Merge branch 'udp-listen-host' into 'master'

Add `udp-listen-host` option for DTLS

See merge request openconnect/ocserv!107

doc/sample.config

@@ -77,6 +77,10 @@ auth = "plain[passwd=./sample.passwd]"
 # hostname.
 #listen-host = [IP|HOSTNAME]
 
+# Use udp-listen-host to limit udp to specific IPs or to the IPs of a provided
+# hostname. if not set, listen-host will be used
+#udp-listen-host = [IP|HOSTNAME]
+
 # When the server has a dynamic DNS address (that may change),
 # should set that to true to ask the client to resolve again on
 # reconnects.

src/config.c

@@ -720,6 +720,8 @@ static int cfg_ini_handler(void *_ctx, const char *section, const char *name, co
 			vhost->acct = talloc_strdup(pool, value);
 		} else if (strcmp(name, "listen-host") == 0) {
 			PREAD_STRING(pool, vhost->perm_config.listen_host);
+		} else if (strcmp(name, "udp-listen-host") == 0) {
+			PREAD_STRING(pool, vhost->perm_config.udp_listen_host);
 		} else if (strcmp(name, "listen-clear-file") == 0) {
 			if (!PWARN_ON_VHOST_STRDUP(vhost->name, "listen-clear-file", unix_conn_file))
 				PREAD_STRING(pool, vhost->perm_config.unix_conn_file);
@@ -785,7 +787,6 @@ static int cfg_ini_handler(void *_ctx, const char *section, const char *name, co
 		} else {
 			stage1_found = 0;
 		}
-
 		if (stage1_found)
 			goto exit;
 	}
@@ -1328,6 +1329,11 @@ static void check_cfg(vhost_cfg_st *vhost, vhost_cfg_st *defvhost, unsigned sile
 	if (config->no_compress_limit < MIN_NO_COMPRESS_LIMIT)
 		config->no_compress_limit = MIN_NO_COMPRESS_LIMIT;
 
+	/* use tcp listen host by default */
+	if (vhost->perm_config.udp_listen_host ==  NULL) {
+		vhost->perm_config.udp_listen_host = vhost->perm_config.listen_host;
+	}
+
 #if !defined(HAVE_LIBSECCOMP)
 	if (config->isolate != 0 && !silent) {
 		fprintf(stderr, ERRSTR"%s'isolate-workers' is set to true, but not compiled with seccomp or Linux namespaces support\n", PREFIX_VHOST(vhost));

src/main.c

@@ -419,7 +419,7 @@ listen_ports(void *pool, struct perm_cfg_st* config,
 #endif
 		    ;
 
-		ret = getaddrinfo(config->listen_host, portname, &hints, &res);
+		ret = getaddrinfo(config->udp_listen_host, portname, &hints, &res);
 		if (ret != 0) {
 			fprintf(stderr, "getaddrinfo() failed: %s\n",
 				gai_strerror(ret));

src/vpn.h

@@ -385,6 +385,7 @@ struct perm_cfg_st {
 	char *dh_params_file;
 
 	char *listen_host;
+	char *udp_listen_host;
 	char* unix_conn_file;
 	unsigned int port;
 	unsigned int udp_port;

tests/Makefile.am

@@ -33,7 +33,8 @@ EXTRA_DIST = certs/ca-key.pem certs/ca.pem ns.sh common.sh certs/server-cert.pem
 	data/raddb/access_reject data/raddb/accounting_response data/raddb/access_challenge data/raddb/acct_users \
 	data/raddb/clients.conf data/raddb/radiusd.conf data/raddb/users \
 	data/radiusclient/dictionary data/radiusclient/radiusclient.conf \
-	data/radiusclient/servers data/radius.config data/radius-group.config data/radius-otp.config
+	data/radiusclient/servers data/radius.config data/radius-group.config data/radius-otp.config \
+	data/test-udp-listen-host.config
 
 SUBDIRS = docker-ocserv docker-kerberos
 
@@ -57,7 +58,7 @@ endif
 dist_check_SCRIPTS += test-iroute test-multi-cookie test-pass-script \
 	test-cookie-timeout test-cookie-timeout-2 test-explicit-ip \
 	test-cookie-invalidation test-user-config test-append-routes test-ban \
-	multiple-routes haproxy-connect radius-group radius-otp json
+	multiple-routes haproxy-connect radius-group radius-otp json test-udp-listen-host
 
