diff --git a/NEWS b/NEWS
index 646db844..de3bfd2a 100644
--- a/NEWS
+++ b/NEWS
@@ -7,6 +7,8 @@ sent (#357)
 - Increased the maximum configuration line; this allows banner messages longer than 200 characters (#364)
+- Removed the listen-clear-file config option. This option was incompatible
+ with several clients, and thus is unusable for a generic server (#376)
 * Version 1.1.1 (released 2020-09-21)
diff --git a/doc/sample.config b/doc/sample.config
index ad37893a..6a677c9d 100644
--- a/doc/sample.config
+++ b/doc/sample.config
@@ -93,20 +93,6 @@ auth = "plain[passwd=./sample.passwd]"
 tcp-port = 443
 udp-port = 443
 
-# Accept connections using a socket file. It accepts HTTP
-# connections (i.e., without SSL/TLS unlike its TCP counterpart),
-# and uses it as the primary channel. That option is experimental
-# and it has many known issues.
-# * It can only be combined with certificate authentication, when receiving
-# channel information through proxy protocol (see listen-proxy-proto)
-# * It cannot derive any keys needed for the DTLS session (hence no support for dtls-psk)
-# * It cannot enforce the framing of the SSL/TLS packets, and that
-# breaks assumptions held by several openconnect clients.
-# This option is not recommended for use, and may be removed
-# in the future.
-#
-#listen-clear-file = /var/run/ocserv-conn.socket
-
 # The user the worker processes will be run as. This should be a dedicated
 # unprivileged user (e.g., 'ocserv') and no other services should run as this
 # user.
diff --git a/src/config.c b/src/config.c
index 63d96271..05dd24db 100644
--- a/src/config.c
+++ b/src/config.c
@@ -760,8 +760,8 @@ static int cfg_ini_handler(void *_ctx, const char *section, const char *name, co
 } else if (strcmp(name, "udp-listen-host") == 0) {
 PREAD_STRING(pool, vhost->perm_config.udp_listen_host);
 } else if (strcmp(name, "listen-clear-file") == 0) {
- if (!PWARN_ON_VHOST_STRDUP(vhost->name, "listen-clear-file", unix_conn_file))
- PREAD_STRING(pool, vhost->perm_config.unix_conn_file);
+ fprintf(stderr, ERRSTR"the 'listen-clear-file' option was removed in ocserv 1.1.2\n");
+ return 0;
 } else if (strcmp(name, "listen-netns") == 0) {
 vhost->perm_config.listen_netns_name = talloc_strdup(pool, value);
 } else if (strcmp(name, "tcp-port") == 0) {
@@ -1347,12 +1347,10 @@ static void check_cfg(vhost_cfg_st *vhost, vhost_cfg_st *defvhost, unsigned sile
 }
 }
 
- if (vhost->perm_config.port == 0 && vhost->perm_config.unix_conn_file == NULL) {
+ if (vhost->perm_config.port == 0) {
 if (defvhost) {
 if (vhost->perm_config.port)
 vhost->perm_config.port = defvhost->perm_config.port;
- else if (vhost->perm_config.unix_conn_file)
- vhost->perm_config.unix_conn_file = talloc_strdup(vhost, defvhost->perm_config.unix_conn_file);
 } else {
 fprintf(stderr, ERRSTR"%sthe tcp-port option is mandatory!\n", PREFIX_VHOST(vhost));
 exit(1);
@@ -1416,13 +1414,6 @@ static void check_cfg(vhost_cfg_st *vhost, vhost_cfg_st *defvhost, unsigned sile
 }
 }
 
- if (vhost->perm_config.unix_conn_file != NULL && (config->cert_req != 0)) {
- if (config->listen_proxy_proto == 0) {
- fprintf(stderr, ERRSTR"%sthe option 'listen-clear-file' cannot be combined with 'auth=certificate'\n", PREFIX_VHOST(vhost));
- exit(1);
- }
- }
-
 #ifdef ANYCONNECT_CLIENT_COMPAT
 if (vhost->perm_config.cert && vhost->perm_config.cert_hash == NULL) {
 vhost->perm_config.cert_hash = calc_sha1_hash(vhost->pool, vhost->perm_config.cert[0], 1);
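Review bot: The new branch returns 0 right after printing the ERRSTR message, which — if this handler follows the usual ini-handler convention where a zero return aborts parsing — turns a config that still carries `listen-clear-file` into a hard startup failure rather than a skipped option; that is the safer outcome for a removed listener, but nothing in the branch says so, and a bare `return 0` among branches that fall through to the end of the handler reads like an early success. Suggest a one-line comment above the fprintf, `/* removed option: fail the parse so a stale config cannot start with a listener setup its author did not intend */`, and consider pointing the message at the NEWS entry (#376) so an operator knows the option is gone rather than mistyped. The enclosing cfg_ini_handler starts and ends outside the hunk.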
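Review bot: Inside the new guard `if (vhost->perm_config.port == 0) {` the nested `if (vhost->perm_config.port)` can never be true, so when a defvhost is present the port is never copied from it and no error is reported either — the vhost silently keeps port 0. The defect predates this commit (the removed `else if (vhost->perm_config.unix_conn_file)` was unreachable for the same reason, since the outer condition required it to be NULL), but this hunk rewrites exactly these lines and is the place to settle it, most likely as `if (defvhost->perm_config.port) vhost->perm_config.port = defvhost->perm_config.port;`. Whether a non-default vhost's port is consulted at all when listening is not visible here, so confirm against listen_ports before changing the inheritance, or replace the dead branch with a comment stating that vhosts share the default vhost's listeners. check_cfg continues outside the hunk on both sides.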
@@ -1489,13 +1480,6 @@ static void check_cfg(vhost_cfg_st *vhost, vhost_cfg_st *defvhost, unsigned sile
 config->dtls_legacy = 1;
 }
 
- if (vhost->perm_config.unix_conn_file) {
- if (config->dtls_psk && !silent) {
- fprintf(stderr, NOTESTR"%s'dtls-psk' cannot be combined with unix socket file\n", PREFIX_VHOST(vhost));
- }
- config->dtls_psk = 0;
- }
-
 if (config->match_dtls_and_tls) {
 if (config->dtls_legacy) {
 fprintf(stderr, ERRSTR"%s'match-tls-dtls-ciphers' cannot be applied when 'dtls-legacy' or 'cisco-client-compat' is on\n", PREFIX_VHOST(vhost));
diff --git a/src/main.c b/src/main.c
index d6c01a5c..67c847d4 100644
--- a/src/main.c
+++ b/src/main.c
@@ -255,68 +255,6 @@ int _listen_ports(void *pool, struct perm_cfg_st* config, struct addrinfo *res,
 return 0;
 }
 
-static
-int _listen_unix_ports(void *pool, struct perm_cfg_st* config,
- struct listen_list_st *list)
-{
- int s, e, ret;
- struct sockaddr_un sa;
-
- /* open the UNIX domain socket to accept connections */
- if (config->unix_conn_file) {
- memset(&sa, 0, sizeof(sa));
- sa.sun_family = AF_UNIX;
- strlcpy(sa.sun_path, config->unix_conn_file, sizeof(sa.sun_path));
- if (remove(sa.sun_path) != 0) {
- e = errno;
- fprintf(stderr, "could not remove unix domain socket['%s']: %s", sa.sun_path,
- strerror(e));
- return -1;
- }
-
- if (config->foreground != 0)
- fprintf(stderr, "listening (UNIX) on %s...\n",
- sa.sun_path);
-
- s = socket(AF_UNIX, SOCK_STREAM, 0);
- if (s == -1) {
- e = errno;
- fprintf(stderr, "could not create socket '%s': %s", sa.sun_path,
- strerror(e));
- return -1;
- }
-
- umask(006);
- ret = bind(s, (struct sockaddr *)&sa, SUN_LEN(&sa));
- if (ret == -1) {
- e = errno;
- fprintf(stderr, "could not bind socket '%s': %s", sa.sun_path,
- strerror(e));
- close(s);
- return -1;
- }
-
- ret = chown(sa.sun_path, config->uid, config->gid);
- if (ret == -1) {
- e = errno;
- fprintf(stderr, "could not chown socket '%s': %s", sa.sun_path,
- strerror(e));
- }
-
- ret = listen(s, 1024);
- if (ret == -1) {
- e = errno;
- fprintf(stderr, "could not listen to socket '%s': %s",
- sa.sun_path, strerror(e));
- exit(1);
- }
- add_listener(pool, list, s, AF_UNIX, SOCK_TYPE_UNIX, 0, (struct sockaddr *)&sa, sizeof(sa));
- }
- fflush(stderr);
-
- return 0;
-}
-
 /* Returns 0 on success or negative value on error. */
 static
 int
@@ -404,7 +342,7 @@ listen_ports(void *pool, struct perm_cfg_st* config,
 }
 #endif
 
- if (config->port == 0 && config->unix_conn_file == NULL) {
+ if (config->port == 0) {
 fprintf(stderr, "tcp-port option is mandatory!\n");
 return -1;
 }
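Review bot: With `_listen_unix_ports` gone (previous hunk in this file), the failure message a few lines below this check, `"Could not listen to any TCP or UNIX ports\n"` (visible as context in the next hunk), is now misleading because no UNIX listener can be created any more; it should drop the UNIX mention, e.g. `"Could not listen to any TCP or UDP ports\n"` if `list` also holds the UDP sockets, otherwise just TCP. The removal also likely leaves `<sys/un.h>`, the `SOCK_TYPE_UNIX` listener type and the `strlcpy` call without a user in this file — worth a quick grep so the enum value and any AF_UNIX branches in the accept path do not survive as dead code. listen_ports starts before this hunk and continues after it.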
@@ -436,11 +374,6 @@ listen_ports(void *pool, struct perm_cfg_st* config,
 }
 
- ret = _listen_unix_ports(pool, config, list);
- if (ret < 0) {
- return -1;
- }
-
 if (list->total == 0) {
 fprintf(stderr, "Could not listen to any TCP or UNIX ports\n");
 exit(1);
@@ -772,10 +705,6 @@ int sfd = -1;
 * the IP address and forward the socket. */
 match_ip_only = 1;
-
- /* don't bother IP matching when the listen-clear-file is in use */
- if (GETPCONFIG(s)->unix_conn_file)
- goto fail;
 } else {
 if (has_broken_random(s, s->msg_buffer, buffer_size)) {
 mslog(s, NULL, LOG_INFO, "%s: detected broken DTLS client hello (no randomness); ignoring",
diff --git a/src/vpn.h b/src/vpn.h
index 7b7e082d..31e1dbd9 100644
--- a/src/vpn.h
+++ b/src/vpn.h
@@ -393,7 +393,6 @@ struct perm_cfg_st {
 char *listen_host;
 char *udp_listen_host;
- char* unix_conn_file;
 char *listen_netns_name;
 unsigned int port;
 unsigned int udp_port;