for mobile clients. The needs to
+# be much higher to prevent such clients being awaken too 
+# often by the DPD messages, and save battery.
+# (clients that send the X-AnyConnect-Identifier-DeviceType)
+#mobile-dpd = 1800
+
+# MTU discovery (DPD must be enabled)
+try-mtu-discovery = false
+
+# The key and the certificates of the server
+# The key may be a file, or any URL supported by GnuTLS (e.g., 
+# tpmkey:uuid=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx;storage=user
+# or pkcs11:object=my-vpn-key;object-type=private)
+#
+# There may be multiple certificate and key pairs and each key
+# should correspond to the preceding certificate.
+server-cert = /usr/local/etc/ocserv/pub.pem
+server-key = /usr/local/etc/ocserv/key.pem
+
+# Diffie-Hellman parameters. Only needed if you require support
+# for the DHE ciphersuites (by default this server supports ECDHE).
+# Can be generated using:
+# certtool --generate-dh-params --outfile /path/to/dh.pem
+#dh-params = /path/to/dh.pem
+
+# If you have a certificate from a CA that provides an OCSP
+# service you may provide a fresh OCSP status response within
+# the TLS handshake. That will prevent the client from connecting
+# independently on the OCSP server.
+# You can update this response periodically using:
+# ocsptool --ask --load-cert=your_cert --load-issuer=your_ca --outfile response
+# Make sure that you replace the following file in an atomic way.
+#ocsp-response = /path/to/ocsp.der
+
+# In case PKCS #11 or TPM keys are used the PINs should be available
+# in files. The srk-pin-file is applicable to TPM keys only, and is the 
+# storage root key.
+#pin-file = /path/to/pin.txt
+#srk-pin-file = /path/to/srkpin.txt
+
+# The Certificate Authority that will be used to verify
+# client certificates (public keys) if certificate authentication
+# is set.
+#ca-cert = /usr/local/etc/ocserv/ca.pem
+
+# The object identifier that will be used to read the user ID in the client 
+# certificate. The object identifier should be part of the certificate's DN
+# Useful OIDs are: 
+#  CN = 2.5.4.3, UID = 0.9.2342.19200300.100.1.1
+#cert-user-oid = 0.9.2342.19200300.100.1.1
+
+# The object identifier that will be used to read the user group in the 
+# client  certificate. The object identifier should be part of the certificate's
+# DN. Useful OIDs are: 
+#  OU (organizational unit) = 2.5.4.11 
+#cert-group-oid = 2.5.4.11
+
+# The revocation list of the certificates issued by the 'ca-cert' above.
+#crl = /usr/local/etc/ocserv/crl.pem
+
+# GnuTLS priority string
+tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT"
+
+# To enforce perfect forward secrecy (PFS) on the main channel.
+#tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA"
+
+# The time (in seconds) that a client is allowed to stay connected prior
+# to authentication
+auth-timeout = 40
+
+# The time (in seconds) that a client is allowed to stay idle (no traffic)
+# before being disconnected. Unset to disable.
+#idle-timeout = 1200
+
+# The time (in seconds) that a mobile client is allowed to stay idle (no
+# traffic) before being disconnected. Unset to disable.
+#mobile-idle-timeout = 2400
+
+# The time (in seconds) that a client is not allowed to reconnect after 
+# a failed authentication attempt.
+#min-reauth-time = 2
+
+# Cookie validity time (in seconds)
+# Once a client is authenticated he's provided a cookie with
+# which he can reconnect. This option sets the maximum lifetime
+# of that cookie.
+#cookie-validity = 86400
+
+# ReKey time (in seconds)
+# ocserv will ask the client to refresh keys periodically once
+# this amount of seconds is elapsed. Set to zero to disable.
+rekey-time = 172800
+
+# ReKey method
+# Valid options: ssl, new-tunnel
+#  ssl: Will perform an efficient rehandshake on the channel allowing
+#       a seamless connection during rekey.
