2026-02-10 08:46:58 +08:00 · 2020-12-03 09:50:18 +00:00
parent 6c9615618d 5cf457b425
commit 2f0b1bba0d
5 changed files with 6 additions and 106 deletions
							
							
								
							
							
						
@@ -7,6 +7,8 @@
  sent (#357)
- Increased the maximum configuration line; this allows banner
  messages longer than 200 characters (#364)
- Removed the listen-clear-file config option. This option was incompatible
  with several clients, and thus is unusable for a generic server (#376)
* Version 1.1.1 (released 2020-09-21)
							
								
							
							
							
						
 
							
							
								
							
							
						
@@ -93,20 +93,6 @@ auth = "plain[passwd=./sample.passwd]"
tcp-port = 443
udp-port = 443
# Accept connections using a socket file. It accepts HTTP
# connections (i.e., without SSL/TLS unlike its TCP counterpart),
# and uses it as the primary channel. That option is experimental
# and it has many known issues.
#  * It can only be combined with certificate authentication, when receiving
#    channel information through proxy protocol (see listen-proxy-proto)
#  * It cannot derive any keys needed for the DTLS session (hence no support for dtls-psk)
#  * It cannot enforce the framing of the SSL/TLS packets, and that
#    breaks assumptions held by several openconnect clients.
# This option is not recommended for use, and may be removed
# in the future.
#
#listen-clear-file = /var/run/ocserv-conn.socket
# The user the worker processes will be run as. This should be a dedicated
# unprivileged user (e.g., 'ocserv') and no other services should run as this
# user.
							
								
							
							
							
						
 
							
							
								
							
							
						
@@ -760,8 +760,8 @@ static int cfg_ini_handler(void *_ctx, const char *section, const char *name, co
		} else if (strcmp(name, "udp-listen-host") == 0) {
			PREAD_STRING(pool, vhost->perm_config.udp_listen_host);
		} else if (strcmp(name, "listen-clear-file") == 0) {
			if (!PWARN_ON_VHOST_STRDUP(vhost->name, "listen-clear-file", unix_conn_file))
				PREAD_STRING(pool, vhost->perm_config.unix_conn_file);
			fprintf(stderr, ERRSTR"the 'listen-clear-file' option was removed in ocserv 1.1.2\n");
			return 0;
		} else if (strcmp(name, "listen-netns") == 0) {
			vhost->perm_config.listen_netns_name = talloc_strdup(pool, value);
		} else if (strcmp(name, "tcp-port") == 0) {
							
								
							
							
								
							
							
						
@@ -1347,12 +1347,10 @@ static void check_cfg(vhost_cfg_st *vhost, vhost_cfg_st *defvhost, unsigned sile
		}
	}
	if (vhost->perm_config.port == 0 && vhost->perm_config.unix_conn_file == NULL) {
	if (vhost->perm_config.port == 0) {
		if (defvhost) {
			if (vhost->perm_config.port)
				vhost->perm_config.port = defvhost->perm_config.port;
			else if (vhost->perm_config.unix_conn_file)
				vhost->perm_config.unix_conn_file = talloc_strdup(vhost, defvhost->perm_config.unix_conn_file);
		} else {
			fprintf(stderr, ERRSTR"%sthe tcp-port option is mandatory!\n", PREFIX_VHOST(vhost));
			exit(1);
							
								
							
							
								
							
							
						
@@ -1416,13 +1414,6 @@ static void check_cfg(vhost_cfg_st *vhost, vhost_cfg_st *defvhost, unsigned sile
		}
	}
	if (vhost->perm_config.unix_conn_file != NULL && (config->cert_req != 0)) {
		if (config->listen_proxy_proto == 0) {
			fprintf(stderr, ERRSTR"%sthe option 'listen-clear-file' cannot be combined with 'auth=certificate'\n", PREFIX_VHOST(vhost));
			exit(1);
		}
	}
#ifdef ANYCONNECT_CLIENT_COMPAT
	if (vhost->perm_config.cert && vhost->perm_config.cert_hash == NULL) {
		vhost->perm_config.cert_hash = calc_sha1_hash(vhost->pool, vhost->perm_config.cert[0], 1);
							
								
							
							
								
							
							
