From 3f9a215f539ba10ef604423d96c4349b75d04798 Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos
Date: Wed, 14 May 2014 13:00:11 +0200
Subject: [PATCH] Allow for random and for predictable IP assignment.
---
 src/config.c | 2 ++
 src/ocserv-args.def | 4 ++++
 src/sec-mod-auth.c | 10 ++++++++--
 src/vpn.h | 1 +
 4 files changed, 15 insertions(+), 2 deletions(-)
diff --git a/src/config.c b/src/config.c
index 82c1b81e..ef4c4fe3 100644
--- a/src/config.c
+++ b/src/config.c
@@ -78,6 +78,7 @@ static struct cfg_options available_options[] = {
 	{ .name = "socket-file", .type = OPTION_STRING, .mandatory = 1 },
 	{ .name = "occtl-socket-file", .type = OPTION_STRING, .mandatory = 0 },
 	{ .name = "banner", .type = OPTION_STRING, .mandatory = 0 },
+	{ .name = "predictable-ips", .type = OPTION_BOOLEAN, .mandatory = 0 },
 	/* this is alias for cisco-client-compat */
 	{ .name = "always-require-cert", .type = OPTION_BOOLEAN, .mandatory = 0 },
 	{ .name = "cisco-client-compat", .type = OPTION_BOOLEAN, .mandatory = 0 },
@@ -374,6 +375,7 @@ unsigned force_cert_auth;
 		config->cisco_client_compat = 1;
 	}
+	READ_TF("predictable-ips", config->predictable_ips, 1);
 	READ_TF("use-utmp", config->use_utmp, 1);
 	READ_TF("use-dbus", config->use_dbus, 0);
 	if (config->use_dbus != 0) {
diff --git a/src/ocserv-args.def b/src/ocserv-args.def
index 076fb6e6..17266f39 100644
--- a/src/ocserv-args.def
+++ b/src/ocserv-args.def
@@ -286,6 +286,10 @@ cgroup = "cpuset,cpu:test"
 # The name to use for the tun device
 device = vpns
+# Whether the generated IPs will be predictable, i.e., IP stays the
+# same for the same user when possible.
+predictable-ips = true
+
 # The default domain to be advertised
 default-domain = example.com
diff --git a/src/sec-mod-auth.c b/src/sec-mod-auth.c
index ac9a121d..2e13fb16 100644
--- a/src/sec-mod-auth.c
+++ b/src/sec-mod-auth.c
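Review bot: The third argument of `READ_TF("predictable-ips", config->predictable_ips, 1);` in the second config.c hunk reads, by analogy with `use-utmp`/1 and `use-dbus`/0 on the lines that follow it, as the value used when the option is absent, which would make username-derived (predictable) addresses the default for every existing configuration that never mentions the option; READ_TF's definition is outside this patch, so that reading is inferred. If that is the intent, the less private choice becoming the default deserves a comment on that line, e.g. `/* default on: addresses derived from the username; set predictable-ips = false for random seeds */`; otherwise the default should be 0 so operators opt in to predictable addresses. The enclosing function starts and ends outside the hunk.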
@@ -76,8 +76,14 @@ static int generate_cookie(sec_mod_st * sec, client_entry_st * entry)
 		return -1;
 	/* Fixme: possibly we should allow for completely random seeds */
-	t = hash_any(entry->username, strlen(entry->username), 0);
-	memcpy(sc.ipv4_seed, &t, 4);
+	if (sec->config->predictable_ips != 0) {
+		t = hash_any(entry->username, strlen(entry->username), 0);
+		memcpy(sc.ipv4_seed, &t, 4);
+	} else {
+		ret = gnutls_rnd(GNUTLS_RND_NONCE, sc.ipv4_seed, sizeof(sc.ipv4_seed));
+		if (ret < 0)
+			return -1;
+	}
 	memcpy(sc.username, entry->username, sizeof(entry->username));
 	memcpy(sc.groupname, entry->groupname, sizeof(entry->groupname));
diff --git a/src/vpn.h b/src/vpn.h
index 51900a03..3f5e3b6b 100644
--- a/src/vpn.h
+++ b/src/vpn.h
@@ -240,6 +240,7 @@ struct cfg_st {
 	unsigned output_buffer;
 	unsigned default_mtu;
+	unsigned predictable_ips; /* boolean */
 	char *route_add_cmd;
 	char *route_del_cmd;
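Review bot: The `/* Fixme: possibly we should allow for completely random seeds */` comment kept as context directly above the new `if` is now stale — this hunk is exactly that change — and it should be replaced by one that states the trade-off the option makes, e.g. `/* predictable-ips: seed the address from an unkeyed hash of the username so the same user gets the same IP; anyone who knows the username can compute that seed. Otherwise draw the seed from the CSPRNG. */`. The two branches also size the copy differently: the predictable branch hard-codes `memcpy(sc.ipv4_seed, &t, 4);` while the random branch fills `sizeof(sc.ipv4_seed)` bytes, so `memcpy(sc.ipv4_seed, &t, sizeof(sc.ipv4_seed));` in both keeps them from drifting apart, provided the declaration of `t` (outside this hunk) is at least that wide. `ret` is assigned in the else branch but is declared outside the hunk, as the earlier `return -1;` context suggests; generate_cookie's body starts and ends outside this hunk.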