+#  new-tunnel: Will instruct the client to discard and re-establish the channel.
+#       Use this option only if the connecting clients have issues with the ssl
+#       option.
+rekey-method = ssl
+
+# Script to call when a client connects and obtains an IP
+# Parameters are passed on the environment.
+# REASON, USERNAME, GROUPNAME, HOSTNAME (the hostname selected by client), 
+# DEVICE, IP_REAL (the real IP of the client), IP_LOCAL (the local IP
+# in the P-t-P connection), IP_REMOTE (the VPN IP of the client),
+# ID (a unique numeric ID); REASON may be "connect" or "disconnect".
+#connect-script = /scripts/ocserv-script
+#disconnect-script = /scripts/ocserv-script
+
+# UTMP
+use-utmp = false
+
+# OCCTL
+use-occtl = true
+
+# PID file. It can be overriden in the command line.
+pid-file = /var/run/ocserv/pid
+
+# The default server directory. Does not require any devices present.
+chroot-dir = /var/run/ocserv
+
+# socket file used for IPC, will be appended with .PID
+# It must be accessible within the chroot environment (if any)
+socket-file = socket
+
+# The user the worker processes will be run as. It should be
+# unique (no other services run as this user).
+run-as-user = _ocserv
+run-as-group = _ocserv
+
+# Set the protocol-defined priority (SO_PRIORITY) for packets to
+# be sent. That is a number from 0 to 6 with 0 being the lowest
+# priority. Alternatively this can be used to set the IP Type-
+# Of-Service, by setting it to a hexadecimal number (e.g., 0x20).
+# This can be set per user/group or globally.
+#net-priority = 3
+
+# Set the VPN worker process into a specific cgroup. This is Linux
+# specific and can be set per user/group or globally.
+#cgroup = "cpuset,cpu:test"
+
+#
+# Network settings
+#
+
+# The name of the tun device
+device = vpns
+
+# The default domain to be advertised
+default-domain = example.com
+
+# The pool of addresses that leases will be given from.
+ipv4-network = 192.168.1.0
+ipv4-netmask = 255.255.255.0
+
+# The advertized DNS server. Use multiple lines for
+# multiple servers.
+# dns = fc00::4be0
+dns = 192.168.1.2
+
+# The NBNS server (if any)
+#nbns = 192.168.1.3
+
+# The IPv6 subnet that leases will be given from.
+#ipv6-network = fc00::
+#ipv6-prefix = 16
+
+# The domains over which the provided DNS should be used. Use
+# multiple lines for multiple domains.
+#split-dns = example.com
+
+# Prior to leasing any IP from the pool ping it to verify that
+# it is not in use by another (unrelated to this server) host.
+ping-leases = false
+
+# Unset to assign the default MTU of the device
+# mtu = 
+
+# Unset to enable bandwidth restrictions (in bytes/sec). The
+# setting here is global, but can also be set per user or per group.
+#rx-data-per-sec = 40000
+#tx-data-per-sec = 40000
+
+# The number of packets (of MTU size) that are available in
+# the output buffer. The default is low to improve latency.
+# Setting it higher will improve throughput.
+#output-buffer = 10
+
+# Routes to be forwarded to the client. If you need the
+# client to forward routes to the server, you may use the 
+# config-per-user/group or even connect and disconnect scripts.
+#
+# To set the server as the default gateway for the client just
+# comment out all routes from the server.
+route = 192.168.1.0/255.255.255.0
+route = 192.168.5.0/255.255.255.0
+#route = fef4:db8:1000:1001::/64
+
+# Configuration files that will be applied per user connection or
+# per group. Each file name on these directories must match the username
+# or the groupname.
+# The options allowed in the configuration files are dns, nbns,
+#  ipv?-network, ipv4-netmask, ipv6-prefix, rx/tx-per-sec, iroute, route,
+#  net-priority and cgroup.