						
@@ -1489,13 +1480,6 @@ static void check_cfg(vhost_cfg_st *vhost, vhost_cfg_st *defvhost, unsigned sile
		config->dtls_legacy = 1;
	}
	if (vhost->perm_config.unix_conn_file) {
		if (config->dtls_psk && !silent) {
			fprintf(stderr, NOTESTR"%s'dtls-psk' cannot be combined with unix socket file\n", PREFIX_VHOST(vhost));
		}
		config->dtls_psk = 0;
	}
	if (config->match_dtls_and_tls) {
		if (config->dtls_legacy) {
			fprintf(stderr, ERRSTR"%s'match-tls-dtls-ciphers' cannot be applied when 'dtls-legacy' or 'cisco-client-compat' is on\n", PREFIX_VHOST(vhost));
							
								
							
							
							
						
 
							
							
								
							
							
						
@@ -255,68 +255,6 @@ int _listen_ports(void *pool, struct perm_cfg_st* config, struct addrinfo *res,
	return 0;
}
static 
int _listen_unix_ports(void *pool, struct perm_cfg_st* config, 
		       struct listen_list_st *list)
{
	int s, e, ret;
	struct sockaddr_un sa;
	/* open the UNIX domain socket to accept connections */
	if (config->unix_conn_file) {
		memset(&sa, 0, sizeof(sa));
		sa.sun_family = AF_UNIX;
		strlcpy(sa.sun_path, config->unix_conn_file, sizeof(sa.sun_path));
		if (remove(sa.sun_path) != 0) {
			e = errno;
			fprintf(stderr, "could not remove unix domain socket['%s']: %s", sa.sun_path,
			       strerror(e));
			return -1;
		}
		if (config->foreground != 0)
			fprintf(stderr, "listening (UNIX) on %s...\n",
				sa.sun_path);
		s = socket(AF_UNIX, SOCK_STREAM, 0);
		if (s == -1) {
			e = errno;
			fprintf(stderr, "could not create socket '%s': %s", sa.sun_path,
			       strerror(e));
			return -1;
		}
		umask(006);
		ret = bind(s, (struct sockaddr *)&sa, SUN_LEN(&sa));
		if (ret == -1) {
			e = errno;
			fprintf(stderr, "could not bind socket '%s': %s", sa.sun_path,
			       strerror(e));
			close(s);
			return -1;
		}
		ret = chown(sa.sun_path, config->uid, config->gid);
		if (ret == -1) {
			e = errno;
			fprintf(stderr, "could not chown socket '%s': %s", sa.sun_path,
			       strerror(e));
		}
		ret = listen(s, 1024);
		if (ret == -1) {
			e = errno;
			fprintf(stderr, "could not listen to socket '%s': %s",
			       sa.sun_path, strerror(e));
			exit(1);
		}
		add_listener(pool, list, s, AF_UNIX, SOCK_TYPE_UNIX, 0, (struct sockaddr *)&sa, sizeof(sa));
	}
	fflush(stderr);
	return 0;
}
/* Returns 0 on success or negative value on error.
 */
static int
							
								
							
							
								
							
							
						
@@ -404,7 +342,7 @@ listen_ports(void *pool, struct perm_cfg_st* config,
	}
#endif
	if (config->port == 0 && config->unix_conn_file == NULL) {
	if (config->port == 0) {
		fprintf(stderr, "tcp-port option is mandatory!\n");
		return -1;
	}
							
								
							
							
								
							
							
						
@@ -436,11 +374,6 @@ listen_ports(void *pool, struct perm_cfg_st* config,
	}
	ret = _listen_unix_ports(pool, config, list);
	if (ret < 0) {
		return -1;
	}
	if (list->total == 0) {
		fprintf(stderr, "Could not listen to any TCP or UNIX ports\n");
		exit(1);
							
								
							
							
								
							
							
						
@@ -772,10 +705,6 @@ int sfd = -1;
		 * the IP address and forward the socket.
		 */
		match_ip_only = 1;
		/* don't bother IP matching when the listen-clear-file is in use */
		if (GETPCONFIG(s)->unix_conn_file)
			goto fail;
	} else {
		if (has_broken_random(s, s->msg_buffer, buffer_size)) {
			mslog(s, NULL, LOG_INFO, "%s: detected broken DTLS client hello (no randomness); ignoring",
							
								
							
							
							
						
 
							
							
								
							
							
						
@@ -393,7 +393,6 @@ struct perm_cfg_st {
	char *listen_host;
	char *udp_listen_host;
	char* unix_conn_file;
	char *listen_netns_name;
	unsigned int port;
	unsigned int udp_port;