 #other tests requiring nuttcp for traffic
 if ENABLE_NUTTCP_TESTS

tests/data/test-udp-listen-host.config

@@ -0,0 +1,196 @@
+# User authentication method. Could be set multiple times and in that case
+# all should succeed.
+# Options: certificate, pam. 
+#auth = "certificate"
+auth = "plain[@SRCDIR@/data/test1.passwd]"
+#auth = "pam"
+
+isolate-workers = @ISOLATE_WORKERS@
+
+max-ban-score = 0
+
+# A banner to be displayed on clients
+#banner = "Welcome"
+
+# Use listen-host to limit to specific IPs or to the IPs of a provided hostname.
+#listen-host = @ADDRESS@
+udp-listen-host = @ADDRESS@
+
+use-dbus = no
+
+# Limit the number of clients. Unset or set to zero for unlimited.
+#max-clients = 1024
+max-clients = 16
+
+listen-proxy-proto = true
+
+# Limit the number of client connections to one every X milliseconds 
+# (X is the provided value). Set to zero for no limit.
+#rate-limit-ms = 100
+
+# Limit the number of identical clients (i.e., users connecting multiple times)
+# Unset or set to zero for unlimited.
+max-same-clients = 2
+
+# TCP and UDP port number
+tcp-port = @PORT@
+udp-port = @PORT@
+
+# Keepalive in seconds
+keepalive = 32400
+
+# Dead peer detection in seconds
+dpd = 440
+
+# MTU discovery (DPD must be enabled)
+try-mtu-discovery = false
+
+# The key and the certificates of the server
+# The key may be a file, or any URL supported by GnuTLS (e.g., 
+# tpmkey:uuid=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx;storage=user
+# or pkcs11:object=my-vpn-key;object-type=private)
+#
+# There may be multiple certificate and key pairs and each key
+# should correspond to the preceding certificate.
+server-cert = @SRCDIR@/certs/server-cert.pem
+server-key = @SRCDIR@/certs/server-key.pem
+
+# Diffie-Hellman parameters. Only needed if you require support
+# for the DHE ciphersuites (by default this server supports ECDHE).
+# Can be generated using:
+# certtool --generate-dh-params --outfile /path/to/dh.pem
+#dh-params = /path/to/dh.pem
+
+# If you have a certificate from a CA that provides an OCSP
+# service you may provide a fresh OCSP status response within
+# the TLS handshake. That will prevent the client from connecting
+# independently on the OCSP server.
+# You can update this response periodically using:
+# ocsptool --ask --load-cert=your_cert --load-issuer=your_ca --outfile response
+# Make sure that you replace the following file in an atomic way.
+#ocsp-response = /path/to/ocsp.der
+
+# In case PKCS #11 or TPM keys are used the PINs should be available
+# in files. The srk-pin-file is applicable to TPM keys only (It's the storage
+# root key).
+#pin-file = /path/to/pin.txt
+#srk-pin-file = /path/to/srkpin.txt
+
+# The Certificate Authority that will be used
+# to verify clients if certificate authentication
+# is set.
+#ca-cert = /path/to/ca.pem
+
+# The object identifier that will be used to read the user ID in the client certificate.
+# The object identifier should be part of the certificate's DN
+# Useful OIDs are: 
+#  CN = 2.5.4.3, UID = 0.9.2342.19200300.100.1.1
+#cert-user-oid = 0.9.2342.19200300.100.1.1
+
+# The object identifier that will be used to read the user group in the client 
+# certificate. The object identifier should be part of the certificate's DN