+#
+# Note that the 'iroute' option allows to add routes on the server
+# based on a user or group. The syntax depends on the input accepted
+# by the commands route-add-cmd and route-del-cmd (see below).
+
+#config-per-user = /usr/local/etc/ocserv/config-per-user/
+#config-per-group = /usr/local/etc/ocserv/config-per-group/
+
+# The system command to use to setup a route. %R will be replaced with the
+# route/mask and %D with the (tun) device.
+#
+# The following example is from linux systems. %R should be something
+# like 192.168.2.0/24
+
+#route-add-cmd = "ip route add %R dev %D"
+#route-del-cmd = "ip route delete %R dev %D"
+
+#
+# The following options are for (experimental) AnyConnect client 
+# compatibility. 
+
+# Client profile xml. A sample file exists in doc/profile.xml.
+# This file must be accessible from inside the worker's chroot. 
+# It is not used by the openconnect client.
+#user-profile = profile.xml
+
+# Binary files that may be downloaded by the CISCO client. Must
+# be within any chroot environment.
+#binary-files = /path/to/binaries
+
+# Unless set to false it is required for clients to present their
+# certificate even if they are authenticating via a previously granted
+# cookie and complete their authentication in the same TCP connection.
+# Legacy CISCO clients do not do that, and thus this option should be 
+# set for them.
+cisco-client-compat = true
+
+#Advanced options
+
+# Option to allow sending arbitrary custom headers to the client after
+# authentication and prior to VPN tunnel establishment.
+#custom-header = "X-My-Header: hi there"
diff --git a/net/ocserv/files/ocserv.in b/net/ocserv/files/ocserv.in
new file mode 100644
index 000000000000..7775a1477ac4
--- /dev/null
+++ b/net/ocserv/files/ocserv.in
@@ -0,0 +1,26 @@
+#!/bin/sh
+#
+# $FreeBSD$
+#
+# PROVIDE: ocserv
+# REQUIRE: DAEMON
+# KEYWORD: shutdown
+#
+# Add the following to /etc/rc.conf to enable ocserv:
+#
+# ocserv_enable="YES"
+#
+
+. /etc/rc.subr
+
+name="ocserv"
+rcvar="ocserv_enable"
+
+load_rc_config ${name}
+
+: ${ocserv_enable:="NO"}
+: ${ocserv_pidfile:=/var/run/${name}/pid}
+
+command=/usr/local/sbin/${name}
+
+run_rc_command "$1"
diff --git a/net/ocserv/files/patch-configure.ac b/net/ocserv/files/patch-configure.ac
new file mode 100644
index 000000000000..22a9a5f447bc
--- /dev/null
+++ b/net/ocserv/files/patch-configure.ac
@@ -0,0 +1,36 @@
+--- configure.ac.orig	2015-08-06 16:43:09 UTC
++++ configure.ac
+@@ -16,11 +16,11 @@ AM_PROG_CC_C_O
+ if [ test "$GCC" = "yes" ];then
+ 	CFLAGS="$CFLAGS -Wall"
+ fi
+-AC_PATH_PROG(CTAGS, ctags, /bin/true)
+-AC_PATH_PROG(CSCOPE, cscope, /bin/true)
+-AC_CHECK_PROG([AUTOGEN], [autogen], [autogen], [/bin/true])
++AC_PATH_PROG(CTAGS, ctags, /usr/bin/true)
++AC_PATH_PROG(CSCOPE, cscope, /usr/bin/true)
++AC_CHECK_PROG([AUTOGEN], [autogen], [autogen], [autogen])
+ 
+-if test x"$AUTOGEN" = "x/bin/true"; then
++if test x"$AUTOGEN" = "x:"; then
+ 	AC_MSG_WARN([[
+ ***
+ *** autogen not found. Will not link against libopts.
