occtl: print the TLS session information, even if no DTLS channel
This ensures that the main process receives the TLS channel information early and does not depend on DTLS channel establishment. Furthermore, we refactor to make setup_dtls_psk_keys() fail early when no TLS channel is available. Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
2
NEWS
2
NEWS
@@ -1,5 +1,7 @@
|
||||
* Version 0.12.3 (unreleased)
|
||||
- Prevented crash when no DTLS ciphersuite is negotiated
|
||||
- occtl: print the TLS session information, even if the DTLS channel
|
||||
is not established.
|
||||
|
||||
|
||||
* Version 0.12.2 (released 2019-01-10)
|
||||
|
||||
@@ -226,18 +226,18 @@ static int setup_dtls_psk_keys(gnutls_session_t session, struct worker_st *ws)
|
||||
|
||||
gnutls_psk_set_server_credentials_function(WSCREDS(ws)->pskcred, get_psk_key);
|
||||
|
||||
if (ws->session && WSCONFIG(ws)->match_dtls_and_tls) {
|
||||
if (!ws->session) {
|
||||
oclog(ws, LOG_ERR, "cannot setup PSK keys without an encrypted CSTP channel");
|
||||
return -1;
|
||||
}
|
||||
|
||||
if (WSCONFIG(ws)->match_dtls_and_tls) {
|
||||
cipher = gnutls_cipher_get(ws->session);
|
||||
mac = gnutls_mac_get(ws->session);
|
||||
|
||||
snprintf(prio_string, sizeof(prio_string), "%s:"VERS_STRING":-CIPHER-ALL:-MAC-ALL:-KX-ALL:+PSK:+VERS-DTLS-ALL:+%s:+%s",
|
||||
WSCONFIG(ws)->priorities, gnutls_mac_get_name(mac), gnutls_cipher_get_name(cipher));
|
||||
} else {
|
||||
if (WSCONFIG(ws)->match_dtls_and_tls) {
|
||||
oclog(ws, LOG_ERR, "cannot determine ciphersuite from CSTP channel (unset match-tls-dtls-ciphers)");
|
||||
return -1;
|
||||
}
|
||||
|
||||
/* if we haven't an associated session, enable all ciphers we would have enabled
|
||||
* otherwise for TLS. */
|
||||
snprintf(prio_string, sizeof(prio_string), "%s:"VERS_STRING":-KX-ALL:+PSK:+VERS-DTLS-ALL",
|
||||
@@ -801,6 +801,8 @@ void vpn_server(struct worker_st *ws)
|
||||
oclog(ws, LOG_DEBUG, "Accepted unix connection");
|
||||
}
|
||||
|
||||
ws->session = session;
|
||||
|
||||
session_info_send(ws);
|
||||
|
||||
memset(&settings, 0, sizeof(settings));
|
||||
@@ -823,7 +825,6 @@ void vpn_server(struct worker_st *ws)
|
||||
oclog(ws, LOG_DEBUG, "proxy-hdr: peer is %s\n", ws->remote_ip_str);
|
||||
}
|
||||
|
||||
ws->session = session;
|
||||
ws->parser = &parser;
|
||||
|
||||
restart:
|
||||
|
||||
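Review bot: session_info_send(ws) is now issued immediately after `ws->session = session;`, which is before the proxy-hdr branch further down overwrites ws->remote_ip_str; if the message it builds carries the peer address alongside the TLS ciphersuite (not visible in this hunk), the main process will first record the proxy's address rather than the client's, so confirm that a later send (after DTLS comes up, or after the header is parsed) corrects it. The reason for moving the call is only stated in the commit message, so a one-line comment above it would help, e.g. `/* report the CSTP/TLS ciphersuite to main now; do not wait for DTLS */`. Note that for unix-socket (clear) connections ws->session stays NULL here, and with the new guard in setup_dtls_psk_keys such sessions will be refused DTLS-PSK with "cannot setup PSK keys without an encrypted CSTP channel" — intended, presumably because the PSK is derived from the TLS session, but worth a comment at that guard. vpn_server starts and ends outside these hunks.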
@@ -137,7 +137,7 @@ if test $? != 0;then
|
||||
exit 1
|
||||
fi
|
||||
|
||||
grep "Username: ${USERNAME}" ${OUTFILE}
|
||||
grep "Username: ${USERNAME}" ${OUTFILE} >/dev/null
|
||||
if test $? != 0;then
|
||||
${OCCTL} -s ${OCCTL_SOCKET} show user ${USERNAME}
|
||||
echo "occtl show user didn't find connected user!"
|
||||
@@ -145,14 +145,14 @@ if test $? != 0;then
|
||||
fi
|
||||
|
||||
if test -z "${GNUTLS_NAME}";then
|
||||
grep "DTLS cipher:" ${OUTFILE}
|
||||
grep "DTLS cipher:" ${OUTFILE} >/dev/null
|
||||
if test $? = 0;then
|
||||
${OCCTL} -s ${OCCTL_SOCKET} show user ${USERNAME}
|
||||
echo "occtl show user did show a cipher!"
|
||||
exit 1
|
||||
fi
|
||||
else
|
||||
grep "DTLS cipher: ${GNUTLS_NAME}" ${OUTFILE}
|
||||
grep "DTLS cipher: ${GNUTLS_NAME}" ${OUTFILE} >/dev/null
|
||||
if test $? != 0;then
|
||||
${OCCTL} -s ${OCCTL_SOCKET} show user ${USERNAME}
|
||||
echo "occtl show user didn't show cipher!"
|
||||
@@ -160,7 +160,14 @@ else
|
||||
fi
|
||||
fi
|
||||
|
||||
grep ${CLI_ADDRESS} ${OUTFILE}
|
||||
grep -E '[[:space:]]+TLS ciphersuite:' ${OUTFILE} >/dev/null
|
||||
if test $? != 0;then
|
||||
${OCCTL} -s ${OCCTL_SOCKET} show user ${USERNAME}
|
||||
echo "occtl show user did not show a TLS cipher!"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
grep ${CLI_ADDRESS} ${OUTFILE} >/dev/null
|
||||
if test $? != 0;then
|
||||
${OCCTL} -s ${OCCTL_SOCKET} show user ${USERNAME}
|
||||
echo "occtl show user didn't find client address!"
|
||||
|
||||
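Review bot: The new `grep -E '[[:space:]]+TLS ciphersuite:' ${OUTFILE}` only proves the label is printed, not that a ciphersuite follows it, so an empty or placeholder value after the colon would still pass the test; if the printed value is GnuTLS's session description it begins with `(TLS`, so `grep -E '[[:space:]]+TLS ciphersuite: \(TLS' ${OUTFILE} >/dev/null` would pin that (confirm the exact format against occtl's output). The leading `[[:space:]]+` is the right way to keep "DTLS ciphersuite:" from satisfying the TLS check, and a short comment saying so would stop someone from "simplifying" the pattern later, e.g. `# leading whitespace required so the DTLS ciphersuite line does not match`. The `... >/dev/null; if test $? != 0` pairs could be written as `if ! grep -q ...`, matching the style used elsewhere in the script only if that is the convention there.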