+# Useful OIDs are: 
+#  OU (organizational unit) = 2.5.4.11 
+#cert-group-oid = 2.5.4.11
+
+# A revocation list of ca-cert is set
+#crl = /path/to/crl.pem
+
+# GnuTLS priority string
+tls-priorities = "PERFORMANCE:%SERVER_PRECEDENCE:%COMPAT"
+
+# To enforce perfect forward secrecy (PFS) on the main channel.
+#tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA"
+
+# The time (in seconds) that a client is allowed to stay connected prior
+# to authentication
+auth-timeout = 40
+
+# The time (in seconds) that a client is not allowed to reconnect after 
+# a failed authentication attempt.
+#min-reauth-time = 2
+
+# Cookie validity time (in seconds)
+# Once a client is authenticated he's provided a cookie with
+# which he can reconnect. This option sets the maximum lifetime
+# of that cookie.
+cookie-validity = 172800
+
+# Script to call when a client connects and obtains an IP
+# Parameters are passed on the environment.
+# REASON, USERNAME, GROUPNAME, HOSTNAME (the hostname selected by client), 
+# DEVICE, IP_REAL (the real IP of the client), IP_LOCAL (the local IP
+# in the P-t-P connection), IP_REMOTE (the VPN IP of the client). REASON
+# may be "connect" or "disconnect".
+#connect-script = /usr/bin/myscript
+#disconnect-script = /usr/bin/myscript
+
+# UTMP
+use-utmp = true
+
+# PID file
+pid-file = ./ocserv.pid
+
+# The default server directory. Does not require any devices present.
+#chroot-dir = /path/to/chroot
+
+# socket file used for IPC, will be appended with .PID
+# It must be accessible within the chroot environment (if any)
+socket-file = ./ocserv-socket
+
+# The user the worker processes will be run as. It should be
+# unique (no other services run as this user).
+run-as-user = @USERNAME@
+run-as-group = @GROUP@
+
+# Network settings
+
+device = vpns
+
+# The default domain to be advertised
+default-domain = example.com
+
+ipv4-network = @VPNNET@
+# Use the keywork local to advertize the local P-t-P address as DNS server
+ipv4-dns = 192.168.1.1
+
+# The NBNS server (if any)
+#ipv4-nbns = 192.168.2.3
+
+#ipv6-address = 
+#ipv6-mask = 
+#ipv6-dns = 
+
+# Prior to leasing any IP from the pool ping it to verify that
+# it is not in use by another (unrelated to this server) host.
+ping-leases = false
+
+# Leave empty to assign the default MTU of the device
+# mtu = 
+
+#route = 192.168.1.0/255.255.255.0
+#route = 192.168.5.0/255.255.255.0
+
+#
+# The following options are for (experimental) AnyConnect client 
+# compatibility. They are only available if the server is built 
+# with --enable-anyconnect
+#
+
+# Client profile xml. A sample file exists in doc/profile.xml.
+# This file must be accessible from inside the worker's chroot. 
+# The profile is ignored by the openconnect client.
+#user-profile = profile.xml
+
+# Unless set to false it is required for clients to present their
+# certificate even if they are authenticating via a previously granted
+# cookie. Legacy CISCO clients do not do that, and thus this option
+# should be set for them.
+#always-require-cert = false
+
+# socket file used for IPC, will be appended with .PID
+# It must be accessible within the chroot environment (if any)
+socket-file = ./ocserv-socket
+
+occtl-socket-file = @OCCTL_SOCKET@
+use-occtl = true