+@@ -124,7 +124,7 @@ if test "$test_for_libnl" = yes;then
+ fi
+ 
+ have_readline=no
+-AC_LIB_HAVE_LINKFLAGS(readline,, [
++AC_LIB_HAVE_LINKFLAGS(readline,ncurses, [
+ #include <stdio.h>
+ #include <readline/readline.h>], [rl_replace_line(0,0);])
+   if test x$ac_cv_libreadline = xyes; then
+@@ -441,7 +441,7 @@ if test "$NEED_LIBOPTS_DIR" = "true";the
+ 			cp -f $i $nam
+ 		fi
+ 	done
+-	AC_SUBST([AUTOGEN], [/bin/true])
++	AC_SUBST([AUTOGEN], [autogen])
+ 	enable_local_libopts=yes
+ else
+ 	enable_local_libopts=no
diff --git a/net/ocserv/files/patch-doc_Makefile.am b/net/ocserv/files/patch-doc_Makefile.am
new file mode 100644
index 000000000000..9790304c9f20
--- /dev/null
+++ b/net/ocserv/files/patch-doc_Makefile.am
@@ -0,0 +1,42 @@
+--- doc/Makefile.am.orig	2015-05-26 16:33:38 UTC
++++ doc/Makefile.am
+@@ -5,18 +5,27 @@ EXTRA_DIST = design.dia sample.config sc
+ 
+ dist_man_MANS = ocserv.8 ocpasswd.8 occtl.8
+ 
+-ocserv.8: ../src/ocserv-args.def
+-	-sed 's/@subheading \(.*\)/@*\n@var{\1}\n@*/' $< > "$<".tmp && \
+-	@AUTOGEN@ -L../src -DMAN_SECTION=8 -Tagman-cmd.tpl "$<".tmp && \
+-	rm -f "$<".tmp
++ocserv.8:
++	-gsed 's/@subheading \(.*\)/@*\n@var{\1}\n@*/' \
++		../src/ocserv-args.def > ../src/ocserv-args.def.tmp && \
++	@AUTOGEN@ -L../src -DMAN_SECTION=8 -Tagman-cmd.tpl \
++		../src/ocserv-args.def.tmp && \
++	rm -f ../src/ocserv-args.def.tmp
++	sed -I -e 's/^\.NOP //' $@
+ 
+-occtl.8: ../src/occtl-args.def
+-	-sed 's/@subheading \(.*\)/@*\n@var{\1}\n@*/' $< > "$<".tmp && \
+-	@AUTOGEN@ -L../src -DMAN_SECTION=8 -Tagman-cmd.tpl "$<".tmp && \
+-	rm -f "$<".tmp
++occtl.8:
++	-gsed 's/@subheading \(.*\)/@*\n@var{\1}\n@*/' \
++		../src/occtl-args.def > ../src/occtl-args.def.tmp && \
++	@AUTOGEN@ -L../src -DMAN_SECTION=8 -Tagman-cmd.tpl \
++		../src/occtl-args.def.tmp && \
++	rm -f ../src/occtl-args.def.tmp
++	sed -I -e 's/^\.NOP //' $@
+ 
+-ocpasswd.8: ../src/ocpasswd-args.def
+-	-sed 's/@subheading \(.*\)/@*\n@var{\1}\n@*/' $< > "$<".tmp && \
+-	@AUTOGEN@ -L../src -DMAN_SECTION=8 -Tagman-cmd.tpl "$<".tmp && \
+-	rm -f "$<".tmp
++ocpasswd.8:
++	-gsed 's/@subheading \(.*\)/@*\n@var{\1}\n@*/' \
++		../src/ocpasswd-args.def > ../src/ocpasswd-args.def.tmp && \
++	@AUTOGEN@ -L../src -DMAN_SECTION=8 -Tagman-cmd.tpl \
++		../src/ocpasswd-args.def.tmp && \
++	rm -f ../src/ocpasswd-args.def.tmp
++	sed -I -e 's/^\.NOP //' $@
+ 
diff --git a/net/ocserv/files/patch-src_config.c b/net/ocserv/files/patch-src_config.c
new file mode 100644
index 000000000000..ab450e6c33ea
--- /dev/null
+++ b/net/ocserv/files/patch-src_config.c
@@ -0,0 +1,31 @@
+--- src/config.c.orig	2015-07-18 10:35:29 UTC
