Simplified per-user/group configuration handling

We now use a common structure in SESSION_REPLY and AUTH_REP
messages. That structure is generated by sec-mod and forwarded
by main to worker, thus eliminating the need to create passing
code for each new user-config variable being added.
This commit is contained in:
Nikos Mavrogiannopoulos
2015-11-26 15:03:08 +01:00
parent f86fb99b50
commit cefd77b633
17 changed files with 433 additions and 723 deletions


@@ -163,9 +163,9 @@ int get_ipv4_lease(main_server_st* s, struct proc_st* proc)
char buf[64];
/* Our IP accounting */
if (proc->config.ipv4_network && proc->config.ipv4_netmask) {
c_network = proc->config.ipv4_network;
c_netmask = proc->config.ipv4_netmask;
if (proc->config->ipv4_net && proc->config->ipv4_netmask) {
c_network = proc->config->ipv4_net;
c_netmask = proc->config->ipv4_netmask;
} else {
c_network = s->config->network.ipv4;
c_netmask = s->config->network.ipv4_netmask;
@@ -196,15 +196,15 @@ int get_ipv4_lease(main_server_st* s, struct proc_st* proc)
((struct sockaddr_in*)&network)->sin_family = AF_INET;
((struct sockaddr_in*)&network)->sin_port = 0;
if (proc->config.explicit_ipv4) {
if (proc->config->explicit_ipv4) {
/* if an explicit IP is given for that client, then
* do implicit IP accounting. Require the address
* to be odd, so we use the next even address as PtP. */
ret =
inet_pton(AF_INET, proc->config.explicit_ipv4, SA_IN_P(&tmp));
inet_pton(AF_INET, proc->config->explicit_ipv4, SA_IN_P(&tmp));
if (ret != 1) {
mslog(s, NULL, LOG_ERR, "error reading explicit IP: %s", proc->config.explicit_ipv4);
mslog(s, NULL, LOG_ERR, "error reading explicit IP: %s", proc->config->explicit_ipv4);
return -1;
}
@@ -232,7 +232,7 @@ int get_ipv4_lease(main_server_st* s, struct proc_st* proc)
SA_IN_U8_P(&proc->ipv4->lip)[3] |= 1;
if (ip_cmp(&proc->ipv4->lip, &proc->ipv4->rip) == 0) {
mslog(s, NULL, LOG_ERR, "cannot assign explicit IP %s; network: %s", proc->config.explicit_ipv4, c_network);
mslog(s, NULL, LOG_ERR, "cannot assign explicit IP %s; network: %s", proc->config->explicit_ipv4, c_network);
ret = ERR_NO_IP;
goto fail;
}
@@ -325,10 +325,10 @@ int get_ipv6_lease(main_server_st* s, struct proc_st* proc)
int ret;
char buf[64];
if (proc->config.ipv6_network && proc->config.ipv6_subnet_prefix) {
c_network = proc->config.ipv6_network;
prefix = proc->config.ipv6_prefix;
subnet_prefix = proc->config.ipv6_subnet_prefix;
if (proc->config->ipv6_net && proc->config->ipv6_subnet_prefix) {
c_network = proc->config->ipv6_net;
prefix = proc->config->ipv6_prefix;
subnet_prefix = proc->config->ipv6_subnet_prefix;
} else {
c_network = s->config->network.ipv6;
prefix = s->config->network.ipv6_prefix;
@@ -365,15 +365,15 @@ int get_ipv6_lease(main_server_st* s, struct proc_st* proc)
SA_IN6_U8_P(&network)[i] &= (SA_IN6_U8_P(&mask)[i]);
if (proc->config.explicit_ipv6) {
if (proc->config->explicit_ipv6) {
/* if an explicit IP is given for that client, then
* do implicit IP accounting. Require the address
* to be odd, so we use the next even address as PtP. */
ret =
inet_pton(AF_INET6, proc->config.explicit_ipv6, SA_IN6_P(&tmp));
inet_pton(AF_INET6, proc->config->explicit_ipv6, SA_IN6_P(&tmp));
if (ret != 1) {
mslog(s, NULL, LOG_ERR, "error reading explicit IP %s", proc->config.explicit_ipv6);
mslog(s, NULL, LOG_ERR, "error reading explicit IP %s", proc->config->explicit_ipv6);
return -1;
}
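Review bot: The fallback branches that read `s->config->network.ipv4` / `s->config->network.ipv6` (and `network.ipv6_prefix`) look out of step with apply_default_config() in this same commit, which pre-fills `ipv4_net`/`ipv6_net` from `s->config->network.ipv4_network`/`ipv6_network` whenever the per-user config leaves them unset. If those are the same fields under two names, the else branches are now unreachable and could become an explicit check plus error; if they are different fields, the lease code and the defaults disagree about what the server-wide pool is, which deserves a test before this ships. Note also that `proc->config` is now a pointer and is dereferenced here without the NULL guard that remove_iroutes() gains in this commit; if get_ipv4_lease()/get_ipv6_lease() can only run after session_open() succeeded, a one-line comment stating that precondition would help. Both functions start before their hunks.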


@@ -13,6 +13,44 @@ message auth_cookie_request_msg
required bytes cookie = 1;
}
/* This is a structure for per-user/group supplemental configuration.
*/
message group_cfg_st
{
/* sup - config, to add values, ensure we
* apply a reasonable default in apply_default_config() */
optional uint32 interim_update_secs = 2;
optional uint32 session_timeout_secs = 3;
optional bool no_udp = 10;
optional bool deny_roaming = 11;
repeated string routes = 13;
repeated string iroutes = 14;
repeated string dns = 15;
repeated string nbns = 16;
optional string ipv4_net = 17;
optional string ipv4_netmask = 18;
optional string ipv6_net = 19;
optional uint32 ipv6_prefix = 20;
optional string cgroup = 21;
optional string xml_config_file = 22;
optional uint32 rx_per_sec = 23;
optional uint32 tx_per_sec = 24;
optional uint32 net_priority = 25;
optional string explicit_ipv4 = 26;
optional string explicit_ipv6 = 27;
repeated string no_routes = 28;
optional uint32 ipv6_subnet_prefix = 29;
optional uint32 dpd = 30;
optional uint32 mobile_dpd = 31;
optional uint32 keepalive = 32;
optional uint32 max_same_clients = 33;
optional uint32 tunnel_all_dns = 34;
optional bool restrict_user_to_routes = 35;
optional uint32 mtu = 36;
optional uint32 idle_timeout = 37;
optional uint32 mobile_idle_timeout = 38;
}
/* AUTH_REP */
message auth_reply_msg
{
@@ -20,7 +58,7 @@ message auth_reply_msg
optional bytes session_id = 3; /* dtls */
optional string vname = 4;
optional string user_name = 5;
optional string group_name = 25;
optional string group_name = 6;
/* the ips of the tun device */
optional string ipv4 = 7;
@@ -28,29 +66,10 @@ message auth_reply_msg
optional string ipv4_local = 9;
optional string ipv6_local = 10;
required bytes sid = 11;
/* additional config */
optional string ipv4_netmask = 15;
optional string ipv6_netmask = 16;
optional uint32 ipv6_prefix = 17;
optional uint32 rx_per_sec = 18;
optional uint32 tx_per_sec = 19;
optional uint32 net_priority = 20;
repeated string routes = 21;
repeated string dns = 22;
repeated string nbns = 23;
optional bool no_udp = 24 [default = false];
optional string xml_config_file = 26;
optional string ipv4_network = 27;
optional string ipv6_network = 28;
repeated string no_routes = 29;
required bytes sid = 30;
optional uint32 interim_update_secs = 31;
optional uint32 session_timeout_secs = 32;
optional uint32 ipv6_subnet_prefix = 33;
optional uint32 dpd = 34;
optional uint32 mobile_dpd = 35;
optional uint32 keepalive = 36;
optional uint32 tunnel_all_dns = 37;
optional group_cfg_st config = 20;
}
/* RESUME_FETCH_REQ + RESUME_DELETE_REQ */
@@ -231,38 +250,11 @@ message sec_auth_session_msg
optional string ipv6 = 7;
}
message sec_auth_session_reply_msg
{
required AUTH_REP reply = 1;
optional uint32 interim_update_secs = 2;
optional uint32 session_timeout_secs = 3;
/* sup - config */
optional bool no_udp = 10;
optional bool deny_roaming = 11;
repeated string routes = 13;
repeated string iroutes = 14;
repeated string dns = 15;
repeated string nbns = 16;
optional string ipv4_net = 17;
optional string ipv4_netmask = 18;
optional string ipv6_net = 19;
optional uint32 ipv6_prefix = 20;
optional string cgroup = 21;
optional string xml_config_file = 22;
optional uint32 rx_per_sec = 23;
optional uint32 tx_per_sec = 24;
optional uint32 net_priority = 25;
optional string explicit_ipv4 = 26;
optional string explicit_ipv6 = 27;
repeated string no_routes = 28;
optional uint32 ipv6_subnet_prefix = 29;
optional uint32 dpd = 30;
optional uint32 mobile_dpd = 31;
optional uint32 keepalive = 32;
optional uint32 max_same_clients = 33;
optional uint32 tunnel_all_dns = 34;
optional bool restrict_user_to_routes = 35;
required group_cfg_st config = 2;
}
message sec_refresh_cookie_key
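Review bot: Several tags in this hunk are reused with a different type rather than retired: `config = 20` in auth_reply_msg takes the number `uint32 net_priority` had, `config = 2` in sec_auth_session_reply_msg takes the number `interim_update_secs` had, and `group_name` moves from 25 to 6. A peer built before this change would decode these messages as garbage rather than reject them, so this is only safe if main, sec-mod and worker are always the same build — presumably true since they are forked from one binary, but the .proto does not record that assumption. A comment above group_cfg_st such as `/* Tags were renumbered/reused in this revision; all IPC peers must be built from the same source tree. */` would make it explicit. The new group_cfg_st also starts at tag 2 with tag 1 unused, which is harmless but worth a word so nobody "fixes" it later.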


@@ -50,7 +50,6 @@ int send_cookie_auth_reply(main_server_st* s, struct proc_st* proc,
AUTHREP r)
{
AuthReplyMsg msg = AUTH_REPLY_MSG__INIT;
unsigned i;
int ret;
if (r == AUTH__REP__OK && proc->tun_lease.name[0] != 0) {
@@ -87,94 +86,7 @@ int send_cookie_auth_reply(main_server_st* s, struct proc_st* proc,
ipv6_local, sizeof(ipv6_local), 0);
}
msg.ipv4_netmask = proc->config.ipv4_netmask;
msg.ipv4_network = proc->config.ipv4_network;
msg.ipv6_network = proc->config.ipv6_network;
msg.ipv6_subnet_prefix = proc->config.ipv6_subnet_prefix;
if (proc->ipv6) {
msg.ipv6_prefix = proc->ipv6->prefix;
msg.has_ipv6_prefix = 1;
}
if (proc->config.interim_update_secs) {
msg.has_interim_update_secs = 1;
msg.interim_update_secs = proc->config.interim_update_secs;
}
if (proc->config.session_timeout_secs) {
msg.has_session_timeout_secs = 1;
msg.session_timeout_secs = proc->config.session_timeout_secs;
}
if (proc->config.dpd != 0) {
msg.has_dpd = 1;
msg.dpd = proc->config.dpd;
}
if (proc->config.keepalive != 0) {
msg.has_keepalive = 1;
msg.keepalive = proc->config.keepalive;
}
if (proc->config.mobile_dpd != 0) {
msg.has_mobile_dpd = 1;
msg.mobile_dpd = proc->config.mobile_dpd;
}
if (proc->config.rx_per_sec != 0) {
msg.has_rx_per_sec = 1;
msg.rx_per_sec = proc->config.rx_per_sec;
}
if (proc->config.tx_per_sec != 0) {
msg.has_tx_per_sec = 1;
msg.tx_per_sec = proc->config.tx_per_sec;
}
if (proc->config.net_priority != 0) {
msg.has_net_priority = 1;
msg.net_priority = proc->config.net_priority;
}
if (proc->config.no_udp != 0) {
msg.has_no_udp = 1;
msg.no_udp = proc->config.no_udp;
}
if (proc->config.tunnel_all_dns != 0) {
msg.has_tunnel_all_dns = 1;
msg.tunnel_all_dns = proc->config.tunnel_all_dns;
}
if (proc->config.xml_config_file != NULL) {
msg.xml_config_file = proc->config.xml_config_file;
}
msg.n_dns = proc->config.dns_size;
for (i=0;i<proc->config.dns_size;i++) {
mslog(s, proc, LOG_DEBUG, "sending dns '%s'", proc->config.dns[i]);
msg.dns = proc->config.dns;
}
msg.n_nbns = proc->config.nbns_size;
for (i=0;i<proc->config.nbns_size;i++) {
mslog(s, proc, LOG_DEBUG, "sending nbns '%s'", proc->config.nbns[i]);
msg.nbns = proc->config.nbns;
}
msg.n_routes = proc->config.routes_size;
for (i=0;i<proc->config.routes_size;i++) {
mslog(s, proc, LOG_DEBUG, "sending route '%s'", proc->config.routes[i]);
msg.routes = proc->config.routes;
}
msg.n_no_routes = proc->config.no_routes_size;
for (i=0;i<proc->config.no_routes_size;i++) {
mslog(s, proc, LOG_DEBUG, "sending no-route '%s'", proc->config.no_routes[i]);
msg.no_routes = proc->config.no_routes;
}
msg.config = proc->config;
ret = send_socket_msg_to_worker(s, proc, AUTH_COOKIE_REP, proc->tun_lease.fd,
&msg,
@@ -198,12 +110,6 @@ int send_cookie_auth_reply(main_server_st* s, struct proc_st* proc,
return 0;
}
static void apply_default_sup_config(struct perm_cfg_st *config, struct proc_st *proc)
{
proc->config.deny_roaming = config->config->deny_roaming;
proc->config.no_udp = (config->udp_port!=0)?0:1;
}
int handle_auth_cookie_req(main_server_st* s, struct proc_st* proc,
const AuthCookieRequestMsg * req)
{
@@ -255,11 +161,6 @@ struct proc_st *old_proc;
if (cmsg->groupname)
strlcpy(proc->groupname, cmsg->groupname, sizeof(proc->groupname));
/* cookie is good so far, now read config (in order to know
* whether roaming is allowed or not */
memset(&proc->config, 0, sizeof(proc->config));
apply_default_sup_config(s->perm_config, proc);
/* loads sup config */
ret = session_open(s, proc, req->cookie.data, req->cookie.len);
if (ret < 0) {
@@ -270,12 +171,12 @@ struct proc_st *old_proc;
proc->active_sid = 1;
/* Put into right cgroup */
if (proc->config.cgroup != NULL) {
put_into_cgroup(s, proc->config.cgroup, proc->pid);
if (proc->config->cgroup != NULL) {
put_into_cgroup(s, proc->config->cgroup, proc->pid);
}
/* check whether the cookie IP matches */
if (proc->config.deny_roaming != 0) {
if (proc->config->deny_roaming != 0) {
if (cmsg->ip == NULL) {
return -1;
}
@@ -342,7 +243,7 @@ struct proc_st *ctmp = NULL, *cpos;
unsigned int entries = 1; /* that one */
unsigned max;
if (s->config->max_same_clients == 0 && proc->config.max_same_clients == 0)
if (proc->config->max_same_clients == 0)
return 0;
list_for_each_safe(&s->proc_list.head, ctmp, cpos, list) {
@@ -353,10 +254,7 @@ unsigned max;
}
}
if (proc->config.max_same_clients > 0)
max = proc->config.max_same_clients;
else
max = s->config->max_same_clients;
max = proc->config->max_same_clients;
if (max && entries > max)
return -1;
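Review bot: A per-user/group file that sets `max-same-clients = 0` now disables the limit instead of inheriting the server-wide one: apply_default_config() only substitutes `s->config->max_same_clients` when `has_max_same_clients` is unset, so an explicit 0 reaches `max = proc->config->max_same_clients` and the `if (max && entries > max)` check is skipped, whereas the removed code fell back to the global value for anything not `> 0`. The same shift applies to rx/tx-data-per-sec, dpd and keepalive, which the removed main-ctl-handler code also treated 0 as "use the default" for. If 0 is meant to mean "inherit", the substitution in apply_default_config() should become `if (!gc->has_max_same_clients || gc->max_same_clients == 0)`; if it is now meant to mean "unlimited", the sample config should say so, since it is a relaxation an operator can trip over. The enclosing function starts before this hunk.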


@@ -336,7 +336,7 @@ static int append_user_info(method_ctx *ctx,
rep->conn_time = ctmp->conn_time;
rep->hostname = ctmp->hostname;
rep->user_agent = ctmp->user_agent;
rep->restrict_to_routes = ctmp->config.restrict_user_to_routes;
rep->restrict_to_routes = ctmp->config->restrict_user_to_routes;
if (ctmp->status == PS_AUTH_COMPLETED)
strtmp = "connected";
@@ -360,71 +360,35 @@ static int append_user_info(method_ctx *ctx,
rep->has_mtu = 1;
}
if (ctmp->config.rx_per_sec > 0)
tmp = ctmp->config.rx_per_sec;
else
tmp = ctx->s->config->rx_per_sec;
tmp = ctmp->config->rx_per_sec;
tmp *= 1000;
rep->rx_per_sec = tmp;
if (ctmp->config.tx_per_sec > 0)
tmp = ctmp->config.tx_per_sec;
else
tmp = ctx->s->config->tx_per_sec;
tmp = ctmp->config->tx_per_sec;
tmp *= 1000;
rep->tx_per_sec = tmp;
if (ctmp->config.dpd)
rep->dpd = ctmp->config.dpd;
else
rep->dpd = ctx->s->config->dpd;
rep->dpd = ctmp->config->dpd;
if (ctmp->config.keepalive)
rep->keepalive = ctmp->config.keepalive;
else
rep->dpd = ctx->s->config->dpd;
rep->keepalive = ctmp->config->keepalive;
rep->domains = ctx->s->config->split_dns;
rep->n_domains = ctx->s->config->split_dns_size;
if (ctmp->config.dns_size > 0) {
rep->dns = ctmp->config.dns;
rep->n_dns = ctmp->config.dns_size;
} else {
rep->dns = ctx->s->config->network.dns;
rep->n_dns = ctx->s->config->network.dns_size;
}
rep->dns = ctmp->config->dns;
rep->n_dns = ctmp->config->n_dns;
if (ctmp->config.nbns_size > 0) {
rep->nbns = ctmp->config.nbns;
rep->n_nbns = ctmp->config.nbns_size;
} else {
rep->nbns = ctx->s->config->network.nbns;
rep->n_nbns = ctx->s->config->network.nbns_size;
}
rep->nbns = ctmp->config->nbns;
rep->n_nbns = ctmp->config->n_nbns;
rep->n_routes = ctmp->config.routes_size + ctx->s->config->network.routes_size;
rep->routes = talloc_size(rep, sizeof(char*)*rep->n_routes);
if (rep->routes != NULL) {
memcpy(rep->routes, ctmp->config.routes, sizeof(char*)*ctmp->config.routes_size);
memcpy(&rep->routes[ctmp->config.routes_size], ctx->s->config->network.routes, sizeof(char*)*ctx->s->config->network.routes_size);
} else {
rep->n_routes = 0;
}
rep->n_routes = ctmp->config->n_routes;
rep->routes = ctmp->config->routes;
rep->n_no_routes = ctmp->config.no_routes_size + ctx->s->config->network.no_routes_size;
rep->no_routes = talloc_size(rep, sizeof(char*)*rep->n_no_routes);
if (rep->no_routes != NULL) {
memcpy(rep->no_routes, ctmp->config.no_routes, sizeof(char*)*ctmp->config.no_routes_size);
memcpy(&rep->no_routes[ctmp->config.no_routes_size], ctx->s->config->network.no_routes, sizeof(char*)*ctx->s->config->network.no_routes_size);
} else {
rep->n_no_routes = 0;
}
rep->n_no_routes = ctmp->config->n_no_routes;
rep->no_routes = ctmp->config->no_routes;
if (ctmp->config.iroutes_size > 0) {
rep->iroutes = ctmp->config.iroutes;
rep->n_iroutes = ctmp->config.iroutes_size;
}
rep->iroutes = ctmp->config->iroutes;
rep->n_iroutes = ctmp->config->n_iroutes;
return 0;
}
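Review bot: `ctmp->config` is dereferenced for every process in the list, starting at `rep->restrict_to_routes = ctmp->config->restrict_user_to_routes;`, but remove_iroutes() in this same commit guards `proc->config == NULL`, and the `ctmp->status == PS_AUTH_COMPLETED` check two lines later suggests processes that have not yet completed session_open() are enumerated here as well. If such a process can be listed, a ctl user query would dereference NULL in main. Either skip the config-derived fields when `ctmp->config == NULL` (leaving the rate, dpd, dns and route fields at their defaults, with a comment saying the session is not open yet), or document at the top of append_user_info() that every listed proc has a non-NULL config and make the list walker guarantee it. append_user_info() starts before this hunk.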


@@ -194,13 +194,181 @@ int handle_sec_mod_commands(main_server_st * s)
return ret;
}
static
void apply_default_config(main_server_st *s, proc_st *proc, GroupCfgSt *gc)
{
if (!gc->has_no_udp) {
gc->no_udp = (s->perm_config->udp_port!=0)?0:1;
gc->has_no_udp = 1;
}
if (gc->routes == NULL) {
gc->routes = s->config->network.routes;
gc->n_routes = s->config->network.routes_size;
}
/* if we have known_iroutes, we must append them to the routes list */
if (s->config->known_iroutes_size > 0) {
char **old_routes = gc->routes;
unsigned old_routes_size = gc->n_routes;
unsigned i, j, append;
gc->n_routes = 0;
gc->routes = talloc_size(proc, sizeof(char*)*(old_routes_size+s->config->known_iroutes_size));
for (i=0;i<old_routes_size;i++) {
gc->routes[i] = talloc_strdup(proc, old_routes[i]);
if (gc->routes[i] == NULL)
break;
gc->n_routes++;
}
if (gc->routes) {
/* Append any iroutes that are known and don't match the client's */
for (i=0;i<s->config->known_iroutes_size;i++) {
append = 1;
for (j=0;j<gc->n_iroutes;j++) {
if (strcmp(gc->iroutes[j], s->config->known_iroutes[i]) == 0) {
append = 0;
break;
}
}
if (append) {
gc->routes[gc->n_routes] = talloc_strdup(proc, s->config->known_iroutes[i]);
if (gc->routes[gc->n_routes] == NULL)
break;
gc->n_routes++;
}
}
}
}
if (gc->no_routes == NULL) {
gc->no_routes = s->config->network.no_routes;
gc->n_no_routes = s->config->network.no_routes_size;
}
if (gc->dns == NULL) {
gc->dns = s->config->network.dns;
gc->n_dns = s->config->network.dns_size;
}
if (gc->nbns == NULL) {
gc->nbns = s->config->network.nbns;
gc->n_nbns = s->config->network.nbns_size;
}
if (!gc->has_interim_update_secs) {
gc->interim_update_secs = s->config->stats_report_time;
gc->has_interim_update_secs = 1;
}
if (!gc->has_session_timeout_secs) {
gc->session_timeout_secs = s->config->session_timeout;
gc->has_session_timeout_secs = 1;
}
if (!gc->has_deny_roaming) {
gc->deny_roaming = s->config->deny_roaming;
gc->has_deny_roaming = 1;
}
if (!gc->ipv4_net) {
gc->ipv4_net = s->config->network.ipv4_network;
}
if (!gc->ipv4_netmask) {
gc->ipv4_netmask = s->config->network.ipv4_netmask;
}
if (!gc->ipv6_net) {
gc->ipv6_net = s->config->network.ipv6_network;
}
if (!gc->has_ipv6_prefix) {
gc->ipv6_prefix = s->config->network.ipv6_prefix;
gc->has_ipv6_prefix = 1;
}
if (!gc->has_ipv6_subnet_prefix) {
gc->ipv6_subnet_prefix = s->config->network.ipv6_subnet_prefix;
gc->has_ipv6_subnet_prefix = 1;
}
if (!gc->cgroup) {
gc->cgroup = s->config->cgroup;
}
if (!gc->xml_config_file) {
gc->xml_config_file = s->config->xml_config_file;
}
if (!gc->has_rx_per_sec) {
gc->rx_per_sec = s->config->rx_per_sec;
gc->has_rx_per_sec = 1;
}
if (!gc->has_tx_per_sec) {
gc->tx_per_sec = s->config->tx_per_sec;
gc->has_tx_per_sec = 1;
}
if (!gc->has_net_priority) {
gc->net_priority = s->config->net_priority;
gc->has_net_priority = 1;
}
if (!gc->has_keepalive) {
gc->keepalive = s->config->keepalive;
gc->has_keepalive = 1;
}
if (!gc->has_dpd) {
gc->dpd = s->config->dpd;
gc->has_dpd = 1;
}
if (!gc->has_mobile_dpd) {
gc->mobile_dpd = s->config->mobile_dpd;
gc->has_mobile_dpd = 1;
}
if (!gc->has_max_same_clients) {
gc->max_same_clients = s->config->max_same_clients;
gc->has_max_same_clients = 1;
}
if (!gc->has_tunnel_all_dns) {
gc->tunnel_all_dns = s->config->tunnel_all_dns;
gc->has_tunnel_all_dns = 1;
}
if (!gc->has_restrict_user_to_routes) {
gc->restrict_user_to_routes = s->config->restrict_user_to_routes;
gc->has_restrict_user_to_routes = 1;
}
if (!gc->has_mtu) {
gc->mtu = s->config->network.mtu;
gc->has_mtu = 1;
}
if (!gc->has_idle_timeout) {
gc->idle_timeout = s->config->idle_timeout;
gc->has_idle_timeout = 1;
}
if (!gc->has_mobile_idle_timeout) {
gc->mobile_idle_timeout = s->config->mobile_idle_timeout;
gc->has_mobile_idle_timeout = 1;
}
}
int session_open(main_server_st * s, struct proc_st *proc, const uint8_t *cookie, unsigned cookie_size)
{
int ret, e;
SecAuthSessionMsg ireq = SEC_AUTH_SESSION_MSG__INIT;
SecAuthSessionReplyMsg *msg = NULL;
unsigned i, j, append;
PROTOBUF_ALLOCATOR(pa, proc);
char str_ipv4[MAX_IP_STR];
char str_ipv6[MAX_IP_STR];
@@ -255,142 +423,14 @@ int session_open(main_server_st * s, struct proc_st *proc, const uint8_t *cookie
return -1;
}
if (msg->has_interim_update_secs)
proc->config.interim_update_secs = msg->interim_update_secs;
if (msg->has_session_timeout_secs)
proc->config.session_timeout_secs = msg->session_timeout_secs;
/* fill in group_cfg_st */
if (msg->has_no_udp)
proc->config.no_udp = msg->no_udp;
if (msg->has_restrict_user_to_routes)
proc->config.restrict_user_to_routes = msg->restrict_user_to_routes;
else
proc->config.restrict_user_to_routes = s->config->restrict_user_to_routes;
if (msg->has_max_same_clients)
proc->config.max_same_clients = msg->max_same_clients;
if (msg->has_dpd)
proc->config.dpd = msg->dpd;
if (msg->has_tunnel_all_dns)
proc->config.tunnel_all_dns = msg->tunnel_all_dns;
if (msg->has_keepalive)
proc->config.keepalive = msg->keepalive;
if (msg->has_mobile_dpd)
proc->config.mobile_dpd = msg->mobile_dpd;
if (msg->has_deny_roaming)
proc->config.deny_roaming = msg->deny_roaming;
if (msg->has_ipv6_prefix)
proc->config.ipv6_prefix = msg->ipv6_prefix;
if (msg->rx_per_sec)
proc->config.rx_per_sec = msg->rx_per_sec;
if (msg->tx_per_sec)
proc->config.tx_per_sec = msg->tx_per_sec;
if (msg->net_priority)
proc->config.net_priority = msg->net_priority;
if (msg->ipv4_net) {
proc->config.ipv4_network = talloc_strdup(proc, msg->ipv4_net);
}
if (msg->ipv4_netmask) {
proc->config.ipv4_netmask = talloc_strdup(proc, msg->ipv4_netmask);
}
if (msg->ipv6_net) {
proc->config.ipv6_network = talloc_strdup(proc, msg->ipv6_net);
if (msg->config == NULL) {
mslog(s, proc, LOG_INFO, "received invalid configuration for '%s'; could not initiate session", proc->username);
return -1;
}
if (msg->has_ipv6_subnet_prefix) {
if (msg->ipv6_subnet_prefix != proc->config.ipv6_subnet_prefix) {
mslog(s, proc, LOG_WARNING, "currently a subnet prefix (%u) cannot be different than the default (%u)",
msg->ipv6_subnet_prefix, proc->config.ipv6_prefix);
} else {
proc->config.ipv6_subnet_prefix = msg->ipv6_subnet_prefix;
}
}
proc->config = msg->config;
if (msg->cgroup) {
proc->config.cgroup = talloc_strdup(proc, msg->cgroup);
}
if (msg->xml_config_file) {
proc->config.xml_config_file = talloc_strdup(proc, msg->xml_config_file);
}
if (msg->explicit_ipv4) {
proc->config.explicit_ipv4 = talloc_strdup(proc, msg->explicit_ipv4);
}
if (msg->explicit_ipv6) {
proc->config.explicit_ipv6 = talloc_strdup(proc, msg->explicit_ipv6);
}
/* Append any custom routes for this user */
if (msg->n_routes > 0 || s->config->known_iroutes_size > 0) {
proc->config.routes = talloc_size(proc, sizeof(char*)*(msg->n_routes+s->config->known_iroutes_size));
for (i=0;i<msg->n_routes;i++) {
proc->config.routes[i] = talloc_strdup(proc, msg->routes[i]);
}
proc->config.routes_size = msg->n_routes;
}
/* Append any iroutes that are known and don't match the client's */
for (i=0;i<s->config->known_iroutes_size;i++) {
append = 1;
for (j=0;j<msg->n_iroutes;j++) {
if (strcmp(msg->iroutes[j], s->config->known_iroutes[i]) == 0) {
append = 0;
break;
}
}
if (append) {
proc->config.routes[proc->config.routes_size] = talloc_strdup(proc, s->config->known_iroutes[i]);
proc->config.routes_size++;
}
}
if (msg->n_no_routes > 0) {
proc->config.no_routes = talloc_size(proc, sizeof(char*)*msg->n_no_routes);
for (i=0;i<msg->n_no_routes;i++) {
proc->config.no_routes[i] = talloc_strdup(proc, msg->no_routes[i]);
}
proc->config.no_routes_size = msg->n_no_routes;
}
if (msg->n_iroutes > 0) {
proc->config.iroutes = talloc_size(proc, sizeof(char*)*msg->n_iroutes);
for (i=0;i<msg->n_iroutes;i++) {
proc->config.iroutes[i] = talloc_strdup(proc, msg->iroutes[i]);
}
proc->config.iroutes_size = msg->n_iroutes;
}
if (msg->n_dns > 0) {
proc->config.dns = talloc_size(proc, sizeof(char*)*msg->n_dns);
for (i=0;i<msg->n_dns;i++) {
proc->config.dns[i] = talloc_strdup(proc, msg->dns[i]);
}
proc->config.dns_size = msg->n_dns;
}
if (msg->n_nbns > 0) {
proc->config.nbns = talloc_size(proc, sizeof(char*)*msg->n_nbns);
for (i=0;i<msg->n_nbns;i++) {
proc->config.nbns[i] = talloc_strdup(proc, msg->nbns[i]);
}
proc->config.nbns_size = msg->n_nbns;
}
sec_auth_session_reply_msg__free_unpacked(msg, &pa);
apply_default_config(s, proc, proc->config);
return 0;
}
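Review bot: `proc->config = msg->config;` takes the submessage out of the unpacked reply, `sec_auth_session_reply_msg__free_unpacked(msg, &pa)` is then called, and `apply_default_config(s, proc, proc->config)` dereferences it on the very next line; free_unpacked releases nested messages through the allocator, so unless the free callback behind `PROTOBUF_ALLOCATOR(pa, proc)` is a no-op this is a use-after-free that every later `proc->config->…` access in main (cgroup placement, leases, iroutes, script export) inherits. Nothing in the hunk detaches the submessage before the free. Transfer ownership explicitly instead: `proc->config = msg->config; msg->config = NULL; /* now owned by proc */` before the free_unpacked call, and keep the allocator bound to `proc` so the config is released with the process. The earlier part of session_open() is only visible as context of the previous hunk.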


@@ -71,30 +71,16 @@ static void export_dns_route_info(main_server_st *s, struct proc_st* proc)
/* We use different export strings for IPv4 and IPv6 to ease handling
* with legacy software such as iptables and ip6tables. */
/* append generic routes to str */
for (i=0;i<s->config->network.routes_size;i++) {
APPEND_TO_STR(&str_common, s->config->network.routes[i]);
APPEND_TO_STR(&str_common, " ");
if (strchr(s->config->network.routes[i], ':') != 0) {
APPEND_TO_STR(&str6, s->config->network.routes[i]);
APPEND_TO_STR(&str6, " ");
} else {
APPEND_TO_STR(&str4, s->config->network.routes[i]);
APPEND_TO_STR(&str4, " ");
}
}
/* append custom routes to str */
for (i=0;i<proc->config.routes_size;i++) {
APPEND_TO_STR(&str_common, proc->config.routes[i]);
for (i=0;i<proc->config->n_routes;i++) {
APPEND_TO_STR(&str_common, proc->config->routes[i]);
APPEND_TO_STR(&str_common, " ");
if (strchr(proc->config.routes[i], ':') != 0) {
APPEND_TO_STR(&str6, proc->config.routes[i]);
if (strchr(proc->config->routes[i], ':') != 0) {
APPEND_TO_STR(&str6, proc->config->routes[i]);
APPEND_TO_STR(&str6, " ");
} else {
APPEND_TO_STR(&str4, proc->config.routes[i]);
APPEND_TO_STR(&str4, proc->config->routes[i]);
APPEND_TO_STR(&str4, " ");
}
}
@@ -120,30 +106,16 @@ static void export_dns_route_info(main_server_st *s, struct proc_st* proc)
str_reset(&str6);
str_reset(&str_common);
/* append generic no_routes to str */
for (i=0;i<s->config->network.no_routes_size;i++) {
APPEND_TO_STR(&str_common, s->config->network.no_routes[i]);
APPEND_TO_STR(&str_common, " ");
if (strchr(s->config->network.no_routes[i], ':') != 0) {
APPEND_TO_STR(&str6, s->config->network.no_routes[i]);
APPEND_TO_STR(&str6, " ");
} else {
APPEND_TO_STR(&str4, s->config->network.no_routes[i]);
APPEND_TO_STR(&str4, " ");
}
}
/* append custom no_routes to str */
for (i=0;i<proc->config.no_routes_size;i++) {
APPEND_TO_STR(&str_common, proc->config.no_routes[i]);
for (i=0;i<proc->config->n_no_routes;i++) {
APPEND_TO_STR(&str_common, proc->config->no_routes[i]);
APPEND_TO_STR(&str_common, " ");
if (strchr(proc->config.no_routes[i], ':') != 0) {
APPEND_TO_STR(&str6, proc->config.no_routes[i]);
if (strchr(proc->config->no_routes[i], ':') != 0) {
APPEND_TO_STR(&str6, proc->config->no_routes[i]);
APPEND_TO_STR(&str6, " ");
} else {
APPEND_TO_STR(&str4, proc->config.no_routes[i]);
APPEND_TO_STR(&str4, proc->config->no_routes[i]);
APPEND_TO_STR(&str4, " ");
}
}
@@ -169,29 +141,16 @@ static void export_dns_route_info(main_server_st *s, struct proc_st* proc)
str_reset(&str6);
str_reset(&str_common);
if (proc->config.dns_size > 0) {
for (i=0;i<proc->config.dns_size;i++) {
APPEND_TO_STR(&str_common, proc->config.dns[i]);
if (proc->config->n_dns > 0) {
for (i=0;i<proc->config->n_dns;i++) {
APPEND_TO_STR(&str_common, proc->config->dns[i]);
APPEND_TO_STR(&str_common, " ");
if (strchr(proc->config.dns[i], ':') != 0) {
APPEND_TO_STR(&str6, proc->config.dns[i]);
if (strchr(proc->config->dns[i], ':') != 0) {
APPEND_TO_STR(&str6, proc->config->dns[i]);
APPEND_TO_STR(&str6, " ");
} else {
APPEND_TO_STR(&str4, proc->config.dns[i]);
APPEND_TO_STR(&str4, " ");
}
}
} else {
for (i=0;i<s->config->network.dns_size;i++) {
APPEND_TO_STR(&str_common, s->config->network.dns[i]);
APPEND_TO_STR(&str_common, " ");
if (strchr(s->config->network.dns[i], ':') != 0) {
APPEND_TO_STR(&str6, s->config->network.dns[i]);
APPEND_TO_STR(&str6, " ");
} else {
APPEND_TO_STR(&str4, s->config->network.dns[i]);
APPEND_TO_STR(&str4, proc->config->dns[i]);
APPEND_TO_STR(&str4, " ");
}
}
@@ -229,7 +188,7 @@ const char* script, *next_script = NULL;
else
script = s->config->disconnect_script;
if (proc->config.restrict_user_to_routes) {
if (proc->config->restrict_user_to_routes) {
next_script = script;
script = OCSERV_FW_SCRIPT;
}
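Review bot: The comments `/* append custom routes to str */` and `/* append custom no_routes to str */` are now misleading: the loops over the global `s->config->network.routes`/`no_routes` were deleted, so `proc->config->routes` is the single effective list (per-user entries, or the global defaults that apply_default_config() substitutes when none are set). Something like `/* export the effective route list; defaults were already merged into proc->config by apply_default_config() */` would match what the code does, and matters here because OCSERV_FW_SCRIPT consumes these exports when restrict-user-to-routes is set. The `if (proc->config->n_dns > 0)` wrapper around the DNS loop is likewise a leftover of the removed else branch and can go, since a zero count makes the loop a no-op. The function starts before its first hunk.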


@@ -144,7 +144,8 @@ typedef struct proc_st {
uint64_t bytes_out;
unsigned applied_iroutes; /* whether the iroutes in the config have been successfully applied */
struct group_cfg_st config; /* custom user/group config */
GroupCfgSt *config; /* custom user/group config */
} proc_st;
struct ip_lease_db_st {
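Review bot: The field comment should say when `config` is valid now that it is a pointer rather than an embedded struct: remove_iroutes() in this commit tests it for NULL, so it is evidently NULL for a proc that has not completed session_open(), yet most other users in this commit dereference it unconditionally. Suggest `GroupCfgSt *config; /* effective user/group config; NULL until session_open() succeeds; talloc-owned by this proc */`. The ownership clause should be confirmed against session_open(), which takes the submessage out of a reply unpacked with a proc-bound allocator.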


@@ -590,15 +590,14 @@ no-route = 192.168.5.0/255.255.255.0
# explicit-ipv4, explicit-ipv6, net-priority, deny-roaming, no-udp,
# keepalive, dpd, mobile-dpd, max-same-clients, tunnel-all-dns,
# restrict-user-to-routes, user-profile, cgroup, stats-report-time,
# and session-timeout.
# mtu, idle-timeout, mobile-idle-timeout, and session-timeout.
#
# Note that the 'iroute' option allows to add routes on the server
# based on a user or group. The syntax depends on the input accepted
# by the commands route-add-cmd and route-del-cmd (see below). The no-udp
# is a boolean option (e.g., no-udp = true), and will prevent a UDP session
# for that specific user or group. Note also, that, any DNS or NBNS servers
# present will overwrite the global ones, while any routes or no-routes set
# will be appended to the default set.
# for that specific user or group. Note also, that, any routes, no-routes,
# DNS or NBNS servers present will overwrite the global ones.
#
# Also explicit addresses, are only allowed when they are odd. In that
# case the next even address will be used as the remote address (in PtP).


@@ -163,11 +163,11 @@ int apply_iroutes(struct main_server_st* s, struct proc_st *proc)
unsigned i, j;
int ret;
if (proc->config.iroutes_size == 0)
if (proc->config->n_iroutes == 0)
return 0;
for (i=0;i<proc->config.iroutes_size;i++) {
ret = route_add(s, proc, proc->config.iroutes[i], proc->tun_lease.name);
for (i=0;i<proc->config->n_iroutes;i++) {
ret = route_add(s, proc, proc->config->iroutes[i], proc->tun_lease.name);
if (ret < 0)
goto fail;
}
@@ -176,7 +176,7 @@ int ret;
return 0;
fail:
for (j=0;j<i;j++)
route_del(s, proc, proc->config.iroutes[j], proc->tun_lease.name);
route_del(s, proc, proc->config->iroutes[j], proc->tun_lease.name);
return -1;
}
@@ -188,11 +188,11 @@ void remove_iroutes(struct main_server_st* s, struct proc_st *proc)
{
unsigned i;
if (proc->config.iroutes_size == 0 || proc->applied_iroutes == 0)
if (proc->config == NULL || proc->config->n_iroutes == 0 || proc->applied_iroutes == 0)
return;
for (i=0;i<proc->config.iroutes_size;i++) {
route_del(s, proc, proc->config.iroutes[i], proc->tun_lease.name);
for (i=0;i<proc->config->n_iroutes;i++) {
route_del(s, proc, proc->config->iroutes[i], proc->tun_lease.name);
}
proc->applied_iroutes = 0;
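Review bot: apply_iroutes() and remove_iroutes() are now asymmetric about `proc->config`: the removal path checks `proc->config == NULL` but `if (proc->config->n_iroutes == 0)` in apply_iroutes() does not. If the NULL case is reachable only while tearing down a proc that never finished session_open(), a comment on apply_iroutes() stating that it requires an opened session is enough; otherwise mirror the guard, `if (proc->config == NULL || proc->config->n_iroutes == 0) return 0;`. The route_add()/route_del() rollback on partial failure is kept intact by this change. Both function signatures sit outside the hunks.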


@@ -408,6 +408,9 @@ int handle_sec_auth_session_open(sec_mod_st *sec, int fd, const SecAuthSessionMs
void *lpool;
int ret;
SecAuthSessionReplyMsg rep = SEC_AUTH_SESSION_REPLY_MSG__INIT;
GroupCfgSt _cfg = GROUP_CFG_ST__INIT;
rep.config = &_cfg;
if (req->sid.len != SID_SIZE) {
seclog(sec, LOG_ERR, "auth session open but with illegal sid size (%d)!",


@@ -67,8 +67,11 @@ static struct cfg_options available_options[] = {
{ .name = "rx-data-per-sec", .type = OPTION_NUMERIC },
{ .name = "tx-data-per-sec", .type = OPTION_NUMERIC },
{ .name = "net-priority", .type = OPTION_STRING },
{ .name = "mtu", .type = OPTION_NUMERIC },
{ .name = "dpd", .type = OPTION_NUMERIC },
{ .name = "mobile-dpd", .type = OPTION_NUMERIC },
{ .name = "idle-timeout", .type = OPTION_NUMERIC },
{ .name = "mobile-idle-timeout", .type = OPTION_NUMERIC },
{ .name = "keepalive", .type = OPTION_NUMERIC },
{ .name = "cgroup", .type = OPTION_STRING },
{ .name = "user-profile", .type = OPTION_STRING },
@@ -181,90 +184,93 @@ unsigned j;
prev = val;
} while((val = optionNextValue(pov, prev)) != NULL);
READ_TF("no-udp", msg->no_udp, msg->has_no_udp);
READ_TF("restrict-user-to-routes", msg->restrict_user_to_routes, msg->has_restrict_user_to_routes);
READ_TF("tunnel_all_dns", msg->tunnel_all_dns, msg->has_tunnel_all_dns);
READ_TF("deny-roaming", msg->deny_roaming, msg->has_deny_roaming);
READ_TF("no-udp", msg->config->no_udp, msg->config->has_no_udp);
READ_TF("restrict-user-to-routes", msg->config->restrict_user_to_routes, msg->config->has_restrict_user_to_routes);
READ_TF("tunnel_all_dns", msg->config->tunnel_all_dns, msg->config->has_tunnel_all_dns);
READ_TF("deny-roaming", msg->config->deny_roaming, msg->config->has_deny_roaming);
READ_RAW_MULTI_LINE("route", msg->routes, msg->n_routes);
READ_RAW_MULTI_LINE("no-route", msg->no_routes, msg->n_no_routes);
READ_RAW_MULTI_LINE("iroute", msg->iroutes, msg->n_iroutes);
READ_RAW_MULTI_LINE("route", msg->config->routes, msg->config->n_routes);
READ_RAW_MULTI_LINE("no-route", msg->config->no_routes, msg->config->n_no_routes);
READ_RAW_MULTI_LINE("iroute", msg->config->iroutes, msg->config->n_iroutes);
for (j=0;j<msg->n_routes;j++) {
if (ip_route_sanity_check(msg->routes, &msg->routes[j]) != 0) {
for (j=0;j<msg->config->n_routes;j++) {
if (ip_route_sanity_check(msg->config->routes, &msg->config->routes[j]) != 0) {
ret = ERR_READ_CONFIG;
goto fail;
}
}
for (j=0;j<msg->n_iroutes;j++) {
if (ip_route_sanity_check(msg->iroutes, &msg->iroutes[j]) != 0) {
for (j=0;j<msg->config->n_iroutes;j++) {
if (ip_route_sanity_check(msg->config->iroutes, &msg->config->iroutes[j]) != 0) {
ret = ERR_READ_CONFIG;
goto fail;
}
}
for (j=0;j<msg->n_no_routes;j++) {
if (ip_route_sanity_check(msg->no_routes, &msg->no_routes[j]) != 0) {
for (j=0;j<msg->config->n_no_routes;j++) {
if (ip_route_sanity_check(msg->config->no_routes, &msg->config->no_routes[j]) != 0) {
ret = ERR_READ_CONFIG;
goto fail;
}
}
READ_RAW_MULTI_LINE("dns", msg->dns, msg->n_dns);
if (msg->n_dns == 0) {
READ_RAW_MULTI_LINE("dns", msg->config->dns, msg->config->n_dns);
if (msg->config->n_dns == 0) {
/* try aliases */
READ_RAW_MULTI_LINE("ipv6-dns", msg->dns, msg->n_dns);
READ_RAW_MULTI_LINE("ipv4-dns", msg->dns, msg->n_dns);
READ_RAW_MULTI_LINE("ipv6-dns", msg->config->dns, msg->config->n_dns);
READ_RAW_MULTI_LINE("ipv4-dns", msg->config->dns, msg->config->n_dns);
}
READ_RAW_MULTI_LINE("nbns", msg->nbns, msg->n_nbns);
if (msg->n_nbns == 0) {
READ_RAW_MULTI_LINE("nbns", msg->config->nbns, msg->config->n_nbns);
if (msg->config->n_nbns == 0) {
/* try aliases */
READ_RAW_MULTI_LINE("ipv6-nbns", msg->nbns, msg->n_nbns);
READ_RAW_MULTI_LINE("ipv4-nbns", msg->nbns, msg->n_nbns);
READ_RAW_MULTI_LINE("ipv6-nbns", msg->config->nbns, msg->config->n_nbns);
READ_RAW_MULTI_LINE("ipv4-nbns", msg->config->nbns, msg->config->n_nbns);
}
READ_RAW_STRING("cgroup", msg->cgroup);
READ_RAW_STRING("ipv4-network", msg->ipv4_net);
READ_RAW_STRING("ipv6-network", msg->ipv6_net);
READ_RAW_STRING("ipv4-netmask", msg->ipv4_netmask);
READ_RAW_STRING("explicit-ipv4", msg->explicit_ipv4);
READ_RAW_STRING("explicit-ipv6", msg->explicit_ipv6);
READ_RAW_STRING("cgroup", msg->config->cgroup);
READ_RAW_STRING("ipv4-network", msg->config->ipv4_net);
READ_RAW_STRING("ipv6-network", msg->config->ipv6_net);
READ_RAW_STRING("ipv4-netmask", msg->config->ipv4_netmask);
READ_RAW_STRING("explicit-ipv4", msg->config->explicit_ipv4);
READ_RAW_STRING("explicit-ipv6", msg->config->explicit_ipv6);
READ_RAW_NUMERIC("ipv6-subnet-prefix", msg->ipv6_subnet_prefix, msg->has_ipv6_subnet_prefix);
READ_RAW_NUMERIC("ipv6-subnet-prefix", msg->config->ipv6_subnet_prefix, msg->config->has_ipv6_subnet_prefix);
msg->ipv6_prefix = extract_prefix(msg->ipv6_net);
if (msg->ipv6_prefix == 0) {
READ_RAW_NUMERIC("ipv6-prefix", msg->ipv6_prefix, msg->has_ipv6_prefix);
msg->config->ipv6_prefix = extract_prefix(msg->config->ipv6_net);
if (msg->config->ipv6_prefix == 0) {
READ_RAW_NUMERIC("ipv6-prefix", msg->config->ipv6_prefix, msg->config->has_ipv6_prefix);
} else {
msg->has_ipv6_prefix = 1;
msg->config->has_ipv6_prefix = 1;
}
if (msg->has_ipv6_prefix != 0) {
if (valid_ipv6_prefix(msg->ipv6_prefix) == 0) {
if (msg->config->has_ipv6_prefix != 0) {
if (valid_ipv6_prefix(msg->config->ipv6_prefix) == 0) {
syslog(LOG_ERR, "unknown ipv6-prefix '%u' in %s", prefix, file);
}
}
READ_RAW_NUMERIC("rx-data-per-sec", msg->rx_per_sec, msg->has_rx_per_sec);
READ_RAW_NUMERIC("tx-data-per-sec", msg->tx_per_sec, msg->has_tx_per_sec);
msg->rx_per_sec /= 1000; /* in kb */
msg->tx_per_sec /= 1000; /* in kb */
READ_RAW_NUMERIC("rx-data-per-sec", msg->config->rx_per_sec, msg->config->has_rx_per_sec);
READ_RAW_NUMERIC("tx-data-per-sec", msg->config->tx_per_sec, msg->config->has_tx_per_sec);
msg->config->rx_per_sec /= 1000; /* in kb */
msg->config->tx_per_sec /= 1000; /* in kb */
READ_RAW_NUMERIC("stats-report-time", msg->interim_update_secs, msg->has_interim_update_secs);
READ_RAW_NUMERIC("session-timeout", msg->session_timeout_secs, msg->has_session_timeout_secs);
READ_RAW_NUMERIC("stats-report-time", msg->config->interim_update_secs, msg->config->has_interim_update_secs);
READ_RAW_NUMERIC("session-timeout", msg->config->session_timeout_secs, msg->config->has_session_timeout_secs);
READ_RAW_NUMERIC("dpd", msg->dpd, msg->has_dpd);
READ_RAW_NUMERIC("mobile-dpd", msg->mobile_dpd, msg->has_mobile_dpd);
READ_RAW_NUMERIC("keepalive", msg->keepalive, msg->has_keepalive);
READ_RAW_NUMERIC("max-same-clients", msg->max_same_clients, msg->has_max_same_clients);
READ_RAW_NUMERIC("mtu", msg->config->mtu, msg->config->has_mtu);
READ_RAW_NUMERIC("dpd", msg->config->dpd, msg->config->has_dpd);
READ_RAW_NUMERIC("mobile-dpd", msg->config->mobile_dpd, msg->config->has_mobile_dpd);
READ_RAW_NUMERIC("idle-timeout", msg->config->idle_timeout, msg->config->has_idle_timeout);
READ_RAW_NUMERIC("mobile-idle-timeout", msg->config->mobile_idle_timeout, msg->config->has_mobile_idle_timeout);
READ_RAW_NUMERIC("keepalive", msg->config->keepalive, msg->config->has_keepalive);
READ_RAW_NUMERIC("max-same-clients", msg->config->max_same_clients, msg->config->has_max_same_clients);
/* net-priority will contain the actual priority + 1,
* to allow having zero as uninitialized. */
READ_RAW_PRIO_TOS("net-priority", msg->net_priority, msg->has_net_priority);
READ_RAW_PRIO_TOS("net-priority", msg->config->net_priority, msg->config->has_net_priority);
READ_RAW_STRING("user-profile", msg->xml_config_file);
READ_RAW_STRING("user-profile", msg->config->xml_config_file);
ret = 0;
fail:
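Review bot: An invalid ipv6-prefix is logged but still accepted: inside the new `if (valid_ipv6_prefix(msg->config->ipv6_prefix) == 0)` block the only action is the syslog call, so has_ipv6_prefix stays set and the value travels in GroupCfgSt to main and the worker, which in the connect_handler hunk prints it straight into the X-CSTP-Address-IP6 and X-CSTP-Netmask headers. The route checks a few lines above treat a sanity failure as `ret = ERR_READ_CONFIG; goto fail;`, and the same treatment fits here. The log line also prints `prefix` rather than `msg->config->ipv6_prefix`; unless `prefix` is kept in sync somewhere not visible on this page, the reported value is not the one that was rejected. The enclosing function starts and ends outside the hunk.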


@@ -48,34 +48,34 @@ static int get_sup_config(struct cfg_st *cfg, client_entry_st *entry,
if (pctx == NULL)
return 0;
msg->interim_update_secs = pctx->interim_interval_secs;
if (msg->interim_update_secs > 0)
msg->has_interim_update_secs = 1;
msg->config->interim_update_secs = pctx->interim_interval_secs;
if (msg->config->interim_update_secs > 0)
msg->config->has_interim_update_secs = 1;
msg->session_timeout_secs = pctx->session_timeout_secs;
if (msg->session_timeout_secs > 0)
msg->has_session_timeout_secs = 1;
msg->config->session_timeout_secs = pctx->session_timeout_secs;
if (msg->config->session_timeout_secs > 0)
msg->config->has_session_timeout_secs = 1;
if (pctx->ipv4[0] != 0) {
msg->explicit_ipv4 = talloc_strdup(pool, pctx->ipv4);
msg->config->explicit_ipv4 = talloc_strdup(pool, pctx->ipv4);
}
if (pctx->ipv4_mask[0] != 0) {
msg->ipv4_netmask = talloc_strdup(pool, pctx->ipv4_mask);
msg->config->ipv4_netmask = talloc_strdup(pool, pctx->ipv4_mask);
}
if (pctx->routes_size > 0) {
msg->routes = talloc_size(pool, pctx->routes_size*sizeof(char*));
if (msg->routes != NULL) {
msg->config->routes = talloc_size(pool, pctx->routes_size*sizeof(char*));
if (msg->config->routes != NULL) {
for (i=0;i<pctx->routes_size;i++) {
msg->routes[i] = talloc_strdup(pool, pctx->routes[i]);
msg->config->routes[i] = talloc_strdup(pool, pctx->routes[i]);
}
msg->n_routes = pctx->routes_size;
msg->config->n_routes = pctx->routes_size;
}
}
for (i=0;i<msg->n_routes;i++) {
ip_route_sanity_check(msg->routes, &msg->routes[i]);
for (i=0;i<msg->config->n_routes;i++) {
ip_route_sanity_check(msg->config->routes, &msg->config->routes[i]);
}
if (pctx->ipv4_dns1[0] != 0)
@@ -88,33 +88,33 @@ static int get_sup_config(struct cfg_st *cfg, client_entry_st *entry,
dns++;
if (dns > 0) {
msg->dns = talloc_size(pool, dns*sizeof(char*));
if (msg->dns != NULL) {
msg->config->dns = talloc_size(pool, dns*sizeof(char*));
if (msg->config->dns != NULL) {
unsigned pos = 0;
if (pctx->ipv4_dns1[0] != 0)
msg->dns[pos++] = talloc_strdup(pool, pctx->ipv4_dns1);
msg->config->dns[pos++] = talloc_strdup(pool, pctx->ipv4_dns1);
if (pctx->ipv4_dns2[0] != 0)
msg->dns[pos++] = talloc_strdup(pool, pctx->ipv4_dns2);
msg->config->dns[pos++] = talloc_strdup(pool, pctx->ipv4_dns2);
if (pctx->ipv6_dns1[0] != 0)
msg->dns[pos++] = talloc_strdup(pool, pctx->ipv6_dns1);
msg->config->dns[pos++] = talloc_strdup(pool, pctx->ipv6_dns1);
if (pctx->ipv6_dns2[0] != 0)
msg->dns[pos++] = talloc_strdup(pool, pctx->ipv6_dns2);
msg->config->dns[pos++] = talloc_strdup(pool, pctx->ipv6_dns2);
msg->n_dns = dns;
msg->config->n_dns = dns;
}
}
if (pctx->ipv6[0] != 0) {
msg->explicit_ipv6 = talloc_strdup(pool, pctx->ipv6);
msg->config->explicit_ipv6 = talloc_strdup(pool, pctx->ipv6);
}
if (pctx->ipv6_net[0] != 0) {
msg->ipv6_net = talloc_strdup(pool, pctx->ipv6_net);
msg->config->ipv6_net = talloc_strdup(pool, pctx->ipv6_net);
}
if (pctx->ipv6_subnet_prefix != 0) {
msg->ipv6_subnet_prefix = pctx->ipv6_subnet_prefix;
msg->has_ipv6_subnet_prefix = 1;
msg->config->ipv6_subnet_prefix = pctx->ipv6_subnet_prefix;
msg->config->has_ipv6_subnet_prefix = 1;
}
return 0;
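Review bot: The result of `ip_route_sanity_check(msg->config->routes, &msg->config->routes[i])` is discarded, whereas the config-file reader in this same commit treats a non-zero return as ERR_READ_CONFIG; routes that arrive from the authentication backend (pctx) therefore get the weaker treatment even though they originate outside the server's own files. If the check can fail for a malformed route, this loop should fail as well, e.g. `if (ip_route_sanity_check(msg->config->routes, &msg->config->routes[i]) != 0) return -1;` with whatever error value get_sup_config's callers expect — its prototype is cut off above the hunk. The `talloc_strdup` results stored into routes[i], dns[pos++] and the explicit_ipv4/ipv6 fields are also unchecked, so a NULL entry in routes would reach the sanity check and later the strcmp in the worker's check_if_default_route. The function starts outside the hunk.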


@@ -507,10 +507,23 @@ int get_cert_names(worker_st * ws, const gnutls_datum_t * raw)
}
static
unsigned check_if_default_route(char **routes, unsigned routes_size)
{
unsigned i;
for (i=0;i<routes_size;i++) {
if (strcmp(routes[i], "default") == 0 ||
strcmp(routes[i], "0.0.0.0/0") == 0)
return 1;
}
return 0;
}
/* auth reply from main process */
static int recv_cookie_auth_reply(worker_st * ws)
{
unsigned i;
int ret;
int socketfd = -1;
AuthReplyMsg *msg = NULL;
@@ -533,7 +546,7 @@ static int recv_cookie_auth_reply(worker_st * ws)
if (socketfd != -1) {
ws->tun_fd = socketfd;
if (msg->vname == NULL || msg->user_name == NULL || msg->sid.len != sizeof(ws->sid)) {
if (msg->vname == NULL || msg->config == NULL || msg->user_name == NULL || msg->sid.len != sizeof(ws->sid)) {
ret = ERR_AUTH_FAIL;
goto cleanup;
}
@@ -554,17 +567,7 @@ static int recv_cookie_auth_reply(worker_st * ws)
memcpy(ws->session_id, msg->session_id.data,
msg->session_id.len);
if (msg->has_interim_update_secs) {
oclog(ws, LOG_DEBUG, "overriding stats-report-time with auth server's value (%u)",
(unsigned)msg->interim_update_secs);
ws->config->stats_report_time = msg->interim_update_secs;
}
if (msg->has_session_timeout_secs) {
oclog(ws, LOG_DEBUG, "overriding session-timeout with auth server's value (%u)",
(unsigned)msg->session_timeout_secs);
ws->config->session_timeout = msg->session_timeout_secs;
}
ws->user_config = msg->config;
if (msg->ipv4 != NULL) {
talloc_free(ws->vinfo.ipv4);
@@ -602,107 +605,12 @@ static int recv_cookie_auth_reply(worker_st * ws)
talloc_strdup(ws, msg->ipv6_local);
}
/* Read any additional data */
if (msg->ipv4_netmask != NULL) {
talloc_free(ws->config->network.ipv4_netmask);
ws->config->network.ipv4_netmask =
talloc_strdup(ws, msg->ipv4_netmask);
}
if (msg->ipv4_network != NULL) {
talloc_free(ws->config->network.ipv4_network);
ws->config->network.ipv4_network =
talloc_strdup(ws, msg->ipv4_network);
}
if (msg->ipv6_network != NULL) {
talloc_free(ws->config->network.ipv6_network);
ws->config->network.ipv6_network =
talloc_strdup(ws, msg->ipv6_network);
}
if (msg->has_ipv6_prefix) {
ws->config->network.ipv6_prefix = msg->ipv6_prefix;
}
if (msg->has_ipv6_subnet_prefix) {
ws->config->network.ipv6_subnet_prefix = msg->ipv6_subnet_prefix;
}
if (msg->has_dpd)
ws->config->dpd = msg->dpd;
if (msg->has_keepalive)
ws->config->keepalive = msg->keepalive;
if (msg->has_mobile_dpd)
ws->config->mobile_dpd = msg->mobile_dpd;
if (msg->has_rx_per_sec)
ws->config->rx_per_sec = msg->rx_per_sec;
if (msg->has_tx_per_sec)
ws->config->tx_per_sec = msg->tx_per_sec;
if (msg->has_net_priority)
ws->config->net_priority = msg->net_priority;
if (msg->has_no_udp && msg->no_udp != 0)
if (msg->config->no_udp != 0)
ws->perm_config->udp_port = 0;
if (msg->xml_config_file) {
talloc_free(ws->config->xml_config_file);
ws->config->xml_config_file = talloc_strdup(ws, msg->xml_config_file);
}
/* routes */
ws->routes = talloc_size(ws, msg->n_routes*sizeof(char*));
if (ws->routes != NULL) {
ws->routes_size = msg->n_routes;
for (i = 0; i < ws->routes_size; i++) {
ws->routes[i] =
talloc_strdup(ws, msg->routes[i]);
/* If a default route is detected */
if (ws->routes[i] != NULL &&
(strcmp(ws->routes[i], "default") == 0 ||
strcmp(ws->routes[i], "0.0.0.0/0") == 0)) {
/* disable all routes */
ws->routes_size = 0;
ws->default_route = 1;
break;
}
}
}
if (check_if_default_route(ws->routes, ws->routes_size))
if (check_if_default_route(msg->config->routes, msg->config->n_routes))
ws->default_route = 1;
ws->no_routes = talloc_size(ws, msg->n_no_routes*sizeof(char*));
if (ws->no_routes != NULL) {
ws->no_routes_size = msg->n_no_routes;
for (i = 0; i < ws->no_routes_size; i++) {
ws->no_routes[i] =
talloc_strdup(ws, msg->no_routes[i]);
}
}
ws->dns = talloc_size(ws, msg->n_dns*sizeof(char*));
if (ws->dns != NULL) {
ws->dns_size = msg->n_dns;
for (i = 0; i < ws->dns_size; i++) {
ws->dns[i] = talloc_strdup(ws, msg->dns[i]);
}
}
ws->nbns = talloc_size(ws, msg->n_nbns*sizeof(char*));
if (ws->nbns != NULL) {
ws->nbns_size = msg->n_nbns;
for (i = 0; i < ws->nbns_size; i++) {
ws->nbns[i] = talloc_strdup(ws, msg->nbns[i]);
}
}
} else {
oclog(ws, LOG_ERR, "error in received message");
ret = ERR_AUTH_FAIL;
@@ -720,7 +628,12 @@ static int recv_cookie_auth_reply(worker_st * ws)
ret = 0;
cleanup:
auth_reply_msg__free_unpacked(msg, &pa);
if (ret < 0) {
/* we only release on error, as the user configuration
* remains. */
auth_reply_msg__free_unpacked(msg, &pa);
ws->user_config = NULL;
}
return ret;
}
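Review bot: `ws->user_config = msg->config;` hands the worker a pointer into the unpacked AuthReplyMsg and the cleanup block now deliberately keeps msg alive on success, but nothing at the assignment records that ownership: the previous ws->user_config value is overwritten without release, so if recv_cookie_auth_reply can run more than once in a worker (not visible here) the earlier message leaks, and a reader of worker.h cannot tell who frees the struct. A comment at the assignment would settle it, e.g. `/* user_config aliases the unpacked msg; msg is intentionally not freed on success and lives as long as the worker */`. The added `msg->config == NULL` test on the vname/user_name line is the right guard, but the strings inside config (routes[], dns[], nbns[], xml_config_file) are later used without a per-element NULL check, unlike the removed loop that tested `ws->routes[i] != NULL`; if protobuf-c guarantees non-NULL repeated strings, a line saying so next to check_if_default_route would spare the next reviewer the question.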


@@ -48,15 +48,15 @@ int ret;
struct stat st;
oclog(ws, LOG_HTTP_DEBUG, "requested config: %s", ws->req.url);
if (ws->config->xml_config_file == NULL) {
if (ws->user_config->xml_config_file == NULL) {
oclog(ws, LOG_INFO, "requested config but no config file is set");
cstp_printf(ws, "HTTP/1.%u 404 Not found\r\n", http_ver);
return -1;
}
ret = stat( ws->config->xml_config_file, &st);
ret = stat( ws->user_config->xml_config_file, &st);
if (ret == -1) {
oclog(ws, LOG_INFO, "cannot load config file '%s'", ws->config->xml_config_file);
oclog(ws, LOG_INFO, "cannot load config file '%s'", ws->user_config->xml_config_file);
cstp_printf(ws, "HTTP/1.%u 404 Not found\r\n", http_ver);
return -1;
}
@@ -90,9 +90,9 @@ struct stat st;
if (ret < 0)
return -1;
ret = cstp_send_file(ws, ws->config->xml_config_file);
ret = cstp_send_file(ws, ws->user_config->xml_config_file);
if (ret < 0) {
oclog(ws, LOG_ERR, "error sending file '%s': %s", ws->config->xml_config_file, gnutls_strerror(ret));
oclog(ws, LOG_ERR, "error sending file '%s': %s", ws->user_config->xml_config_file, gnutls_strerror(ret));
return -1;
}
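Review bot: `ws->user_config->xml_config_file` is dereferenced without checking ws->user_config itself; that pointer is set in recv_cookie_auth_reply and reset to NULL on its error path, so if this URL handler can be reached before a successful authentication reply the worker dies on a NULL dereference instead of answering 404. A guard in the first condition covers both cases: `if (ws->user_config == NULL || ws->user_config->xml_config_file == NULL) {`. Note also that the server-wide `ws->config->xml_config_file` is no longer consulted here, so a global user-profile keeps working only if sec-mod folds it into the per-user message, which this page does not show. The enclosing handler starts and ends outside the hunks.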


@@ -180,19 +180,6 @@ udp_fd_fail:
return -1;
}
unsigned check_if_default_route(char **routes, unsigned routes_size)
{
unsigned i;
for (i=0;i<routes_size;i++) {
if (strcmp(routes[i], "default") == 0 ||
strcmp(routes[i], "0.0.0.0/0") == 0)
return 1;
}
return 0;
}
/* Completes the VPN device information.
*
* Returns 0 on success.
@@ -206,42 +193,6 @@ int complete_vpn_info(worker_st * ws, struct vpn_st *vinfo)
return -1;
}
if (ws->dns_size > 0) {
vinfo->dns_size = ws->dns_size;
vinfo->dns = ws->dns;
} else {
vinfo->dns_size = ws->config->network.dns_size;
if (ws->config->network.dns_size > 0)
vinfo->dns = ws->config->network.dns;
}
if (ws->nbns_size > 0) {
vinfo->nbns_size = ws->nbns_size;
vinfo->nbns = ws->nbns;
} else {
vinfo->nbns_size = ws->config->network.nbns_size;
if (ws->config->network.nbns_size > 0)
vinfo->nbns = ws->config->network.nbns;
}
vinfo->routes_size = ws->config->network.routes_size;
if (ws->config->network.routes_size > 0)
vinfo->routes = ws->config->network.routes;
if (check_if_default_route(vinfo->routes, vinfo->routes_size))
ws->default_route = 1;
vinfo->no_routes_size = ws->config->network.no_routes_size;
if (ws->config->network.no_routes_size > 0)
vinfo->no_routes = ws->config->network.no_routes;
vinfo->ipv4_network = ws->config->network.ipv4_network;
vinfo->ipv6_network = ws->config->network.ipv6_network;
vinfo->ipv4_netmask = ws->config->network.ipv4_netmask;
vinfo->ipv6_prefix = ws->config->network.ipv6_prefix;
vinfo->ipv6_subnet_prefix = ws->config->network.ipv6_subnet_prefix;
if (ws->config->network.mtu != 0) {
vinfo->mtu = ws->config->network.mtu;
} else {
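Review bot: The fallbacks to the server-wide settings are removed without a replacement visible in this commit: the deleted branches used ws->config->network.dns/nbns/routes/no_routes when no per-user values existed, and the connect_handler hunk now iterates only `ws->user_config->n_dns`, `n_nbns`, `routes` and `no_routes`. Unless sec-mod merges the global defaults into GroupCfgSt for users whose own config leaves them unset, such clients now receive no DNS servers or routes at all. Whichever is the case, a comment at the head of complete_vpn_info stating where global/per-user merging now happens would save the next reader the search. complete_vpn_info starts and ends outside the hunk.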


@@ -784,8 +784,8 @@ int periodic_check(worker_st * ws, unsigned mtu_overhead, struct timespec *tnow,
}
}
if (ws->config->session_timeout > 0) {
if (now - ws->session_start_time > ws->config->session_timeout) {
if (ws->user_config->session_timeout_secs > 0) {
if (now - ws->session_start_time > ws->user_config->session_timeout_secs) {
oclog(ws, LOG_ERR,
"session timeout reached for process (%d secs)",
(int)(now - ws->session_start_time));
@@ -795,8 +795,8 @@ int periodic_check(worker_st * ws, unsigned mtu_overhead, struct timespec *tnow,
}
}
if (ws->config->stats_report_time > 0 &&
now - ws->last_stats_msg >= ws->config->stats_report_time &&
if (ws->user_config->interim_update_secs > 0 &&
now - ws->last_stats_msg >= ws->user_config->interim_update_secs &&
ws->sid_set) {
send_stats_to_secmod(ws, now, 0);
}
@@ -885,7 +885,7 @@ static void set_net_priority(worker_st * ws, int fd, int priority)
#ifdef SO_PRIORITY
if (priority != 0 && priority <= 7) {
t = ws->config->net_priority - 1;
t = ws->user_config->net_priority - 1;
ret = setsockopt(fd, SOL_SOCKET, SO_PRIORITY, &t, sizeof(t));
if (ret == -1)
oclog(ws, LOG_DEBUG,
@@ -1404,7 +1404,7 @@ static int connect_handler(worker_st * ws)
return -1;
}
FUZZ(ws->config->stats_report_time, 5, rnd);
FUZZ(ws->user_config->interim_update_secs, 5, rnd);
FUZZ(ws->config->rekey_time, 30, rnd);
/* Connected. Turn of the alarm */
@@ -1423,15 +1423,15 @@ static int connect_handler(worker_st * ws)
SEND_ERR(ret);
if (req->is_mobile) {
ws->config->dpd = ws->config->mobile_dpd;
ws->user_config->dpd = ws->user_config->mobile_dpd;
ws->config->idle_timeout = ws->config->mobile_idle_timeout;
}
oclog(ws, LOG_INFO, "suggesting DPD of %d secs", ws->config->dpd);
if (ws->config->dpd > 0) {
oclog(ws, LOG_INFO, "suggesting DPD of %d secs", ws->user_config->dpd);
if (ws->user_config->dpd > 0) {
ret =
cstp_printf(ws, "X-CSTP-DPD: %u\r\n",
ws->config->dpd);
ws->user_config->dpd);
SEND_ERR(ret);
}
@@ -1451,8 +1451,8 @@ static int connect_handler(worker_st * ws)
}
/* calculate base MTU */
if (ws->config->default_mtu > 0) {
ws->vinfo.mtu = ws->config->default_mtu;
if (ws->user_config->mtu > 0) {
ws->vinfo.mtu = ws->user_config->mtu;
}
if (req->base_mtu > 0) {
@@ -1509,21 +1509,21 @@ static int connect_handler(worker_st * ws)
ws->vinfo.ipv4);
SEND_ERR(ret);
if (ws->vinfo.ipv4_netmask) {
if (ws->user_config->ipv4_netmask) {
ret =
cstp_printf(ws, "X-CSTP-Netmask: %s\r\n",
ws->vinfo.ipv4_netmask);
ws->user_config->ipv4_netmask);
SEND_ERR(ret);
}
}
if (ws->vinfo.ipv6 && req->no_ipv6 == 0 && ws->vinfo.ipv6_prefix != 0) {
oclog(ws, LOG_INFO, "sending IPv6 %s/%u", ws->vinfo.ipv6, ws->vinfo.ipv6_prefix);
if (ws->full_ipv6 && ws->vinfo.ipv6_prefix) {
if (ws->vinfo.ipv6 && req->no_ipv6 == 0 && ws->user_config->ipv6_prefix != 0) {
oclog(ws, LOG_INFO, "sending IPv6 %s/%u", ws->vinfo.ipv6, ws->user_config->ipv6_prefix);
if (ws->full_ipv6 && ws->user_config->ipv6_prefix) {
ret =
cstp_printf(ws,
"X-CSTP-Address-IP6: %s/%u\r\n",
ws->vinfo.ipv6, ws->vinfo.ipv6_prefix);
ws->vinfo.ipv6, ws->user_config->ipv6_prefix);
SEND_ERR(ret);
} else {
const char *net;
@@ -1533,13 +1533,13 @@ static int connect_handler(worker_st * ws)
ws->vinfo.ipv6);
SEND_ERR(ret);
net = ws->vinfo.ipv6_network;
net = ws->user_config->ipv6_net;
if (net == NULL)
net = ws->vinfo.ipv6;
ret =
cstp_printf(ws, "X-CSTP-Netmask: %s/%u\r\n",
net, ws->vinfo.ipv6_prefix);
net, ws->user_config->ipv6_prefix);
SEND_ERR(ret);
}
}
@@ -1550,8 +1550,8 @@ static int connect_handler(worker_st * ws)
if (ws->full_ipv6 == 0 || req->user_agent_type != AGENT_OPENCONNECT)
req->no_ipv6 = 1;
for (i = 0; i < ws->vinfo.dns_size; i++) {
if (strchr(ws->vinfo.dns[i], ':') != 0)
for (i = 0; i < ws->user_config->n_dns; i++) {
if (strchr(ws->user_config->dns[i], ':') != 0)
ip6 = 1;
else
ip6 = 0;
@@ -1561,15 +1561,15 @@ static int connect_handler(worker_st * ws)
if (req->no_ipv4 != 0 && ip6 == 0)
continue;
oclog(ws, LOG_INFO, "adding DNS %s", ws->vinfo.dns[i]);
oclog(ws, LOG_INFO, "adding DNS %s", ws->user_config->dns[i]);
ret =
cstp_printf(ws, "X-CSTP-DNS: %s\r\n",
ws->vinfo.dns[i]);
ws->user_config->dns[i]);
SEND_ERR(ret);
}
for (i = 0; i < ws->vinfo.nbns_size; i++) {
if (strchr(ws->vinfo.nbns[i], ':') != 0)
for (i = 0; i < ws->user_config->n_nbns; i++) {
if (strchr(ws->user_config->nbns[i], ':') != 0)
ip6 = 1;
else
ip6 = 0;
@@ -1579,10 +1579,10 @@ static int connect_handler(worker_st * ws)
if (req->no_ipv4 != 0 && ip6 == 0)
continue;
oclog(ws, LOG_INFO, "adding NBNS %s", ws->vinfo.nbns[i]);
oclog(ws, LOG_INFO, "adding NBNS %s", ws->user_config->nbns[i]);
ret =
cstp_printf(ws, "X-CSTP-NBNS: %s\r\n",
ws->vinfo.nbns[i]);
ws->user_config->nbns[i]);
SEND_ERR(ret);
}
@@ -1606,10 +1606,7 @@ static int connect_handler(worker_st * ws)
}
if (ws->default_route == 0) {
ret = send_routes(ws, req, ws->vinfo.routes, ws->vinfo.routes_size, 1);
SEND_ERR(ret);
ret = send_routes(ws, req, ws->routes, ws->routes_size, 1);
ret = send_routes(ws, req, ws->user_config->routes, ws->user_config->n_routes, 1);
SEND_ERR(ret);
} else {
@@ -1624,15 +1621,12 @@ static int connect_handler(worker_st * ws)
}
SEND_ERR(ret);
ret = send_routes(ws, req, ws->vinfo.no_routes, ws->vinfo.no_routes_size, 0);
SEND_ERR(ret);
ret = send_routes(ws, req, ws->no_routes, ws->no_routes_size, 0);
ret = send_routes(ws, req, ws->user_config->no_routes, ws->user_config->n_no_routes, 0);
SEND_ERR(ret);
ret =
cstp_printf(ws, "X-CSTP-Keepalive: %u\r\n",
ws->config->keepalive);
ws->user_config->keepalive);
SEND_ERR(ret);
if (ws->config->idle_timeout > 0) {
@@ -1724,7 +1718,7 @@ static int connect_handler(worker_st * ws)
}
set_non_block(ws->conn_fd);
set_net_priority(ws, ws->conn_fd, ws->config->net_priority);
set_net_priority(ws, ws->conn_fd, ws->user_config->net_priority);
if (ws->udp_state != UP_DISABLED) {
@@ -1738,10 +1732,10 @@ static int connect_handler(worker_st * ws)
ws->buffer);
SEND_ERR(ret);
if (ws->config->dpd > 0) {
if (ws->user_config->dpd > 0) {
ret =
cstp_printf(ws, "X-DTLS-DPD: %u\r\n",
ws->config->dpd);
ws->user_config->dpd);
SEND_ERR(ret);
}
@@ -1767,7 +1761,7 @@ static int connect_handler(worker_st * ws)
ret =
cstp_printf(ws, "X-DTLS-Keepalive: %u\r\n",
ws->config->keepalive);
ws->user_config->keepalive);
SEND_ERR(ret);
oclog(ws, LOG_INFO, "DTLS ciphersuite: %s",
@@ -1819,7 +1813,7 @@ static int connect_handler(worker_st * ws)
t);
}
set_net_priority(ws, ws->dtls_tptr.fd, ws->config->net_priority);
set_net_priority(ws, ws->dtls_tptr.fd, ws->user_config->net_priority);
}
/* hack for openconnect. It uses only a single MTU value */
@@ -1869,8 +1863,8 @@ static int connect_handler(worker_st * ws)
gettime(&tnow);
ws->last_msg_tcp = ws->last_msg_udp = ws->last_nc_msg = tnow.tv_sec;
bandwidth_init(&ws->b_rx, ws->config->rx_per_sec);
bandwidth_init(&ws->b_tx, ws->config->tx_per_sec);
bandwidth_init(&ws->b_rx, ws->user_config->rx_per_sec);
bandwidth_init(&ws->b_tx, ws->user_config->tx_per_sec);
sigprocmask(SIG_BLOCK, &blockset, NULL);
@@ -1944,7 +1938,7 @@ static int connect_handler(worker_st * ws)
if (periodic_check
(ws, ws->proto_overhead + ws->crypto_overhead, &tnow,
ws->config->dpd) < 0) {
ws->user_config->dpd) < 0) {
terminate_reason = REASON_ERROR;
goto exit;
}
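Review bot: The idle-timeout migration is incomplete: sec-mod now parses `idle-timeout` and `mobile-idle-timeout` into msg->config, but connect_handler still reads and writes `ws->config->idle_timeout = ws->config->mobile_idle_timeout;` right under the new `ws->user_config->dpd = ws->user_config->mobile_dpd;`, and the later `if (ws->config->idle_timeout > 0)` also uses the global, so per-user idle timeouts are accepted by the parser and never applied. The two lines should become `ws->user_config->idle_timeout = ws->user_config->mobile_idle_timeout;` and `if (ws->user_config->idle_timeout > 0) {`, relying on the same merge of global defaults that the other migrated fields assume. On a smaller note, set_net_priority's new line `t = ws->user_config->net_priority - 1;` still ignores the `priority` argument that the guard just above it validated; `t = priority - 1;` would make the guard and the value agree. Both functions extend beyond the hunks shown.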


@@ -257,6 +257,8 @@ typedef struct worker_st {
unsigned int cookie_set;
GroupCfgSt *user_config;
uint8_t master_secret[TLS_MASTER_SIZE];
uint8_t session_id[GNUTLS_MAX_SESSION_ID];
unsigned cert_auth_ok;
@@ -273,17 +275,6 @@ typedef struct worker_st {
struct vpn_st vinfo;
unsigned default_route;
/* additional data - received per user or per group */
unsigned routes_size;
char** routes;
unsigned no_routes_size;
char** no_routes;
unsigned dns_size;
char** dns;
unsigned nbns_size;
char** nbns;
void *main_pool; /* to be used only on deinitialization */
} worker_st;
@@ -335,7 +326,6 @@ url_handler_fn http_post_url_handler(worker_st * ws, const char *url);
int complete_vpn_info(worker_st * ws,
struct vpn_st* vinfo);
unsigned check_if_default_route(char **routes, unsigned routes_size);
int send_tun_mtu(worker_st *ws, unsigned int mtu);
int handle_worker_commands(struct worker_st *ws);
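Review bot: `GroupCfgSt *user_config;` is the field every worker file now dereferences, yet it carries no comment on when it is valid or who owns the memory, while the fields it replaces were at least labelled "additional data - received per user or per group". Something like `GroupCfgSt *user_config; /* per-user/group settings from the AUTH_REP message; points into the unpacked message, which is kept for the worker's lifetime; NULL until authentication succeeds */` answers both questions. The "NULL until" part assumes the worker struct is zeroed at creation, which is not visible here.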