tests/radius-config

@@ -150,7 +150,7 @@ fi
 echo "Transferred ${OCTETS} bytes"
 
 echo "Waiting for disconnection report"
-sleep 50
+sleep 60
 
 DISC=$(cat ${RADIUSLOG}|grep "Acct-Status-Type = Start"|tail -1)
 if test -z "$DISC";then

tests/test-udp-listen-host

@@ -0,0 +1,130 @@
+#!/bin/bash
+#
+# Copyright (C) 2019 Lele Long
+#
+# This file is part of ocserv.
+#
+# ocserv is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at
+# your option) any later version.
+#
+# ocserv is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+OCCTL="${OCCTL:-../src/occtl/occtl}"
+OUTFILE=occtl-show-user.$$.tmp
+CLIPID="${srcdir:-.}/ci$$-1.pid.tmp"
+CLIPID2="${srcdir:-.}/ci$$-2.pid.tmp"
+SERV="${SERV:-../src/ocserv}"
+srcdir=${srcdir:-.}
+PORT=4566
+HAPORT=4567
+PIDFILE=ocserv-pid.$$.tmp
+CONFIG_UDP_LISTEN_LOCAL=ocserv_udp_listen_local.conf.$$.tmp
+HACONFIG=haproxy.conf.$$.tmp
+PATH=${PATH}:/usr/sbin
+HAPROXY=$(command -v haproxy)
+IP=$(command -v ip)
+
+. "$(dirname "$0")/common.sh"
+
+if test -z "${HAPROXY}";then
+	echo "no haproxy present"
+	exit 77
+fi
+
+if test -z "${IP}";then
+	echo "no IP tool is present"
+	exit 77
+fi
+
+echo "Testing ocserv udp-listen-host"
+
+function finish {
+  set +e
+  echo " * Cleaning up..."
+  test -n "${CONFIG}" && rm -f "${CONFIG}" >/dev/null 2>&1
+  test -n "${HACONFIG}" && rm -f "${HACONFIG}" >/dev/null 2>&1
+  test -n "${HAPID}" && kill "${HAPID}" >/dev/null 2>&1
+  test -n "${PID}" && kill "${PID}" >/dev/null 2>&1
+
+  rm "${OUTFILE}" "${CONFIG_UDP_LISTEN_LOCAL}"
+  # first openconnect cli will exit after ocserv is killed/restarted
+  kill "$(cat "${CLIPID2}")"
+  rm "${CLIPID2}"
+}
+trap finish EXIT
+
+# server address
+ADDRESS=10.200.2.1
+CLI_ADDRESS=10.200.1.1
+VPNNET=192.168.1.0/24
+VPNADDR=192.168.1.1
+OCCTL_SOCKET=./occtl-udp-listen-host-$$.socket
+USERNAME=test
+
+. "$(dirname "$0")/ns.sh"
+
+# Run servers
+update_config test-udp-listen-host.config
+if test "$VERBOSE" = 1;then
+  DEBUG="-d 3"
+fi
+
+${CMDNS2} ${SERV} -p ${PIDFILE} -f -c ${CONFIG} ${DEBUG} & PID=$!
+
+sleep 1
+
+rm -f ${HACONFIG}
+sed -e 's|@HAPORT@|'${HAPORT}'|g' -e 's|@PORT@|'${PORT}'|g' -e 's|@ADDRESS@|'${ADDRESS}'|g' ${srcdir}/data/haproxy-connect.cfg >${HACONFIG}
+${CMDNS2} ${HAPROXY} -f ${HACONFIG} -d & HAPID=$!
+
+sleep 3
+
+echo " * Connecting to haproxy and using dtls ... "
+echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${HAPORT} --user test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --script=/bin/true --verbose --pid-file "${CLIPID}" --background
+
+${OCCTL} -s ${OCCTL_SOCKET} show user ${USERNAME} >${OUTFILE}
+
+sleep 3
+
+grep "DTLS cipher:" ${OUTFILE}
+if test $? != 0;then
+	echo "occtl show user didn't find DTLS cipher!"
+	exit 1
+fi
+
+test -n "${PID}" && kill "${PID}" >/dev/null 2>&1
+sed -e "s/^udp-listen-host = ${ADDRESS}/udp-listen-host = 127.0.0.1/" "${CONFIG}" >${CONFIG_UDP_LISTEN_LOCAL}
+kill -9 "${PID}" >/dev/null
+sleep 1
+echo "restart ocsev with udp-listen-host set to 127.0.0.1"
+${CMDNS2} ${SERV} -p ${PIDFILE} -f -c ${CONFIG_UDP_LISTEN_LOCAL} ${DEBUG} & PID=$!
+
+echo " * Connecting to haproxy and using dtls again ... "
+echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${HAPORT} --user test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --script=/bin/true --verbose --pid-file "${CLIPID2}" --background
+
+sleep 3
+
+${OCCTL} -s ${OCCTL_SOCKET} show user ${USERNAME} >${OUTFILE}
+
+grep "Username: ${USERNAME}" ${OUTFILE}
+if test $? != 0;then
+	echo "occtl show user didn't find user ${USERNAME} connected"
+	exit 1
+fi
+
+grep "DTLS cipher:" ${OUTFILE}
+if test $? == 0;then
+	echo "occtl show user find DTLS cipher!"
+	exit 1
+fi
+
+exit 0