++++ src/config.c
+@@ -52,8 +52,7 @@
+ #include <tlslib.h>
+ #include "common-config.h"
+ 
+-#define OLD_DEFAULT_CFG_FILE "/etc/ocserv.conf"
+-#define DEFAULT_CFG_FILE "/etc/ocserv/ocserv.conf"
++#define DEFAULT_CFG_FILE "/usr/local/etc/ocserv/conf"
+ 
+ static char pid_file[_POSIX_PATH_MAX] = "";
+ static const char* cfg_file = DEFAULT_CFG_FILE;
+@@ -414,7 +413,7 @@ static void figure_auth_funcs(struct per
+ 			}
+ 			talloc_free(auth[j]);
+ 		}
+-		fprintf(stderr, "Setting '%s' as primary authentication method\n", config->auth[0].name);
++		/* fprintf(stderr, "Setting '%s' as primary authentication method\n", config->auth[0].name); */
+ 	} else {
+ 		unsigned x = config->auth_methods;
+ 		/* Append authentication methods (alternative options) */
+@@ -583,9 +582,6 @@ size_t urlfw_size = 0;
+ #endif
+ 
+ 	pov = configFileLoad(file);
+-	if (pov == NULL && file != NULL && strcmp(file, DEFAULT_CFG_FILE) == 0)
+-		pov = configFileLoad(OLD_DEFAULT_CFG_FILE);
+-
+ 	if (pov == NULL) {
+ 		fprintf(stderr, "Error loading config file %s\n", file);
+ 		exit(1);
diff --git a/net/ocserv/files/patch-src_main-ctl-unix.c b/net/ocserv/files/patch-src_main-ctl-unix.c
new file mode 100644
index 000000000000..f1da865b5c40
--- /dev/null
+++ b/net/ocserv/files/patch-src_main-ctl-unix.c
@@ -0,0 +1,55 @@
+--- src/main-ctl-unix.c.orig	2015-05-26 16:33:38 UTC
++++ src/main-ctl-unix.c
+@@ -110,10 +110,15 @@ int ctl_handler_init(main_server_st * s)
+ 	struct sockaddr_un sa;
+ 	int sd, e;
+ 
+-	if (s->config->use_occtl == 0 || s->perm_config->occtl_socket_file == NULL)
++	mslog(s, NULL, LOG_INFO, "using control unix socket: %s", s->perm_config->occtl_socket_file);
++
++	if (s->config->use_occtl == 0 ||
++		s->perm_config->occtl_socket_file == NULL) {
++		mslog(s, NULL, LOG_INFO, "not using control unix socket");
+ 		return 0;
++	}
+ 
+-	mslog(s, NULL, LOG_DEBUG, "initializing control unix socket: %s", s->perm_config->occtl_socket_file);
++	mslog(s, NULL, LOG_INFO, "initializing control unix socket: %s", s->perm_config->occtl_socket_file);
+ 	memset(&sa, 0, sizeof(sa));
+ 	sa.sun_family = AF_UNIX;
+ 	strlcpy(sa.sun_path, s->perm_config->occtl_socket_file, sizeof(sa.sun_path));
+@@ -122,7 +127,7 @@ int ctl_handler_init(main_server_st * s)
+ 	sd = socket(AF_UNIX, SOCK_STREAM, 0);
+ 	if (sd == -1) {
+ 		e = errno;
+-		mslog(s, NULL, LOG_ERR, "could not create socket '%s': %s",
++		mslog(s, NULL, LOG_INFO, "could not create socket '%s': %s",
+ 		      s->perm_config->occtl_socket_file, strerror(e));
+ 		return -1;
+ 	}
+@@ -131,7 +136,7 @@ int ctl_handler_init(main_server_st * s)
