From 5cf457b425b68040a92a2333be1dde87be3d3b69 Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos
Date: Tue, 1 Dec 2020 21:02:17 +0100
Subject: [PATCH] Removed the listen-clear-file config option
This option was almost impossible to use in general and worked with very few clients only (not including openconnect). That also meant that it could not be tested. Removed to reduce maintenance to parameters that are used in practice.
Resolves: #376
Signed-off-by: Nikos Mavrogiannopoulos
---
 NEWS | 2 ++
 doc/sample.config | 14 --------
 src/config.c | 22 ++------------
 src/main.c | 73 +----------------------------------------------
 src/vpn.h | 1 -
 5 files changed, 6 insertions(+), 106 deletions(-)
diff --git a/NEWS b/NEWS
index 646db844..de3bfd2a 100644
--- a/NEWS
+++ b/NEWS
@@ -7,6 +7,8 @@ sent (#357)
 - Increased the maximum configuration line; this allows banner messages longer than 200 characters (#364)
+- Removed the listen-clear-file config option. This option was incompatible
+ with several clients, and thus is unusable for a generic server (#376)
 * Version 1.1.1 (released 2020-09-21)
diff --git a/doc/sample.config b/doc/sample.config
index ad37893a..6a677c9d 100644
--- a/doc/sample.config
+++ b/doc/sample.config
@@ -93,20 +93,6 @@ auth = "plain[passwd=./sample.passwd]"
 tcp-port = 443
 udp-port = 443
-# Accept connections using a socket file. It accepts HTTP
-# connections (i.e., without SSL/TLS unlike its TCP counterpart),
-# and uses it as the primary channel. That option is experimental
-# and it has many known issues.
-# * It can only be combined with certificate authentication, when receiving
-# channel information through proxy protocol (see listen-proxy-proto)
-# * It cannot derive any keys needed for the DTLS session (hence no support for dtls-psk)
-# * It cannot enforce the framing of the SSL/TLS packets, and that
-# breaks assumptions held by several openconnect clients.
-# This option is not recommended for use, and may be removed
-# in the future.
-#
-#listen-clear-file = /var/run/ocserv-conn.socket
-
 # The user the worker processes will be run as. This should be a dedicated
 # unprivileged user (e.g., 'ocserv') and no other services should run as this
 # user.
diff --git a/src/config.c b/src/config.c
index 63d96271..05dd24db 100644
--- a/src/config.c
+++ b/src/config.c
@@ -760,8 +760,8 @@ static int cfg_ini_handler(void *_ctx, const char *section, const char *name, co
 } else if (strcmp(name, "udp-listen-host") == 0) {
 PREAD_STRING(pool, vhost->perm_config.udp_listen_host);
 } else if (strcmp(name, "listen-clear-file") == 0) {
- if (!PWARN_ON_VHOST_STRDUP(vhost->name, "listen-clear-file", unix_conn_file))
- PREAD_STRING(pool, vhost->perm_config.unix_conn_file);
+ fprintf(stderr, ERRSTR"the 'listen-clear-file' option was removed in ocserv 1.1.2\n");
+ return 0;
 } else if (strcmp(name, "listen-netns") == 0) {
 vhost->perm_config.listen_netns_name = talloc_strdup(pool, value);
 } else if (strcmp(name, "tcp-port") == 0) {
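Review bot: The new `return 0` in the `listen-clear-file` branch makes the stale option fatal to configuration loading, if, as the ERRSTR prefix suggests, a zero return from cfg_ini_handler is treated as a parse error; that is the right, fail-closed choice for an option that used to open a cleartext (non-TLS) listener, but the message neither says that startup is aborted nor what the operator should do. I would change the line to `fprintf(stderr, ERRSTR"the 'listen-clear-file' option was removed in ocserv 1.1.2; remove it from the configuration\n");`. A one-line comment above it, `/* rejected outright rather than ignored: the option used to enable a cleartext listener */`, records why this is an error and not a warning. cfg_ini_handler begins and ends outside the hunk.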
@@ -1347,12 +1347,10 @@ static void check_cfg(vhost_cfg_st *vhost, vhost_cfg_st *defvhost, unsigned sile
 }
 }
- if (vhost->perm_config.port == 0 && vhost->perm_config.unix_conn_file == NULL) {
+ if (vhost->perm_config.port == 0) {
 if (defvhost) {
 if (vhost->perm_config.port)
 vhost->perm_config.port = defvhost->perm_config.port;
- else if (vhost->perm_config.unix_conn_file)
- vhost->perm_config.unix_conn_file = talloc_strdup(vhost, defvhost->perm_config.unix_conn_file);
 } else {
 fprintf(stderr, ERRSTR"%sthe tcp-port option is mandatory!\n", PREFIX_VHOST(vhost));
 exit(1);
@@ -1416,13 +1414,6 @@ static void check_cfg(vhost_cfg_st *vhost, vhost_cfg_st *defvhost, unsigned sile
 }
 }
- if (vhost->perm_config.unix_conn_file != NULL && (config->cert_req != 0)) {
- if (config->listen_proxy_proto == 0) {
- fprintf(stderr, ERRSTR"%sthe option 'listen-clear-file' cannot be combined with 'auth=certificate'\n", PREFIX_VHOST(vhost));
- exit(1);
- }
- }
-
 #ifdef ANYCONNECT_CLIENT_COMPAT
 if (vhost->perm_config.cert && vhost->perm_config.cert_hash == NULL) {
 vhost->perm_config.cert_hash = calc_sha1_hash(vhost->pool, vhost->perm_config.cert[0], 1);
@@ -1489,13 +1480,6 @@ static void check_cfg(vhost_cfg_st *vhost, vhost_cfg_st *defvhost, unsigned sile
 config->dtls_legacy = 1;
 }
- if (vhost->perm_config.unix_conn_file) {
- if (config->dtls_psk && !silent) {
- fprintf(stderr, NOTESTR"%s'dtls-psk' cannot be combined with unix socket file\n", PREFIX_VHOST(vhost));
- }
- config->dtls_psk = 0;
- }
-
 if (config->match_dtls_and_tls) {
 if (config->dtls_legacy) {
 fprintf(stderr, ERRSTR"%s'match-tls-dtls-ciphers' cannot be applied when 'dtls-legacy' or 'cisco-client-compat' is on\n", PREFIX_VHOST(vhost));
diff --git a/src/main.c b/src/main.c
index d6c01a5c..67c847d4 100644
--- a/src/main.c
+++ b/src/main.c
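Review bot: Inside the rewritten `if (vhost->perm_config.port == 0)` block the inner test `if (vhost->perm_config.port)` can never be true, so a vhost that omits tcp-port never inherits the default vhost's port and silently stays at 0 with no diagnostic. The simplification exposes a pre-existing slip that presumably meant to look at the default vhost: `if (defvhost->perm_config.port)` followed by `vhost->perm_config.port = defvhost->perm_config.port;`, with the existing "tcp-port option is mandatory" error also raised when the default vhost has no port, unless the per-vhost port is filled in somewhere I cannot see. check_cfg starts before and ends after this hunk.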
@@ -255,68 +255,6 @@ int _listen_ports(void *pool, struct perm_cfg_st* config, struct addrinfo *res,
 return 0;
 }
-static
-int _listen_unix_ports(void *pool, struct perm_cfg_st* config,
- struct listen_list_st *list)
-{
- int s, e, ret;
- struct sockaddr_un sa;
- /* open the UNIX domain socket to accept connections */
- if (config->unix_conn_file) {
- memset(&sa, 0, sizeof(sa));
- sa.sun_family = AF_UNIX;
- strlcpy(sa.sun_path, config->unix_conn_file, sizeof(sa.sun_path));
- if (remove(sa.sun_path) != 0) {
- e = errno;
- fprintf(stderr, "could not remove unix domain socket['%s']: %s", sa.sun_path,
- strerror(e));
- return -1;
- }
- if (config->foreground != 0)
- fprintf(stderr, "listening (UNIX) on %s...\n",
- sa.sun_path);
- s = socket(AF_UNIX, SOCK_STREAM, 0);
- if (s == -1) {
- e = errno;
- fprintf(stderr, "could not create socket '%s': %s", sa.sun_path,
- strerror(e));
- return -1;
- }
- umask(006);
- ret = bind(s, (struct sockaddr *)&sa, SUN_LEN(&sa));
- if (ret == -1) {
- e = errno;
- fprintf(stderr, "could not bind socket '%s': %s", sa.sun_path,
- strerror(e));
- close(s);
- return -1;
- }
- ret = chown(sa.sun_path, config->uid, config->gid);
- if (ret == -1) {
- e = errno;
- fprintf(stderr, "could not chown socket '%s': %s", sa.sun_path,
- strerror(e));
- }
- ret = listen(s, 1024);
- if (ret == -1) {
- e = errno;
- fprintf(stderr, "could not listen to socket '%s': %s",
- sa.sun_path, strerror(e));
- exit(1);
- }
- add_listener(pool, list, s, AF_UNIX, SOCK_TYPE_UNIX, 0, (struct sockaddr *)&sa, sizeof(sa));
- }
- fflush(stderr);
- return 0;
-}
-
 /* Returns 0 on success or negative value on error. */
 static
 int
@@ -404,7 +342,7 @@ listen_ports(void *pool, struct perm_cfg_st* config,
 }
 #endif
- if (config->port == 0 && config->unix_conn_file == NULL) {
+ if (config->port == 0) {
 fprintf(stderr, "tcp-port option is mandatory!\n");
 return -1;
 }
@@ -436,11 +374,6 @@ listen_ports(void *pool, struct perm_cfg_st* config,
 }
- ret = _listen_unix_ports(pool, config, list);
- if (ret < 0) {
- return -1;
- }
-
 if (list->total == 0) {
 fprintf(stderr, "Could not listen to any TCP or UNIX ports\n");
 exit(1);
@@ -772,10 +705,6 @@ int sfd = -1;
 * the IP address and forward the socket. */
 match_ip_only = 1;
-
- /* don't bother IP matching when the listen-clear-file is in use */
- if (GETPCONFIG(s)->unix_conn_file)
- goto fail;
 } else {
 if (has_broken_random(s, s->msg_buffer, buffer_size)) {
 mslog(s, NULL, LOG_INFO, "%s: detected broken DTLS client hello (no randomness); ignoring",
diff --git a/src/vpn.h b/src/vpn.h
index 7b7e082d..31e1dbd9 100644
--- a/src/vpn.h
+++ b/src/vpn.h
@@ -393,7 +393,6 @@ struct perm_cfg_st {
 char *listen_host;
 char *udp_listen_host;
- char* unix_conn_file;
 char *listen_netns_name;
 unsigned int port;
 unsigned int udp_port;
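Review bot: The surviving error text `"Could not listen to any TCP or UNIX ports\n"` is now misleading, because this hunk removes the only UNIX-domain listener the server had, so an operator reading it would look for a socket file that can no longer be configured. I would change the line to `fprintf(stderr, "Could not listen to any TCP ports\n");`. listen_ports starts outside the hunk.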