+ 	ret = bind(sd, (struct sockaddr *)&sa, SUN_LEN(&sa));
+ 	if (ret == -1) {
+ 		e = errno;
+-		mslog(s, NULL, LOG_ERR, "could not bind socket '%s': %s",
++		mslog(s, NULL, LOG_INFO, "could not bind socket '%s': %s",
+ 		      s->perm_config->occtl_socket_file, strerror(e));
+ 		return -1;
+ 	}
+@@ -139,14 +144,14 @@ int ctl_handler_init(main_server_st * s)
+ 	ret = chown(s->perm_config->occtl_socket_file, s->perm_config->uid, s->perm_config->gid);
+ 	if (ret == -1) {
+ 		e = errno;
+-		mslog(s, NULL, LOG_ERR, "could not chown socket '%s': %s",
++		mslog(s, NULL, LOG_INFO, "could not chown socket '%s': %s",
+ 		      s->perm_config->occtl_socket_file, strerror(e));
+ 	}
+ 
+ 	ret = listen(sd, 1024);
+ 	if (ret == -1) {
+ 		e = errno;
+-		mslog(s, NULL, LOG_ERR, "could not listen to socket '%s': %s",
++		mslog(s, NULL, LOG_INFO, "could not listen to socket '%s': %s",
+ 		      s->perm_config->occtl_socket_file, strerror(e));
+ 		return -1;
+ 	}
diff --git a/net/ocserv/files/patch-src_main.c b/net/ocserv/files/patch-src_main.c
new file mode 100644
index 000000000000..289d9a0e0ab3
--- /dev/null
+++ b/net/ocserv/files/patch-src_main.c
@@ -0,0 +1,14 @@
+--- src/main.c.orig	2015-07-01 18:41:01 UTC
++++ src/main.c
+@@ -131,8 +131,9 @@ int y;
+ 		perror("setsockopt(IP_PKTINFO) failed");
+ #elif defined(IP_RECVDSTADDR) /* *BSD */
+ 	y = 1;
+-	if (setsockopt(fd, IPPROTO_IP, IP_RECVDSTADDR,
+-		       (const void *)&y, sizeof(y)) < 0)
++	if (family == AF_INET &&
++	    setsockopt(fd, IPPROTO_IP, IP_RECVDSTADDR,
++		(const void *)&y, sizeof(y)) < 0)
+ 		perror("setsockopt(IP_RECVDSTADDR) failed");
+ #endif
+ #if defined(IPV6_RECVPKTINFO)
diff --git a/net/ocserv/files/patch-src_ocserv-args.def b/net/ocserv/files/patch-src_ocserv-args.def
new file mode 100644
index 000000000000..23810fb388f6
--- /dev/null
+++ b/net/ocserv/files/patch-src_ocserv-args.def
@@ -0,0 +1,56 @@
+--- src/ocserv-args.def.orig	2015-07-15 17:17:22 UTC
++++ src/ocserv-args.def
+@@ -68,7 +68,7 @@ doc-section = {
+   ds-format = 'texi';
+   ds-text   = <<-_EOT_
+ @subheading ocserv's configuration file format
+-By default, if no other file is specified, ocserv looks for its configuration file at @file{/etc/ocserv/ocserv.conf}.
++By default, if no other file is specified, ocserv looks for its configuration file at @file{/usr/local/etc/ocserv/conf}.
+ An example configuration file follows.
+ 
+ @example
+@@ -87,7 +87,7 @@ An example configuration file follows.
+ #  This enabled PAM authentication of the user. The gid-min option is used 
+ # by auto-select-group option, in order to select the minimum valid group ID.
+ #
+-# plain[passwd=/etc/ocserv/ocpasswd]
++# plain[passwd=/usr/local/etc/ocserv/ocpasswd]
+ #  The plain option requires specifying a password file which contains
+ # entries of the following format.
+ # "username:groupname1,groupname2:encoded-password"
+@@ -119,7 +119,7 @@ An example configuration file follows.
+ #auth = "certificate"
+ #auth = "pam"
+ #auth = "pam[gid-min=1000]"
+-#auth = "plain[passwd=/etc/ocserv/ocpasswd]"
++#auth = "plain[passwd=/usr/local/etc/ocserv/passwd]"
+ #auth = "radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true]"
+ 
+ # Specify alternative authentication methods that are sufficient
+@@ -431,7 +431,7 @@ rekey-method = ssl
+ use-occtl = true
+ 
+ # PID file. It can be overriden in the command line.
+-pid-file = /var/run/ocserv.pid
++pid-file = /var/run/ocserv/pid
+ 
+ # Set the protocol-defined priority (SO_PRIORITY) for packets to
+ # be sent. That is a number from 0 to 6 with 0 being the lowest
+@@ -555,13 +555,13 @@ no-route = 192.168.5.0/255.255.255.0
+ # Also explicit addresses, are only allowed when they are odd. In that
+ # case the next even address will be used as the remote address (in PtP).
+ 
+-#config-per-user = /etc/ocserv/config-per-user/
+-#config-per-group = /etc/ocserv/config-per-group/
++#config-per-user = /usr/local/etc/ocserv/config-per-user/
++#config-per-group = /usr/local/etc/ocserv/config-per-group/
+ 
+ # When config-per-xxx is specified and there is no group or user that
+ # matches, then utilize the following configuration.
+-#default-user-config = /etc/ocserv/defaults/user.conf
+-#default-group-config = /etc/ocserv/defaults/group.conf
++#default-user-config = /usr/local/etc/ocserv/defaults/user.conf
++#default-group-config = /usr/local/etc/ocserv/defaults/group.conf
+ 
+ # The system command to use to setup a route. %{R} will be replaced with the
+ # route/mask and %{D} with the (tun) device.
diff --git a/net/ocserv/pkg-descr b/net/ocserv/pkg-descr
new file mode 100644
index 000000000000..52919d5d5a15
--- /dev/null
+++ b/net/ocserv/pkg-descr
@@ -0,0 +1,20 @@
+OpenConnect server (ocserv) is an SSL VPN server. Its purpose is
+to be a secure, small, fast and configurable VPN server. It implements
+the OpenConnect SSL VPN protocol, and has also (currently experimental)
+compatibility with clients using the AnyConnect SSL VPN protocol.
+The OpenConnect protocol provides a dual TCP/UDP VPN channel, and
+uses the standard IETF security protocols to secure it. Both IPv4
+and IPv6 are supported.
+
+Ocserv's main features are security through provilege separation
+and sandboxing, accounting, and resilience due to a combined use
+of TCP and UDP.  Authentication occurs in an isolated security
+module process, and each user is assigned an unprivileged worker
+process, and a networking (tun) device. That not only eases the
+control of the resources of each user or group of users, but also
+prevents data leak (e.g., heartbleed-style attacks), and privilege
+escalation due to any bug on the VPN handling (worker) process. A
+management interface allows for viewing and querying logged-in
+users.
+
+WWW: http://www.infradead.org/ocserv/
diff --git a/net/ocserv/pkg-plist b/net/ocserv/pkg-plist
new file mode 100644
index 000000000000..6d66f42193d5
--- /dev/null
+++ b/net/ocserv/pkg-plist
@@ -0,0 +1,8 @@
+bin/occtl
+bin/ocpasswd
+man/man8/occtl.8.gz
+man/man8/ocpasswd.8.gz
+man/man8/ocserv.8.gz
+@sample etc/ocserv/conf.sample
+sbin/ocserv
+@dir /var/run/ocserv