diff --git a/src/ip-lease.c b/src/ip-lease.c index caf6a786..4980c289 100644 --- a/src/ip-lease.c +++ b/src/ip-lease.c @@ -163,9 +163,9 @@ int get_ipv4_lease(main_server_st* s, struct proc_st* proc) char buf[64]; /* Our IP accounting */ - if (proc->config.ipv4_network && proc->config.ipv4_netmask) { - c_network = proc->config.ipv4_network; - c_netmask = proc->config.ipv4_netmask; + if (proc->config->ipv4_net && proc->config->ipv4_netmask) { + c_network = proc->config->ipv4_net; + c_netmask = proc->config->ipv4_netmask; } else { c_network = s->config->network.ipv4; c_netmask = s->config->network.ipv4_netmask; @@ -196,15 +196,15 @@ int get_ipv4_lease(main_server_st* s, struct proc_st* proc) ((struct sockaddr_in*)&network)->sin_family = AF_INET; ((struct sockaddr_in*)&network)->sin_port = 0; - if (proc->config.explicit_ipv4) { + if (proc->config->explicit_ipv4) { /* if an explicit IP is given for that client, then * do implicit IP accounting. Require the address * to be odd, so we use the next even address as PtP. */ ret = - inet_pton(AF_INET, proc->config.explicit_ipv4, SA_IN_P(&tmp)); + inet_pton(AF_INET, proc->config->explicit_ipv4, SA_IN_P(&tmp)); if (ret != 1) { - mslog(s, NULL, LOG_ERR, "error reading explicit IP: %s", proc->config.explicit_ipv4); + mslog(s, NULL, LOG_ERR, "error reading explicit IP: %s", proc->config->explicit_ipv4); return -1; } @@ -232,7 +232,7 @@ int get_ipv4_lease(main_server_st* s, struct proc_st* proc) SA_IN_U8_P(&proc->ipv4->lip)[3] |= 1; if (ip_cmp(&proc->ipv4->lip, &proc->ipv4->rip) == 0) { - mslog(s, NULL, LOG_ERR, "cannot assign explicit IP %s; network: %s", proc->config.explicit_ipv4, c_network); + mslog(s, NULL, LOG_ERR, "cannot assign explicit IP %s; network: %s", proc->config->explicit_ipv4, c_network); ret = ERR_NO_IP; goto fail; } 
@@ -325,10 +325,10 @@ int get_ipv6_lease(main_server_st* s, struct proc_st* proc) int ret; char buf[64]; - if (proc->config.ipv6_network && proc->config.ipv6_subnet_prefix) { - c_network = proc->config.ipv6_network; - prefix = proc->config.ipv6_prefix; - subnet_prefix = proc->config.ipv6_subnet_prefix; + if (proc->config->ipv6_net && proc->config->ipv6_subnet_prefix) { + c_network = proc->config->ipv6_net; + prefix = proc->config->ipv6_prefix; + subnet_prefix = proc->config->ipv6_subnet_prefix; } else { c_network = s->config->network.ipv6; prefix = s->config->network.ipv6_prefix; @@ -365,15 +365,15 @@ int get_ipv6_lease(main_server_st* s, struct proc_st* proc) SA_IN6_U8_P(&network)[i] &= (SA_IN6_U8_P(&mask)[i]); - if (proc->config.explicit_ipv6) { + if (proc->config->explicit_ipv6) { /* if an explicit IP is given for that client, then * do implicit IP accounting. Require the address * to be odd, so we use the next even address as PtP. */ ret = - inet_pton(AF_INET6, proc->config.explicit_ipv6, SA_IN6_P(&tmp)); + inet_pton(AF_INET6, proc->config->explicit_ipv6, SA_IN6_P(&tmp)); if (ret != 1) { - mslog(s, NULL, LOG_ERR, "error reading explicit IP %s", proc->config.explicit_ipv6); + mslog(s, NULL, LOG_ERR, "error reading explicit IP %s", proc->config->explicit_ipv6); return -1; } diff --git a/src/ipc.proto b/src/ipc.proto index cea255d1..9ad12b7e 100644 --- a/src/ipc.proto +++ b/src/ipc.proto 
@@ -13,6 +13,44 @@ message auth_cookie_request_msg required bytes cookie = 1; } +/* This is a structure for per-user/group supplemental configuration. + */ +message group_cfg_st +{ + /* sup - config, to add values, ensure we + * apply a reasonable default in apply_default_config() */ + optional uint32 interim_update_secs = 2; + optional uint32 session_timeout_secs = 3; + optional bool no_udp = 10; + optional bool deny_roaming = 11; + repeated string routes = 13; + repeated string iroutes = 14; + repeated string dns = 15; + repeated string nbns = 16; + optional string ipv4_net = 17; + optional string ipv4_netmask = 18; + optional string ipv6_net = 19; + optional uint32 ipv6_prefix = 20; + optional string cgroup = 21; + optional string xml_config_file = 22; + optional uint32 rx_per_sec = 23; + optional uint32 tx_per_sec = 24; + optional uint32 net_priority = 25; + optional string explicit_ipv4 = 26; + optional string explicit_ipv6 = 27; + repeated string no_routes = 28; + optional uint32 ipv6_subnet_prefix = 29; + optional uint32 dpd = 30; + optional uint32 mobile_dpd = 31; + optional uint32 keepalive = 32; + optional uint32 max_same_clients = 33; + optional uint32 tunnel_all_dns = 34; + optional bool restrict_user_to_routes = 35; + optional uint32 mtu = 36; + optional uint32 idle_timeout = 37; + optional uint32 mobile_idle_timeout = 38; +} + /* AUTH_REP */ message auth_reply_msg { @@ -20,7 +58,7 @@ message auth_reply_msg optional bytes session_id = 3; /* dtls */ optional string vname = 4; optional string user_name = 5; - optional string group_name = 25; + optional string group_name = 6; /* the ips of the tun device */ optional string ipv4 = 7; 
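Review bot: The field numbers of auth_reply_msg and sec_auth_session_reply_msg are reassigned rather than extended: `group_name` moves from 25 to 6 in this hunk, `sid` moves from 30 to 11 and `config = 20` reuses the tag that `net_priority` had in the next hunk (-28), and `config = 2` reuses the tag `interim_update_secs` had in the hunk at -231, with a different wire type in each case. These messages are process-internal, so a full rebuild keeps all parties consistent, but a main process talking to a sec-mod or worker from a previous build (e.g. if the processes are not restarted together during an upgrade) would misparse the reply instead of seeing a missing field. If that mix is not supported, a comment at the top of the file stating that tags may be renumbered between releases would make the policy explicit; otherwise the retired numbers should be left unused.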
@@ -28,29 +66,10 @@ message auth_reply_msg optional string ipv4_local = 9; optional string ipv6_local = 10; + required bytes sid = 11; + /* additional config */ - optional string ipv4_netmask = 15; - optional string ipv6_netmask = 16; - optional uint32 ipv6_prefix = 17; - optional uint32 rx_per_sec = 18; - optional uint32 tx_per_sec = 19; - optional uint32 net_priority = 20; - repeated string routes = 21; - repeated string dns = 22; - repeated string nbns = 23; - optional bool no_udp = 24 [default = false]; - optional string xml_config_file = 26; - optional string ipv4_network = 27; - optional string ipv6_network = 28; - repeated string no_routes = 29; - required bytes sid = 30; - optional uint32 interim_update_secs = 31; - optional uint32 session_timeout_secs = 32; - optional uint32 ipv6_subnet_prefix = 33; - optional uint32 dpd = 34; - optional uint32 mobile_dpd = 35; - optional uint32 keepalive = 36; - optional uint32 tunnel_all_dns = 37; + optional group_cfg_st config = 20; } /* RESUME_FETCH_REQ + RESUME_DELETE_REQ */ 
@@ -231,38 +250,11 @@ message sec_auth_session_msg optional string ipv6 = 7; } + message sec_auth_session_reply_msg { required AUTH_REP reply = 1; - optional uint32 interim_update_secs = 2; - optional uint32 session_timeout_secs = 3; - - /* sup - config */ - optional bool no_udp = 10; - optional bool deny_roaming = 11; - repeated string routes = 13; - repeated string iroutes = 14; - repeated string dns = 15; - repeated string nbns = 16; - optional string ipv4_net = 17; - optional string ipv4_netmask = 18; - optional string ipv6_net = 19; - optional uint32 ipv6_prefix = 20; - optional string cgroup = 21; - optional string xml_config_file = 22; - optional uint32 rx_per_sec = 23; - optional uint32 tx_per_sec = 24; - optional uint32 net_priority = 25; - optional string explicit_ipv4 = 26; - optional string explicit_ipv6 = 27; - repeated string no_routes = 28; - optional uint32 ipv6_subnet_prefix = 29; - optional uint32 dpd = 30; - optional uint32 mobile_dpd = 31; - optional uint32 keepalive = 32; - optional uint32 max_same_clients = 33; - optional uint32 tunnel_all_dns = 34; - optional bool restrict_user_to_routes = 35; + required group_cfg_st config = 2; } message sec_refresh_cookie_key diff --git a/src/main-auth.c b/src/main-auth.c index a8fb97e1..78373017 100644 --- a/src/main-auth.c +++ b/src/main-auth.c @@ -50,7 +50,6 @@ int send_cookie_auth_reply(main_server_st* s, struct proc_st* proc, AUTHREP r) { AuthReplyMsg msg = AUTH_REPLY_MSG__INIT; - unsigned i; int ret; if (r == AUTH__REP__OK && proc->tun_lease.name[0] != 0) { 
@@ -87,94 +86,7 @@ int send_cookie_auth_reply(main_server_st* s, struct proc_st* proc, ipv6_local, sizeof(ipv6_local), 0); } - msg.ipv4_netmask = proc->config.ipv4_netmask; - - msg.ipv4_network = proc->config.ipv4_network; - msg.ipv6_network = proc->config.ipv6_network; - msg.ipv6_subnet_prefix = proc->config.ipv6_subnet_prefix; - - if (proc->ipv6) { - msg.ipv6_prefix = proc->ipv6->prefix; - msg.has_ipv6_prefix = 1; - } - - if (proc->config.interim_update_secs) { - msg.has_interim_update_secs = 1; - msg.interim_update_secs = proc->config.interim_update_secs; - } - - if (proc->config.session_timeout_secs) { - msg.has_session_timeout_secs = 1; - msg.session_timeout_secs = proc->config.session_timeout_secs; - } - - if (proc->config.dpd != 0) { - msg.has_dpd = 1; - msg.dpd = proc->config.dpd; - } - - if (proc->config.keepalive != 0) { - msg.has_keepalive = 1; - msg.keepalive = proc->config.keepalive; - } - - if (proc->config.mobile_dpd != 0) { - msg.has_mobile_dpd = 1; - msg.mobile_dpd = proc->config.mobile_dpd; - } - - if (proc->config.rx_per_sec != 0) { - msg.has_rx_per_sec = 1; - msg.rx_per_sec = proc->config.rx_per_sec; - } - - if (proc->config.tx_per_sec != 0) { - msg.has_tx_per_sec = 1; - msg.tx_per_sec = proc->config.tx_per_sec; - } - - if (proc->config.net_priority != 0) { - msg.has_net_priority = 1; - msg.net_priority = proc->config.net_priority; - } - - if (proc->config.no_udp != 0) { - msg.has_no_udp = 1; - msg.no_udp = proc->config.no_udp; - } - - if (proc->config.tunnel_all_dns != 0) { - msg.has_tunnel_all_dns = 1; - msg.tunnel_all_dns = proc->config.tunnel_all_dns; - } - - if (proc->config.xml_config_file != NULL) { - msg.xml_config_file = proc->config.xml_config_file; - } - - msg.n_dns = proc->config.dns_size; - for (i=0;iconfig.dns_size;i++) { - mslog(s, proc, LOG_DEBUG, "sending dns '%s'", proc->config.dns[i]); - msg.dns = proc->config.dns; - } - - msg.n_nbns = proc->config.nbns_size; - for (i=0;iconfig.nbns_size;i++) { - mslog(s, proc, LOG_DEBUG, 
"sending nbns '%s'", proc->config.nbns[i]); - msg.nbns = proc->config.nbns; - } - - msg.n_routes = proc->config.routes_size; - for (i=0;iconfig.routes_size;i++) { - mslog(s, proc, LOG_DEBUG, "sending route '%s'", proc->config.routes[i]); - msg.routes = proc->config.routes; - } - - msg.n_no_routes = proc->config.no_routes_size; - for (i=0;iconfig.no_routes_size;i++) { - mslog(s, proc, LOG_DEBUG, "sending no-route '%s'", proc->config.no_routes[i]); - msg.no_routes = proc->config.no_routes; - } + msg.config = proc->config; ret = send_socket_msg_to_worker(s, proc, AUTH_COOKIE_REP, proc->tun_lease.fd, &msg, @@ -198,12 +110,6 @@ int send_cookie_auth_reply(main_server_st* s, struct proc_st* proc, return 0; } -static void apply_default_sup_config(struct perm_cfg_st *config, struct proc_st *proc) -{ - proc->config.deny_roaming = config->config->deny_roaming; - proc->config.no_udp = (config->udp_port!=0)?0:1; -} - int handle_auth_cookie_req(main_server_st* s, struct proc_st* proc, const AuthCookieRequestMsg * req) { @@ -255,11 +161,6 @@ struct proc_st *old_proc; if (cmsg->groupname) strlcpy(proc->groupname, cmsg->groupname, sizeof(proc->groupname)); - /* cookie is good so far, now read config (in order to know - * whether roaming is allowed or not */ - memset(&proc->config, 0, sizeof(proc->config)); - apply_default_sup_config(s->perm_config, proc); - /* loads sup config */ ret = session_open(s, proc, req->cookie.data, req->cookie.len); if (ret < 0) { @@ -270,12 +171,12 @@ struct proc_st *old_proc; proc->active_sid = 1; /* Put into right cgroup */ - if (proc->config.cgroup != NULL) { - put_into_cgroup(s, proc->config.cgroup, proc->pid); + if (proc->config->cgroup != NULL) { + put_into_cgroup(s, proc->config->cgroup, proc->pid); } /* check whether the cookie IP matches */ - if (proc->config.deny_roaming != 0) { + if (proc->config->deny_roaming != 0) { if (cmsg->ip == NULL) { return -1; } 
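Review bot: `msg.config = proc->config` hands the worker the whole GroupCfgSt as an optional submessage, so when `proc->config` is still NULL the field is simply omitted rather than the send failing; the worker-side unpacking is not in this diff, so it should be confirmed that a reply without `config` is rejected there (mirroring the `msg->config == NULL` check session_open gains in main-sec-mod-cmd.c) rather than dereferenced. The per-entry debug logging for dns, nbns, routes and no-routes disappears with the copy loops; if it was useful for troubleshooting, one `mslog(s, proc, LOG_DEBUG, "sending %u routes, %u no-routes, %u dns", ...)` after the assignment would keep that visibility. send_cookie_auth_reply starts before this hunk.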
@@ -342,7 +243,7 @@ struct proc_st *ctmp = NULL, *cpos; unsigned int entries = 1; /* that one */ unsigned max; - if (s->config->max_same_clients == 0 && proc->config.max_same_clients == 0) + if (proc->config->max_same_clients == 0) return 0; list_for_each_safe(&s->proc_list.head, ctmp, cpos, list) { @@ -353,10 +254,7 @@ unsigned max; } } - if (proc->config.max_same_clients > 0) - max = proc->config.max_same_clients; - else - max = s->config->max_same_clients; + max = proc->config->max_same_clients; if (max && entries > max) return -1; diff --git a/src/main-ctl-unix.c b/src/main-ctl-unix.c index 7867bb7b..5dc5ca85 100644 --- a/src/main-ctl-unix.c +++ b/src/main-ctl-unix.c @@ -336,7 +336,7 @@ static int append_user_info(method_ctx *ctx, rep->conn_time = ctmp->conn_time; rep->hostname = ctmp->hostname; rep->user_agent = ctmp->user_agent; - rep->restrict_to_routes = ctmp->config.restrict_user_to_routes; + rep->restrict_to_routes = ctmp->config->restrict_user_to_routes; if (ctmp->status == PS_AUTH_COMPLETED) strtmp = "connected"; 
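Review bot: An explicit `max-same-clients = 0` in a user or group config now disables the limit entirely, whereas before this hunk (and the one at -353) a zero per-user value fell back to `s->config->max_same_clients`; apply_default_config only substitutes the global value when `has_max_same_clients` is unset, so an explicitly configured zero no longer inherits the global limit. If that is the intended meaning, the ocserv-args.def text should say that a per-user 0 means unlimited; if not, the default should also be applied when the value is 0, e.g. `if (!gc->has_max_same_clients || gc->max_same_clients == 0)`. The enclosing function starts before this hunk.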
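Review bot: `ctmp->config->restrict_user_to_routes` is dereferenced for every entry in the proc list, but `config` is now a pointer that is only assigned in session_open (it was an embedded struct before), and this commit itself adds a `proc->config == NULL` guard to remove_iroutes; if append_user_info is reached for a proc that has not completed session_open — the `status != PS_AUTH_COMPLETED` case this hunk distinguishes — the ctl user listing would crash the main process. The same unguarded reads appear in the next hunk of this file (-360) and in apply_iroutes in route-add.c, which gets no guard while remove_iroutes does. Either skip such entries up front, `if (ctmp->config == NULL) return 0;` (or emit them with defaults), or document at the `GroupCfgSt *config` declaration in main.h the exact point after which it is guaranteed non-NULL. append_user_info starts before this hunk.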
@@ -360,71 +360,35 @@ static int append_user_info(method_ctx *ctx, rep->has_mtu = 1; } - if (ctmp->config.rx_per_sec > 0) - tmp = ctmp->config.rx_per_sec; - else - tmp = ctx->s->config->rx_per_sec; + tmp = ctmp->config->rx_per_sec; tmp *= 1000; rep->rx_per_sec = tmp; - if (ctmp->config.tx_per_sec > 0) - tmp = ctmp->config.tx_per_sec; - else - tmp = ctx->s->config->tx_per_sec; + tmp = ctmp->config->tx_per_sec; tmp *= 1000; rep->tx_per_sec = tmp; - if (ctmp->config.dpd) - rep->dpd = ctmp->config.dpd; - else - rep->dpd = ctx->s->config->dpd; + rep->dpd = ctmp->config->dpd; - if (ctmp->config.keepalive) - rep->keepalive = ctmp->config.keepalive; - else - rep->dpd = ctx->s->config->dpd; + rep->keepalive = ctmp->config->keepalive; rep->domains = ctx->s->config->split_dns; rep->n_domains = ctx->s->config->split_dns_size; - if (ctmp->config.dns_size > 0) { - rep->dns = ctmp->config.dns; - rep->n_dns = ctmp->config.dns_size; - } else { - rep->dns = ctx->s->config->network.dns; - rep->n_dns = ctx->s->config->network.dns_size; - } + rep->dns = ctmp->config->dns; + rep->n_dns = ctmp->config->n_dns; - if (ctmp->config.nbns_size > 0) { - rep->nbns = ctmp->config.nbns; - rep->n_nbns = ctmp->config.nbns_size; - } else { - rep->nbns = ctx->s->config->network.nbns; - rep->n_nbns = ctx->s->config->network.nbns_size; - } + rep->nbns = ctmp->config->nbns; + rep->n_nbns = ctmp->config->n_nbns; - rep->n_routes = ctmp->config.routes_size + ctx->s->config->network.routes_size; - rep->routes = talloc_size(rep, sizeof(char*)*rep->n_routes); - if (rep->routes != NULL) { - memcpy(rep->routes, ctmp->config.routes, sizeof(char*)*ctmp->config.routes_size); - memcpy(&rep->routes[ctmp->config.routes_size], ctx->s->config->network.routes, sizeof(char*)*ctx->s->config->network.routes_size); - } else { - rep->n_routes = 0; - } + rep->n_routes = ctmp->config->n_routes; + rep->routes = ctmp->config->routes; - rep->n_no_routes = ctmp->config.no_routes_size + ctx->s->config->network.no_routes_size; - 
rep->no_routes = talloc_size(rep, sizeof(char*)*rep->n_no_routes); - if (rep->no_routes != NULL) { - memcpy(rep->no_routes, ctmp->config.no_routes, sizeof(char*)*ctmp->config.no_routes_size); - memcpy(&rep->no_routes[ctmp->config.no_routes_size], ctx->s->config->network.no_routes, sizeof(char*)*ctx->s->config->network.no_routes_size); - } else { - rep->n_no_routes = 0; - } + rep->n_no_routes = ctmp->config->n_no_routes; + rep->no_routes = ctmp->config->no_routes; - if (ctmp->config.iroutes_size > 0) { - rep->iroutes = ctmp->config.iroutes; - rep->n_iroutes = ctmp->config.iroutes_size; - } + rep->iroutes = ctmp->config->iroutes; + rep->n_iroutes = ctmp->config->n_iroutes; return 0; } diff --git a/src/main-sec-mod-cmd.c b/src/main-sec-mod-cmd.c index 29e99a9b..9e125e72 100644 --- a/src/main-sec-mod-cmd.c +++ b/src/main-sec-mod-cmd.c 
@@ -194,13 +194,181 @@ int handle_sec_mod_commands(main_server_st * s) return ret; } +static +void apply_default_config(main_server_st *s, proc_st *proc, GroupCfgSt *gc) +{ + if (!gc->has_no_udp) { + gc->no_udp = (s->perm_config->udp_port!=0)?0:1; + gc->has_no_udp = 1; + } + + if (gc->routes == NULL) { + gc->routes = s->config->network.routes; + gc->n_routes = s->config->network.routes_size; + } + + /* if we have known_iroutes, we must append them to the routes list */ + if (s->config->known_iroutes_size > 0) { + char **old_routes = gc->routes; + unsigned old_routes_size = gc->n_routes; + unsigned i, j, append; + + gc->n_routes = 0; + gc->routes = talloc_size(proc, sizeof(char*)*(old_routes_size+s->config->known_iroutes_size)); + + for (i=0;iroutes[i] = talloc_strdup(proc, old_routes[i]); + if (gc->routes[i] == NULL) + break; + gc->n_routes++; + } + + if (gc->routes) { + /* Append any iroutes that are known and don't match the client's */ + for (i=0;iconfig->known_iroutes_size;i++) { + append = 1; + for (j=0;jn_iroutes;j++) { + if (strcmp(gc->iroutes[j], s->config->known_iroutes[i]) == 0) { + append = 0; + break; + } + } + + if (append) { + gc->routes[gc->n_routes] = talloc_strdup(proc, s->config->known_iroutes[i]); + if (gc->routes[gc->n_routes] == NULL) + break; + gc->n_routes++; + } + } + } + } + + if (gc->no_routes == NULL) { + gc->no_routes = s->config->network.no_routes; + gc->n_no_routes = s->config->network.no_routes_size; + } + + if (gc->dns == NULL) { + gc->dns = s->config->network.dns; + gc->n_dns = s->config->network.dns_size; + } + + if (gc->nbns == NULL) { + gc->nbns = s->config->network.nbns; + gc->n_nbns = s->config->network.nbns_size; + } + + if (!gc->has_interim_update_secs) { + gc->interim_update_secs = s->config->stats_report_time; + gc->has_interim_update_secs = 1; + } + + if (!gc->has_session_timeout_secs) { + gc->session_timeout_secs = s->config->session_timeout; + gc->has_session_timeout_secs = 1; + } + + if (!gc->has_deny_roaming) { + 
gc->deny_roaming = s->config->deny_roaming; + gc->has_deny_roaming = 1; + } + + if (!gc->ipv4_net) { + gc->ipv4_net = s->config->network.ipv4_network; + } + + if (!gc->ipv4_netmask) { + gc->ipv4_netmask = s->config->network.ipv4_netmask; + } + + if (!gc->ipv6_net) { + gc->ipv6_net = s->config->network.ipv6_network; + } + + if (!gc->has_ipv6_prefix) { + gc->ipv6_prefix = s->config->network.ipv6_prefix; + gc->has_ipv6_prefix = 1; + } + + if (!gc->has_ipv6_subnet_prefix) { + gc->ipv6_subnet_prefix = s->config->network.ipv6_subnet_prefix; + gc->has_ipv6_subnet_prefix = 1; + } + + if (!gc->cgroup) { + gc->cgroup = s->config->cgroup; + } + + if (!gc->xml_config_file) { + gc->xml_config_file = s->config->xml_config_file; + } + + if (!gc->has_rx_per_sec) { + gc->rx_per_sec = s->config->rx_per_sec; + gc->has_rx_per_sec = 1; + } + + if (!gc->has_tx_per_sec) { + gc->tx_per_sec = s->config->tx_per_sec; + gc->has_tx_per_sec = 1; + } + + if (!gc->has_net_priority) { + gc->net_priority = s->config->net_priority; + gc->has_net_priority = 1; + } + + if (!gc->has_keepalive) { + gc->keepalive = s->config->keepalive; + gc->has_keepalive = 1; + } + + if (!gc->has_dpd) { + gc->dpd = s->config->dpd; + gc->has_dpd = 1; + } + + if (!gc->has_mobile_dpd) { + gc->mobile_dpd = s->config->mobile_dpd; + gc->has_mobile_dpd = 1; + } + + if (!gc->has_max_same_clients) { + gc->max_same_clients = s->config->max_same_clients; + gc->has_max_same_clients = 1; + } + + if (!gc->has_tunnel_all_dns) { + gc->tunnel_all_dns = s->config->tunnel_all_dns; + gc->has_tunnel_all_dns = 1; + } + + if (!gc->has_restrict_user_to_routes) { + gc->restrict_user_to_routes = s->config->restrict_user_to_routes; + gc->has_restrict_user_to_routes = 1; + } + + if (!gc->has_mtu) { + gc->mtu = s->config->network.mtu; + gc->has_mtu = 1; + } + + if (!gc->has_idle_timeout) { + gc->idle_timeout = s->config->idle_timeout; + gc->has_idle_timeout = 1; + } + + if (!gc->has_mobile_idle_timeout) { + gc->mobile_idle_timeout = 
s->config->mobile_idle_timeout; + gc->has_mobile_idle_timeout = 1; + } +} int session_open(main_server_st * s, struct proc_st *proc, const uint8_t *cookie, unsigned cookie_size) { int ret, e; SecAuthSessionMsg ireq = SEC_AUTH_SESSION_MSG__INIT; SecAuthSessionReplyMsg *msg = NULL; - unsigned i, j, append; - PROTOBUF_ALLOCATOR(pa, proc); char str_ipv4[MAX_IP_STR]; char str_ipv6[MAX_IP_STR]; 
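Review bot: In the known_iroutes branch the result of `talloc_size` is written to in the copy loop (`gc->routes[i] = talloc_strdup(...)`) before the `if (gc->routes)` check, so an allocation failure with a non-empty route list dereferences NULL; the guard has to come before the loop, and on failure the caller's list should be kept instead of leaving `n_routes` reset to 0 with a NULL array. Separately, after this function some fields of `gc` alias `s->config` (dns, nbns, no_routes, cgroup, xml_config_file, the ipv4/ipv6 network strings) while others are talloc'd under `proc` or belong to the unpacked message, so `gc` must never be released with `group_cfg_st__free_unpacked`; a header comment such as `/* Fills unset fields from the global config; pointer fields may alias s->config and must not be freed */` would record that. The rewritten allocation section:
```c
	/* if we have known_iroutes, we must append them to the routes list */
	if (s->config->known_iroutes_size > 0) {
		char **old_routes = gc->routes;
		unsigned old_routes_size = gc->n_routes;
		unsigned i, j, append;

		gc->routes = talloc_size(proc, sizeof(char*)*(old_routes_size+s->config->known_iroutes_size));
		if (gc->routes == NULL) {
			/* allocation failed: keep the list we were given */
			gc->routes = old_routes;
		} else {
			gc->n_routes = 0;
			for (i=0;i<old_routes_size;i++) {
				gc->routes[i] = talloc_strdup(proc, old_routes[i]);
				if (gc->routes[i] == NULL)
					break;
				gc->n_routes++;
			}
			/* … unchanged: append known iroutes that don't match the client's … */
		}
	}
```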
@@ -255,142 +423,14 @@ int session_open(main_server_st * s, struct proc_st *proc, const uint8_t *cookie return -1; } - if (msg->has_interim_update_secs) - proc->config.interim_update_secs = msg->interim_update_secs; - - if (msg->has_session_timeout_secs) - proc->config.session_timeout_secs = msg->session_timeout_secs; - - /* fill in group_cfg_st */ - if (msg->has_no_udp) - proc->config.no_udp = msg->no_udp; - - if (msg->has_restrict_user_to_routes) - proc->config.restrict_user_to_routes = msg->restrict_user_to_routes; - else - proc->config.restrict_user_to_routes = s->config->restrict_user_to_routes; - - if (msg->has_max_same_clients) - proc->config.max_same_clients = msg->max_same_clients; - - if (msg->has_dpd) - proc->config.dpd = msg->dpd; - - if (msg->has_tunnel_all_dns) - proc->config.tunnel_all_dns = msg->tunnel_all_dns; - - if (msg->has_keepalive) - proc->config.keepalive = msg->keepalive; - - if (msg->has_mobile_dpd) - proc->config.mobile_dpd = msg->mobile_dpd; - - if (msg->has_deny_roaming) - proc->config.deny_roaming = msg->deny_roaming; - - if (msg->has_ipv6_prefix) - proc->config.ipv6_prefix = msg->ipv6_prefix; - - if (msg->rx_per_sec) - proc->config.rx_per_sec = msg->rx_per_sec; - if (msg->tx_per_sec) - proc->config.tx_per_sec = msg->tx_per_sec; - - if (msg->net_priority) - proc->config.net_priority = msg->net_priority; - - if (msg->ipv4_net) { - proc->config.ipv4_network = talloc_strdup(proc, msg->ipv4_net); - } - if (msg->ipv4_netmask) { - proc->config.ipv4_netmask = talloc_strdup(proc, msg->ipv4_netmask); - } - if (msg->ipv6_net) { - proc->config.ipv6_network = talloc_strdup(proc, msg->ipv6_net); + if (msg->config == NULL) { + mslog(s, proc, LOG_INFO, "received invalid configuration for '%s'; could not initiate session", proc->username); + return -1; } - if (msg->has_ipv6_subnet_prefix) { - if (msg->ipv6_subnet_prefix != proc->config.ipv6_subnet_prefix) { - mslog(s, proc, LOG_WARNING, "currently a subnet prefix (%u) cannot be different than the 
default (%u)", - msg->ipv6_subnet_prefix, proc->config.ipv6_prefix); - } else { - proc->config.ipv6_subnet_prefix = msg->ipv6_subnet_prefix; - } - } + proc->config = msg->config; - if (msg->cgroup) { - proc->config.cgroup = talloc_strdup(proc, msg->cgroup); - } - - if (msg->xml_config_file) { - proc->config.xml_config_file = talloc_strdup(proc, msg->xml_config_file); - } - - if (msg->explicit_ipv4) { - proc->config.explicit_ipv4 = talloc_strdup(proc, msg->explicit_ipv4); - } - - if (msg->explicit_ipv6) { - proc->config.explicit_ipv6 = talloc_strdup(proc, msg->explicit_ipv6); - } - - /* Append any custom routes for this user */ - if (msg->n_routes > 0 || s->config->known_iroutes_size > 0) { - proc->config.routes = talloc_size(proc, sizeof(char*)*(msg->n_routes+s->config->known_iroutes_size)); - for (i=0;in_routes;i++) { - proc->config.routes[i] = talloc_strdup(proc, msg->routes[i]); - } - proc->config.routes_size = msg->n_routes; - } - - /* Append any iroutes that are known and don't match the client's */ - for (i=0;iconfig->known_iroutes_size;i++) { - append = 1; - for (j=0;jn_iroutes;j++) { - if (strcmp(msg->iroutes[j], s->config->known_iroutes[i]) == 0) { - append = 0; - break; - } - } - - if (append) { - proc->config.routes[proc->config.routes_size] = talloc_strdup(proc, s->config->known_iroutes[i]); - proc->config.routes_size++; - } - } - - if (msg->n_no_routes > 0) { - proc->config.no_routes = talloc_size(proc, sizeof(char*)*msg->n_no_routes); - for (i=0;in_no_routes;i++) { - proc->config.no_routes[i] = talloc_strdup(proc, msg->no_routes[i]); - } - proc->config.no_routes_size = msg->n_no_routes; - } - - if (msg->n_iroutes > 0) { - proc->config.iroutes = talloc_size(proc, sizeof(char*)*msg->n_iroutes); - for (i=0;in_iroutes;i++) { - proc->config.iroutes[i] = talloc_strdup(proc, msg->iroutes[i]); - } - proc->config.iroutes_size = msg->n_iroutes; - } - - if (msg->n_dns > 0) { - proc->config.dns = talloc_size(proc, sizeof(char*)*msg->n_dns); - for (i=0;in_dns;i++) 
{ - proc->config.dns[i] = talloc_strdup(proc, msg->dns[i]); - } - proc->config.dns_size = msg->n_dns; - } - - if (msg->n_nbns > 0) { - proc->config.nbns = talloc_size(proc, sizeof(char*)*msg->n_nbns); - for (i=0;in_nbns;i++) { - proc->config.nbns[i] = talloc_strdup(proc, msg->nbns[i]); - } - proc->config.nbns_size = msg->n_nbns; - } - sec_auth_session_reply_msg__free_unpacked(msg, &pa); + apply_default_config(s, proc, proc->config); return 0; } diff --git a/src/main-user.c b/src/main-user.c index 7c632ac1..8c1f1486 100644 --- a/src/main-user.c +++ b/src/main-user.c @@ -71,30 +71,16 @@ static void export_dns_route_info(main_server_st *s, struct proc_st* proc) /* We use different export strings for IPv4 and IPv6 to ease handling * with legacy software such as iptables and ip6tables. */ - /* append generic routes to str */ - for (i=0;iconfig->network.routes_size;i++) { - APPEND_TO_STR(&str_common, s->config->network.routes[i]); - APPEND_TO_STR(&str_common, " "); - - if (strchr(s->config->network.routes[i], ':') != 0) { - APPEND_TO_STR(&str6, s->config->network.routes[i]); - APPEND_TO_STR(&str6, " "); - } else { - APPEND_TO_STR(&str4, s->config->network.routes[i]); - APPEND_TO_STR(&str4, " "); - } - } - /* append custom routes to str */ - for (i=0;iconfig.routes_size;i++) { - APPEND_TO_STR(&str_common, proc->config.routes[i]); + for (i=0;iconfig->n_routes;i++) { + APPEND_TO_STR(&str_common, proc->config->routes[i]); APPEND_TO_STR(&str_common, " "); - if (strchr(proc->config.routes[i], ':') != 0) { - APPEND_TO_STR(&str6, proc->config.routes[i]); + if (strchr(proc->config->routes[i], ':') != 0) { + APPEND_TO_STR(&str6, proc->config->routes[i]); APPEND_TO_STR(&str6, " "); } else { - APPEND_TO_STR(&str4, proc->config.routes[i]); + APPEND_TO_STR(&str4, proc->config->routes[i]); APPEND_TO_STR(&str4, " "); } } 
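Review bot: `proc->config = msg->config` keeps a pointer into the unpacked reply, so the lifetime of `msg` now decides the lifetime of the proc's config; the hunk at -194 drops `PROTOBUF_ALLOCATOR(pa, proc)` and the unpack call sits outside the visible part of this hunk, so I cannot confirm from the diff that the message is allocated under `proc` and no longer freed at the end of the function — if a `sec_auth_session_reply_msg__free_unpacked` call survives, every later `proc->config->` access is a use-after-free. A comment at the assignment, `/* msg is talloc'd under proc; config stays valid until proc is freed */`, would pin that contract, and a repeated session_open on the same proc should release or reparent the previous config rather than overwrite the pointer. The old warning that refused a per-group `ipv6_subnet_prefix` differing from the default is also gone; if get_ipv6_lease still relies on that assumption the check belongs in apply_default_config. session_open starts before this hunk.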
@@ -120,30 +106,16 @@ static void export_dns_route_info(main_server_st *s, struct proc_st* proc) str_reset(&str6); str_reset(&str_common); - /* append generic no_routes to str */ - for (i=0;iconfig->network.no_routes_size;i++) { - APPEND_TO_STR(&str_common, s->config->network.no_routes[i]); - APPEND_TO_STR(&str_common, " "); - - if (strchr(s->config->network.no_routes[i], ':') != 0) { - APPEND_TO_STR(&str6, s->config->network.no_routes[i]); - APPEND_TO_STR(&str6, " "); - } else { - APPEND_TO_STR(&str4, s->config->network.no_routes[i]); - APPEND_TO_STR(&str4, " "); - } - } - /* append custom no_routes to str */ - for (i=0;iconfig.no_routes_size;i++) { - APPEND_TO_STR(&str_common, proc->config.no_routes[i]); + for (i=0;iconfig->n_no_routes;i++) { + APPEND_TO_STR(&str_common, proc->config->no_routes[i]); APPEND_TO_STR(&str_common, " "); - if (strchr(proc->config.no_routes[i], ':') != 0) { - APPEND_TO_STR(&str6, proc->config.no_routes[i]); + if (strchr(proc->config->no_routes[i], ':') != 0) { + APPEND_TO_STR(&str6, proc->config->no_routes[i]); APPEND_TO_STR(&str6, " "); } else { - APPEND_TO_STR(&str4, proc->config.no_routes[i]); + APPEND_TO_STR(&str4, proc->config->no_routes[i]); APPEND_TO_STR(&str4, " "); } } 
@@ -169,29 +141,16 @@ static void export_dns_route_info(main_server_st *s, struct proc_st* proc) str_reset(&str6); str_reset(&str_common); - if (proc->config.dns_size > 0) { - for (i=0;iconfig.dns_size;i++) { - APPEND_TO_STR(&str_common, proc->config.dns[i]); + if (proc->config->n_dns > 0) { + for (i=0;iconfig->n_dns;i++) { + APPEND_TO_STR(&str_common, proc->config->dns[i]); APPEND_TO_STR(&str_common, " "); - if (strchr(proc->config.dns[i], ':') != 0) { - APPEND_TO_STR(&str6, proc->config.dns[i]); + if (strchr(proc->config->dns[i], ':') != 0) { + APPEND_TO_STR(&str6, proc->config->dns[i]); APPEND_TO_STR(&str6, " "); } else { - APPEND_TO_STR(&str4, proc->config.dns[i]); - APPEND_TO_STR(&str4, " "); - } - } - } else { - for (i=0;iconfig->network.dns_size;i++) { - APPEND_TO_STR(&str_common, s->config->network.dns[i]); - APPEND_TO_STR(&str_common, " "); - - if (strchr(s->config->network.dns[i], ':') != 0) { - APPEND_TO_STR(&str6, s->config->network.dns[i]); - APPEND_TO_STR(&str6, " "); - } else { - APPEND_TO_STR(&str4, s->config->network.dns[i]); + APPEND_TO_STR(&str4, proc->config->dns[i]); APPEND_TO_STR(&str4, " "); } } @@ -229,7 +188,7 @@ const char* script, *next_script = NULL; else script = s->config->disconnect_script; - if (proc->config.restrict_user_to_routes) { + if (proc->config->restrict_user_to_routes) { next_script = script; script = OCSERV_FW_SCRIPT; } diff --git a/src/main.h b/src/main.h index 7fdebae5..84472096 100644 --- a/src/main.h +++ b/src/main.h @@ -144,7 +144,8 @@ typedef struct proc_st { uint64_t bytes_out; unsigned applied_iroutes; /* whether the iroutes in the config have been successfully applied */ - struct group_cfg_st config; /* custom user/group config */ + + GroupCfgSt *config; /* custom user/group config */ } proc_st; struct ip_lease_db_st { diff --git a/src/ocserv-args.def b/src/ocserv-args.def index 028d1cf4..1e1a78fe 100644 --- a/src/ocserv-args.def +++ b/src/ocserv-args.def 
@@ -590,15 +590,14 @@ no-route = 192.168.5.0/255.255.255.0 # explicit-ipv4, explicit-ipv6, net-priority, deny-roaming, no-udp, # keepalive, dpd, mobile-dpd, max-same-clients, tunnel-all-dns, # restrict-user-to-routes, user-profile, cgroup, stats-report-time, -# and session-timeout. +# mtu, idle-timeout, mobile-idle-timeout, and session-timeout. # # Note that the 'iroute' option allows to add routes on the server # based on a user or group. The syntax depends on the input accepted # by the commands route-add-cmd and route-del-cmd (see below). The no-udp # is a boolean option (e.g., no-udp = true), and will prevent a UDP session -# for that specific user or group. Note also, that, any DNS or NBNS servers -# present will overwrite the global ones, while any routes or no-routes set -# will be appended to the default set. +# for that specific user or group. Note also, that, any routes, no-routes, +# DNS or NBNS servers present will overwrite the global ones. # # Also explicit addresses, are only allowed when they are odd. In that # case the next even address will be used as the remote address (in PtP). diff --git a/src/route-add.c b/src/route-add.c index 44ccca18..4ebd113a 100644 --- a/src/route-add.c +++ b/src/route-add.c @@ -163,11 +163,11 @@ int apply_iroutes(struct main_server_st* s, struct proc_st *proc) unsigned i, j; int ret; - if (proc->config.iroutes_size == 0) + if (proc->config->n_iroutes == 0) return 0; - for (i=0;iconfig.iroutes_size;i++) { - ret = route_add(s, proc, proc->config.iroutes[i], proc->tun_lease.name); + for (i=0;iconfig->n_iroutes;i++) { + ret = route_add(s, proc, proc->config->iroutes[i], proc->tun_lease.name); if (ret < 0) goto fail; } @@ -176,7 +176,7 @@ int ret; return 0; fail: for (j=0;jconfig.iroutes[j], proc->tun_lease.name); + route_del(s, proc, proc->config->iroutes[j], proc->tun_lease.name); return -1; } 
@@ -188,11 +188,11 @@ void remove_iroutes(struct main_server_st* s, struct proc_st *proc) { unsigned i; - if (proc->config.iroutes_size == 0 || proc->applied_iroutes == 0) + if (proc->config == NULL || proc->config->n_iroutes == 0 || proc->applied_iroutes == 0) return; - for (i=0;iconfig.iroutes_size;i++) { - route_del(s, proc, proc->config.iroutes[i], proc->tun_lease.name); + for (i=0;iconfig->n_iroutes;i++) { + route_del(s, proc, proc->config->iroutes[i], proc->tun_lease.name); } proc->applied_iroutes = 0; diff --git a/src/sec-mod-auth.c b/src/sec-mod-auth.c index db115614..338df973 100644 --- a/src/sec-mod-auth.c +++ b/src/sec-mod-auth.c @@ -408,6 +408,9 @@ int handle_sec_auth_session_open(sec_mod_st *sec, int fd, const SecAuthSessionMs void *lpool; int ret; SecAuthSessionReplyMsg rep = SEC_AUTH_SESSION_REPLY_MSG__INIT; + GroupCfgSt _cfg = GROUP_CFG_ST__INIT; + + rep.config = &_cfg; if (req->sid.len != SID_SIZE) { seclog(sec, LOG_ERR, "auth session open but with illegal sid size (%d)!", diff --git a/src/sup-config/file.c b/src/sup-config/file.c index f4400aa4..cad2ffb5 100644 --- a/src/sup-config/file.c +++ b/src/sup-config/file.c @@ -67,8 +67,11 @@ static struct cfg_options available_options[] = { { .name = "rx-data-per-sec", .type = OPTION_NUMERIC }, { .name = "tx-data-per-sec", .type = OPTION_NUMERIC }, { .name = "net-priority", .type = OPTION_STRING }, + { .name = "mtu", .type = OPTION_NUMERIC }, { .name = "dpd", .type = OPTION_NUMERIC }, { .name = "mobile-dpd", .type = OPTION_NUMERIC }, + { .name = "idle-timeout", .type = OPTION_NUMERIC }, + { .name = "mobile-idle-timeout", .type = OPTION_NUMERIC }, { .name = "keepalive", .type = OPTION_NUMERIC }, { .name = "cgroup", .type = OPTION_STRING }, { .name = "user-profile", .type = OPTION_STRING }, 
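Review bot: `_cfg` is a leading-underscore identifier; at block scope it is not reserved, but the surrounding code uses plain snake_case locals and `cfg` or `group_cfg` reads better next to `rep`. Since `config` is `required` in sec_auth_session_reply_msg, pointing it at a zero-initialised stack struct before any early return is the right default; a short comment, `/* required field: always send a (possibly empty) config */`, would record why it is set up front. handle_sec_auth_session_open continues beyond this hunk.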
@@ -181,90 +184,93 @@ unsigned j; prev = val; } while((val = optionNextValue(pov, prev)) != NULL); - READ_TF("no-udp", msg->no_udp, msg->has_no_udp); - READ_TF("restrict-user-to-routes", msg->restrict_user_to_routes, msg->has_restrict_user_to_routes); - READ_TF("tunnel_all_dns", msg->tunnel_all_dns, msg->has_tunnel_all_dns); - READ_TF("deny-roaming", msg->deny_roaming, msg->has_deny_roaming); + READ_TF("no-udp", msg->config->no_udp, msg->config->has_no_udp); + READ_TF("restrict-user-to-routes", msg->config->restrict_user_to_routes, msg->config->has_restrict_user_to_routes); + READ_TF("tunnel_all_dns", msg->config->tunnel_all_dns, msg->config->has_tunnel_all_dns); + READ_TF("deny-roaming", msg->config->deny_roaming, msg->config->has_deny_roaming); - READ_RAW_MULTI_LINE("route", msg->routes, msg->n_routes); - READ_RAW_MULTI_LINE("no-route", msg->no_routes, msg->n_no_routes); - READ_RAW_MULTI_LINE("iroute", msg->iroutes, msg->n_iroutes); + READ_RAW_MULTI_LINE("route", msg->config->routes, msg->config->n_routes); + READ_RAW_MULTI_LINE("no-route", msg->config->no_routes, msg->config->n_no_routes); + READ_RAW_MULTI_LINE("iroute", msg->config->iroutes, msg->config->n_iroutes); - for (j=0;jn_routes;j++) { - if (ip_route_sanity_check(msg->routes, &msg->routes[j]) != 0) { + for (j=0;jconfig->n_routes;j++) { + if (ip_route_sanity_check(msg->config->routes, &msg->config->routes[j]) != 0) { ret = ERR_READ_CONFIG; goto fail; } } - for (j=0;jn_iroutes;j++) { - if (ip_route_sanity_check(msg->iroutes, &msg->iroutes[j]) != 0) { + for (j=0;jconfig->n_iroutes;j++) { + if (ip_route_sanity_check(msg->config->iroutes, &msg->config->iroutes[j]) != 0) { ret = ERR_READ_CONFIG; goto fail; } } - for (j=0;jn_no_routes;j++) { - if (ip_route_sanity_check(msg->no_routes, &msg->no_routes[j]) != 0) { + for (j=0;jconfig->n_no_routes;j++) { + if (ip_route_sanity_check(msg->config->no_routes, &msg->config->no_routes[j]) != 0) { ret = ERR_READ_CONFIG; goto fail; } } - READ_RAW_MULTI_LINE("dns", 
msg->dns, msg->n_dns); - if (msg->n_dns == 0) { + READ_RAW_MULTI_LINE("dns", msg->config->dns, msg->config->n_dns); + if (msg->config->n_dns == 0) { /* try aliases */ - READ_RAW_MULTI_LINE("ipv6-dns", msg->dns, msg->n_dns); - READ_RAW_MULTI_LINE("ipv4-dns", msg->dns, msg->n_dns); + READ_RAW_MULTI_LINE("ipv6-dns", msg->config->dns, msg->config->n_dns); + READ_RAW_MULTI_LINE("ipv4-dns", msg->config->dns, msg->config->n_dns); } - READ_RAW_MULTI_LINE("nbns", msg->nbns, msg->n_nbns); - if (msg->n_nbns == 0) { + READ_RAW_MULTI_LINE("nbns", msg->config->nbns, msg->config->n_nbns); + if (msg->config->n_nbns == 0) { /* try aliases */ - READ_RAW_MULTI_LINE("ipv6-nbns", msg->nbns, msg->n_nbns); - READ_RAW_MULTI_LINE("ipv4-nbns", msg->nbns, msg->n_nbns); + READ_RAW_MULTI_LINE("ipv6-nbns", msg->config->nbns, msg->config->n_nbns); + READ_RAW_MULTI_LINE("ipv4-nbns", msg->config->nbns, msg->config->n_nbns); } - READ_RAW_STRING("cgroup", msg->cgroup); - READ_RAW_STRING("ipv4-network", msg->ipv4_net); - READ_RAW_STRING("ipv6-network", msg->ipv6_net); - READ_RAW_STRING("ipv4-netmask", msg->ipv4_netmask); - READ_RAW_STRING("explicit-ipv4", msg->explicit_ipv4); - READ_RAW_STRING("explicit-ipv6", msg->explicit_ipv6); + READ_RAW_STRING("cgroup", msg->config->cgroup); + READ_RAW_STRING("ipv4-network", msg->config->ipv4_net); + READ_RAW_STRING("ipv6-network", msg->config->ipv6_net); + READ_RAW_STRING("ipv4-netmask", msg->config->ipv4_netmask); + READ_RAW_STRING("explicit-ipv4", msg->config->explicit_ipv4); + READ_RAW_STRING("explicit-ipv6", msg->config->explicit_ipv6); - READ_RAW_NUMERIC("ipv6-subnet-prefix", msg->ipv6_subnet_prefix, msg->has_ipv6_subnet_prefix); + READ_RAW_NUMERIC("ipv6-subnet-prefix", msg->config->ipv6_subnet_prefix, msg->config->has_ipv6_subnet_prefix); - msg->ipv6_prefix = extract_prefix(msg->ipv6_net); - if (msg->ipv6_prefix == 0) { - READ_RAW_NUMERIC("ipv6-prefix", msg->ipv6_prefix, msg->has_ipv6_prefix); + msg->config->ipv6_prefix = 
extract_prefix(msg->config->ipv6_net); + if (msg->config->ipv6_prefix == 0) { + READ_RAW_NUMERIC("ipv6-prefix", msg->config->ipv6_prefix, msg->config->has_ipv6_prefix); } else { - msg->has_ipv6_prefix = 1; + msg->config->has_ipv6_prefix = 1; } - if (msg->has_ipv6_prefix != 0) { - if (valid_ipv6_prefix(msg->ipv6_prefix) == 0) { + if (msg->config->has_ipv6_prefix != 0) { + if (valid_ipv6_prefix(msg->config->ipv6_prefix) == 0) { syslog(LOG_ERR, "unknown ipv6-prefix '%u' in %s", prefix, file); } } - READ_RAW_NUMERIC("rx-data-per-sec", msg->rx_per_sec, msg->has_rx_per_sec); - READ_RAW_NUMERIC("tx-data-per-sec", msg->tx_per_sec, msg->has_tx_per_sec); - msg->rx_per_sec /= 1000; /* in kb */ - msg->tx_per_sec /= 1000; /* in kb */ + READ_RAW_NUMERIC("rx-data-per-sec", msg->config->rx_per_sec, msg->config->has_rx_per_sec); + READ_RAW_NUMERIC("tx-data-per-sec", msg->config->tx_per_sec, msg->config->has_tx_per_sec); + msg->config->rx_per_sec /= 1000; /* in kb */ + msg->config->tx_per_sec /= 1000; /* in kb */ - READ_RAW_NUMERIC("stats-report-time", msg->interim_update_secs, msg->has_interim_update_secs); - READ_RAW_NUMERIC("session-timeout", msg->session_timeout_secs, msg->has_session_timeout_secs); + READ_RAW_NUMERIC("stats-report-time", msg->config->interim_update_secs, msg->config->has_interim_update_secs); + READ_RAW_NUMERIC("session-timeout", msg->config->session_timeout_secs, msg->config->has_session_timeout_secs); - READ_RAW_NUMERIC("dpd", msg->dpd, msg->has_dpd); - READ_RAW_NUMERIC("mobile-dpd", msg->mobile_dpd, msg->has_mobile_dpd); - READ_RAW_NUMERIC("keepalive", msg->keepalive, msg->has_keepalive); - READ_RAW_NUMERIC("max-same-clients", msg->max_same_clients, msg->has_max_same_clients); + READ_RAW_NUMERIC("mtu", msg->config->mtu, msg->config->has_mtu); + READ_RAW_NUMERIC("dpd", msg->config->dpd, msg->config->has_dpd); + READ_RAW_NUMERIC("mobile-dpd", msg->config->mobile_dpd, msg->config->has_mobile_dpd); + READ_RAW_NUMERIC("idle-timeout", msg->config->idle_timeout, 
msg->config->has_idle_timeout); + READ_RAW_NUMERIC("mobile-idle-timeout", msg->config->mobile_idle_timeout, msg->config->has_mobile_idle_timeout); + READ_RAW_NUMERIC("keepalive", msg->config->keepalive, msg->config->has_keepalive); + READ_RAW_NUMERIC("max-same-clients", msg->config->max_same_clients, msg->config->has_max_same_clients); /* net-priority will contain the actual priority + 1, * to allow having zero as uninitialized. */ - READ_RAW_PRIO_TOS("net-priority", msg->net_priority, msg->has_net_priority); + READ_RAW_PRIO_TOS("net-priority", msg->config->net_priority, msg->config->has_net_priority); - READ_RAW_STRING("user-profile", msg->xml_config_file); + READ_RAW_STRING("user-profile", msg->config->xml_config_file); ret = 0; fail: diff --git a/src/sup-config/radius.c b/src/sup-config/radius.c index 59498901..63730300 100644 --- a/src/sup-config/radius.c +++ b/src/sup-config/radius.c 
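Review bot: The option is read as `READ_TF("tunnel_all_dns", …)` on the new side, while the sample-config hunk earlier in this diff lists it as `tunnel-all-dns`. If available_options carries the hyphenated name (only part of that table is visible), a `tunnel-all-dns = true` line passes validation but is never applied; if it carries the underscore form, the documentation is wrong. One of the two should change, most likely `READ_TF("tunnel-all-dns", msg->config->tunnel_all_dns, msg->config->has_tunnel_all_dns);`. The three new numeric options (mtu, idle-timeout, mobile-idle-timeout) are taken without any range check, as the existing ones are; the enclosing function starts and ends outside the hunk.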
@@ -48,34 +48,34 @@ static int get_sup_config(struct cfg_st *cfg, client_entry_st *entry,
 if (pctx == NULL)
 return 0;

- msg->interim_update_secs = pctx->interim_interval_secs;
- if (msg->interim_update_secs > 0)
- msg->has_interim_update_secs = 1;
+ msg->config->interim_update_secs = pctx->interim_interval_secs;
+ if (msg->config->interim_update_secs > 0)
+ msg->config->has_interim_update_secs = 1;

- msg->session_timeout_secs = pctx->session_timeout_secs;
- if (msg->session_timeout_secs > 0)
- msg->has_session_timeout_secs = 1;
+ msg->config->session_timeout_secs = pctx->session_timeout_secs;
+ if (msg->config->session_timeout_secs > 0)
+ msg->config->has_session_timeout_secs = 1;

 if (pctx->ipv4[0] != 0) {
- msg->explicit_ipv4 = talloc_strdup(pool, pctx->ipv4);
+ msg->config->explicit_ipv4 = talloc_strdup(pool, pctx->ipv4);
 }

 if (pctx->ipv4_mask[0] != 0) {
- msg->ipv4_netmask = talloc_strdup(pool, pctx->ipv4_mask);
+ msg->config->ipv4_netmask = talloc_strdup(pool, pctx->ipv4_mask);
 }

 if (pctx->routes_size > 0) {
- msg->routes = talloc_size(pool, pctx->routes_size*sizeof(char*));
- if (msg->routes != NULL) {
+ msg->config->routes = talloc_size(pool, pctx->routes_size*sizeof(char*));
+ if (msg->config->routes != NULL) {
 for (i=0;iroutes_size;i++) {
- msg->routes[i] = talloc_strdup(pool, pctx->routes[i]);
+ msg->config->routes[i] = talloc_strdup(pool, pctx->routes[i]);
 }
- msg->n_routes = pctx->routes_size;
+ msg->config->n_routes = pctx->routes_size;
 }
 }

- for (i=0;in_routes;i++) {
- ip_route_sanity_check(msg->routes, &msg->routes[i]);
+ for (i=0;iconfig->n_routes;i++) {
+ ip_route_sanity_check(msg->config->routes, &msg->config->routes[i]);
 }

 if (pctx->ipv4_dns1[0] != 0)
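Review bot: The return value of `ip_route_sanity_check` is discarded in the routes loop at the end of the hunk, whereas the file backend in this same diff treats a non-zero result as ERR_READ_CONFIG; a malformed RADIUS-supplied route therefore reaches the worker unchecked. Whether the function also normalizes in place, making the failure harmless, is not visible from the diff; if it does not, `if (ip_route_sanity_check(msg->config->routes, &msg->config->routes[i]) != 0) return ERR_READ_CONFIG;` (or whatever error the callers of get_sup_config expect) would align the two backends. `n_routes` is also set to `routes_size` even when an individual `talloc_strdup` returned NULL, so consumers of the array cannot assume non-NULL entries. The function continues past the hunk.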
@@ -88,33 +88,33 @@ static int get_sup_config(struct cfg_st *cfg, client_entry_st *entry,
 dns++;

 if (dns > 0) {
- msg->dns = talloc_size(pool, dns*sizeof(char*));
- if (msg->dns != NULL) {
+ msg->config->dns = talloc_size(pool, dns*sizeof(char*));
+ if (msg->config->dns != NULL) {
 unsigned pos = 0;
 if (pctx->ipv4_dns1[0] != 0)
- msg->dns[pos++] = talloc_strdup(pool, pctx->ipv4_dns1);
+ msg->config->dns[pos++] = talloc_strdup(pool, pctx->ipv4_dns1);
 if (pctx->ipv4_dns2[0] != 0)
- msg->dns[pos++] = talloc_strdup(pool, pctx->ipv4_dns2);
+ msg->config->dns[pos++] = talloc_strdup(pool, pctx->ipv4_dns2);
 if (pctx->ipv6_dns1[0] != 0)
- msg->dns[pos++] = talloc_strdup(pool, pctx->ipv6_dns1);
+ msg->config->dns[pos++] = talloc_strdup(pool, pctx->ipv6_dns1);
 if (pctx->ipv6_dns2[0] != 0)
- msg->dns[pos++] = talloc_strdup(pool, pctx->ipv6_dns2);
+ msg->config->dns[pos++] = talloc_strdup(pool, pctx->ipv6_dns2);

- msg->n_dns = dns;
+ msg->config->n_dns = dns;
 }
 }

 if (pctx->ipv6[0] != 0) {
- msg->explicit_ipv6 = talloc_strdup(pool, pctx->ipv6);
+ msg->config->explicit_ipv6 = talloc_strdup(pool, pctx->ipv6);
 }

 if (pctx->ipv6_net[0] != 0) {
- msg->ipv6_net = talloc_strdup(pool, pctx->ipv6_net);
+ msg->config->ipv6_net = talloc_strdup(pool, pctx->ipv6_net);
 }

 if (pctx->ipv6_subnet_prefix != 0) {
- msg->ipv6_subnet_prefix = pctx->ipv6_subnet_prefix;
- msg->has_ipv6_subnet_prefix = 1;
+ msg->config->ipv6_subnet_prefix = pctx->ipv6_subnet_prefix;
+ msg->config->has_ipv6_subnet_prefix = 1;
 }

 return 0;
diff --git a/src/worker-auth.c b/src/worker-auth.c
index 4972e43e..ceb37026 100644
--- a/src/worker-auth.c
+++ b/src/worker-auth.c
@@ -507,10 +507,23 @@ int get_cert_names(worker_st * ws, const gnutls_datum_t * raw) } +static +unsigned check_if_default_route(char **routes, unsigned routes_size) +{ + unsigned i; + + for (i=0;itun_fd = socketfd; - if (msg->vname == NULL || msg->user_name == NULL || msg->sid.len != sizeof(ws->sid)) { + if (msg->vname == NULL || msg->config == NULL || msg->user_name == NULL || msg->sid.len != sizeof(ws->sid)) { ret = ERR_AUTH_FAIL; goto cleanup; } @@ -554,17 +567,7 @@ static int recv_cookie_auth_reply(worker_st * ws) memcpy(ws->session_id, msg->session_id.data, msg->session_id.len); - if (msg->has_interim_update_secs) { - oclog(ws, LOG_DEBUG, "overriding stats-report-time with auth server's value (%u)", - (unsigned)msg->interim_update_secs); - ws->config->stats_report_time = msg->interim_update_secs; - } - - if (msg->has_session_timeout_secs) { - oclog(ws, LOG_DEBUG, "overriding session-timeout with auth server's value (%u)", - (unsigned)msg->session_timeout_secs); - ws->config->session_timeout = msg->session_timeout_secs; - } + ws->user_config = msg->config; if (msg->ipv4 != NULL) { talloc_free(ws->vinfo.ipv4); 
@@ -602,107 +605,12 @@ static int recv_cookie_auth_reply(worker_st * ws) talloc_strdup(ws, msg->ipv6_local); } - /* Read any additional data */ - if (msg->ipv4_netmask != NULL) { - talloc_free(ws->config->network.ipv4_netmask); - ws->config->network.ipv4_netmask = - talloc_strdup(ws, msg->ipv4_netmask); - } - - if (msg->ipv4_network != NULL) { - talloc_free(ws->config->network.ipv4_network); - ws->config->network.ipv4_network = - talloc_strdup(ws, msg->ipv4_network); - } - - if (msg->ipv6_network != NULL) { - talloc_free(ws->config->network.ipv6_network); - ws->config->network.ipv6_network = - talloc_strdup(ws, msg->ipv6_network); - } - - if (msg->has_ipv6_prefix) { - ws->config->network.ipv6_prefix = msg->ipv6_prefix; - } - - if (msg->has_ipv6_subnet_prefix) { - ws->config->network.ipv6_subnet_prefix = msg->ipv6_subnet_prefix; - } - - if (msg->has_dpd) - ws->config->dpd = msg->dpd; - - if (msg->has_keepalive) - ws->config->keepalive = msg->keepalive; - - if (msg->has_mobile_dpd) - ws->config->mobile_dpd = msg->mobile_dpd; - - if (msg->has_rx_per_sec) - ws->config->rx_per_sec = msg->rx_per_sec; - - if (msg->has_tx_per_sec) - ws->config->tx_per_sec = msg->tx_per_sec; - - if (msg->has_net_priority) - ws->config->net_priority = msg->net_priority; - - if (msg->has_no_udp && msg->no_udp != 0) + if (msg->config->no_udp != 0) ws->perm_config->udp_port = 0; - if (msg->xml_config_file) { - talloc_free(ws->config->xml_config_file); - ws->config->xml_config_file = talloc_strdup(ws, msg->xml_config_file); - } - /* routes */ - ws->routes = talloc_size(ws, msg->n_routes*sizeof(char*)); - if (ws->routes != NULL) { - ws->routes_size = msg->n_routes; - for (i = 0; i < ws->routes_size; i++) { - ws->routes[i] = - talloc_strdup(ws, msg->routes[i]); - - /* If a default route is detected */ - if (ws->routes[i] != NULL && - (strcmp(ws->routes[i], "default") == 0 || - strcmp(ws->routes[i], "0.0.0.0/0") == 0)) { - - /* disable all routes */ - ws->routes_size = 0; - ws->default_route = 1; - 
break; - } - } - } - - if (check_if_default_route(ws->routes, ws->routes_size)) + if (check_if_default_route(msg->config->routes, msg->config->n_routes)) ws->default_route = 1; - - ws->no_routes = talloc_size(ws, msg->n_no_routes*sizeof(char*)); - if (ws->no_routes != NULL) { - ws->no_routes_size = msg->n_no_routes; - for (i = 0; i < ws->no_routes_size; i++) { - ws->no_routes[i] = - talloc_strdup(ws, msg->no_routes[i]); - } - } - - ws->dns = talloc_size(ws, msg->n_dns*sizeof(char*)); - if (ws->dns != NULL) { - ws->dns_size = msg->n_dns; - for (i = 0; i < ws->dns_size; i++) { - ws->dns[i] = talloc_strdup(ws, msg->dns[i]); - } - } - - ws->nbns = talloc_size(ws, msg->n_nbns*sizeof(char*)); - if (ws->nbns != NULL) { - ws->nbns_size = msg->n_nbns; - for (i = 0; i < ws->nbns_size; i++) { - ws->nbns[i] = talloc_strdup(ws, msg->nbns[i]); - } - } } else { oclog(ws, LOG_ERR, "error in received message"); ret = ERR_AUTH_FAIL; @@ -720,7 +628,12 @@ static int recv_cookie_auth_reply(worker_st * ws) ret = 0; cleanup: - auth_reply_msg__free_unpacked(msg, &pa); + if (ret < 0) { + /* we only release on error, as the user configuration + * remains. */ + auth_reply_msg__free_unpacked(msg, &pa); + ws->user_config = NULL; + } return ret; } diff --git a/src/worker-http-handlers.c b/src/worker-http-handlers.c index 8166d9c2..02281db5 100644 --- a/src/worker-http-handlers.c +++ b/src/worker-http-handlers.c 
@@ -48,15 +48,15 @@ int ret;
 struct stat st;

 oclog(ws, LOG_HTTP_DEBUG, "requested config: %s", ws->req.url);
- if (ws->config->xml_config_file == NULL) {
+ if (ws->user_config->xml_config_file == NULL) {
 oclog(ws, LOG_INFO, "requested config but no config file is set");
 cstp_printf(ws, "HTTP/1.%u 404 Not found\r\n", http_ver);
 return -1;
 }

- ret = stat( ws->config->xml_config_file, &st);
+ ret = stat( ws->user_config->xml_config_file, &st);
 if (ret == -1) {
- oclog(ws, LOG_INFO, "cannot load config file '%s'", ws->config->xml_config_file);
+ oclog(ws, LOG_INFO, "cannot load config file '%s'", ws->user_config->xml_config_file);
 cstp_printf(ws, "HTTP/1.%u 404 Not found\r\n", http_ver);
 return -1;
 }
@@ -90,9 +90,9 @@ struct stat st;
 if (ret < 0)
 return -1;

- ret = cstp_send_file(ws, ws->config->xml_config_file);
+ ret = cstp_send_file(ws, ws->user_config->xml_config_file);
 if (ret < 0) {
- oclog(ws, LOG_ERR, "error sending file '%s': %s", ws->config->xml_config_file, gnutls_strerror(ret));
+ oclog(ws, LOG_ERR, "error sending file '%s': %s", ws->user_config->xml_config_file, gnutls_strerror(ret));
 return -1;
 }

diff --git a/src/worker-misc.c b/src/worker-misc.c
index 6e933137..72530348 100644
--- a/src/worker-misc.c
+++ b/src/worker-misc.c
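Review bot: `ws->user_config` is dereferenced unconditionally in the config URL handler, where the replaced code read the always-present `ws->config`. user_config is only assigned by a successful recv_cookie_auth_reply and is reset to NULL on that function's error path (worker-auth.c in this diff), so if this handler can be dispatched before cookie authentication has completed, or after a failed reply, the request terminates the worker with a NULL dereference instead of the existing 404. Changing the first check to `if (ws->user_config == NULL || ws->user_config->xml_config_file == NULL) {` preserves the 404 behaviour for that case; the second hunk's stat/send path is covered by the same guard if it cannot be reached independently. The handler's signature is outside the hunk.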
@@ -180,19 +180,6 @@ udp_fd_fail: return -1; } -unsigned check_if_default_route(char **routes, unsigned routes_size) -{ - unsigned i; - - for (i=0;idns_size > 0) { - vinfo->dns_size = ws->dns_size; - vinfo->dns = ws->dns; - } else { - vinfo->dns_size = ws->config->network.dns_size; - if (ws->config->network.dns_size > 0) - vinfo->dns = ws->config->network.dns; - } - - if (ws->nbns_size > 0) { - vinfo->nbns_size = ws->nbns_size; - vinfo->nbns = ws->nbns; - } else { - vinfo->nbns_size = ws->config->network.nbns_size; - if (ws->config->network.nbns_size > 0) - vinfo->nbns = ws->config->network.nbns; - } - - vinfo->routes_size = ws->config->network.routes_size; - if (ws->config->network.routes_size > 0) - vinfo->routes = ws->config->network.routes; - - if (check_if_default_route(vinfo->routes, vinfo->routes_size)) - ws->default_route = 1; - - vinfo->no_routes_size = ws->config->network.no_routes_size; - if (ws->config->network.no_routes_size > 0) - vinfo->no_routes = ws->config->network.no_routes; - - vinfo->ipv4_network = ws->config->network.ipv4_network; - vinfo->ipv6_network = ws->config->network.ipv6_network; - - vinfo->ipv4_netmask = ws->config->network.ipv4_netmask; - vinfo->ipv6_prefix = ws->config->network.ipv6_prefix; - vinfo->ipv6_subnet_prefix = ws->config->network.ipv6_subnet_prefix; - if (ws->config->network.mtu != 0) { vinfo->mtu = ws->config->network.mtu; } else { diff --git a/src/worker-vpn.c b/src/worker-vpn.c index a0c21a60..72d73424 100644 --- a/src/worker-vpn.c +++ b/src/worker-vpn.c @@ -784,8 +784,8 @@ int periodic_check(worker_st * ws, unsigned mtu_overhead, struct timespec *tnow, } } - if (ws->config->session_timeout > 0) { - if (now - ws->session_start_time > ws->config->session_timeout) { + if (ws->user_config->session_timeout_secs > 0) { + if (now - ws->session_start_time > ws->user_config->session_timeout_secs) { oclog(ws, LOG_ERR, "session timeout reached for process (%d secs)", (int)(now - ws->session_start_time)); 
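Review bot: The removed block in complete_vpn_info was the worker's only fallback to the global `ws->config->network.*` DNS, NBNS, routes, no-routes, netmask and prefix values; after this change the worker reads those exclusively from `ws->user_config` (worker-vpn.c hunks), and sec-mod-auth.c initializes the reply's config from `GROUP_CFG_ST__INIT`, i.e. zeroed. Unless sec-mod merges the global network settings into the GroupCfgSt somewhere outside this diff, a deployment that only sets global `dns`/`route` options stops pushing them to clients, which is not what the sample-config text added in this diff ("present will overwrite the global ones") describes. A short comment at the top of complete_vpn_info naming where the merge happens, e.g. `/* dns, nbns, routes and netmask arrive already merged with the global config in ws->user_config */`, would document the new contract. The hunk boundaries are garbled in this rendering, so the surrounding lines were not checked.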
@@ -795,8 +795,8 @@ int periodic_check(worker_st * ws, unsigned mtu_overhead, struct timespec *tnow, } } - if (ws->config->stats_report_time > 0 && - now - ws->last_stats_msg >= ws->config->stats_report_time && + if (ws->user_config->interim_update_secs > 0 && + now - ws->last_stats_msg >= ws->user_config->interim_update_secs && ws->sid_set) { send_stats_to_secmod(ws, now, 0); } @@ -885,7 +885,7 @@ static void set_net_priority(worker_st * ws, int fd, int priority) #ifdef SO_PRIORITY if (priority != 0 && priority <= 7) { - t = ws->config->net_priority - 1; + t = ws->user_config->net_priority - 1; ret = setsockopt(fd, SOL_SOCKET, SO_PRIORITY, &t, sizeof(t)); if (ret == -1) oclog(ws, LOG_DEBUG, @@ -1404,7 +1404,7 @@ static int connect_handler(worker_st * ws) return -1; } - FUZZ(ws->config->stats_report_time, 5, rnd); + FUZZ(ws->user_config->interim_update_secs, 5, rnd); FUZZ(ws->config->rekey_time, 30, rnd); /* Connected. Turn of the alarm */ @@ -1423,15 +1423,15 @@ static int connect_handler(worker_st * ws) SEND_ERR(ret); if (req->is_mobile) { - ws->config->dpd = ws->config->mobile_dpd; + ws->user_config->dpd = ws->user_config->mobile_dpd; ws->config->idle_timeout = ws->config->mobile_idle_timeout; } - oclog(ws, LOG_INFO, "suggesting DPD of %d secs", ws->config->dpd); - if (ws->config->dpd > 0) { + oclog(ws, LOG_INFO, "suggesting DPD of %d secs", ws->user_config->dpd); + if (ws->user_config->dpd > 0) { ret = cstp_printf(ws, "X-CSTP-DPD: %u\r\n", - ws->config->dpd); + ws->user_config->dpd); SEND_ERR(ret); } @@ -1451,8 +1451,8 @@ static int connect_handler(worker_st * ws) } /* calculate base MTU */ - if (ws->config->default_mtu > 0) { - ws->vinfo.mtu = ws->config->default_mtu; + if (ws->user_config->mtu > 0) { + ws->vinfo.mtu = ws->user_config->mtu; } if (req->base_mtu > 0) { 
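Review bot: In the `req->is_mobile` branch of connect_handler only the DPD assignment moves to `ws->user_config`; `ws->config->idle_timeout = ws->config->mobile_idle_timeout;` still reads the global config, as does the `if (ws->config->idle_timeout > 0)` test further down the file, yet this diff adds `idle-timeout` and `mobile-idle-timeout` to the per-user config, parses them in sup-config/file.c and documents them as per-user options. As written the per-user values are parsed but never applied. If the documentation reflects the intent, something like `if (ws->user_config->mobile_idle_timeout > 0) ws->config->idle_timeout = ws->user_config->mobile_idle_timeout;` (and the equivalent for the non-mobile value before the branch) is missing; a `> 0` test or the `has_*` flag is needed because an absent value arrives as zero. connect_handler extends far beyond this hunk.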
@@ -1509,21 +1509,21 @@ static int connect_handler(worker_st * ws) ws->vinfo.ipv4); SEND_ERR(ret); - if (ws->vinfo.ipv4_netmask) { + if (ws->user_config->ipv4_netmask) { ret = cstp_printf(ws, "X-CSTP-Netmask: %s\r\n", - ws->vinfo.ipv4_netmask); + ws->user_config->ipv4_netmask); SEND_ERR(ret); } } - if (ws->vinfo.ipv6 && req->no_ipv6 == 0 && ws->vinfo.ipv6_prefix != 0) { - oclog(ws, LOG_INFO, "sending IPv6 %s/%u", ws->vinfo.ipv6, ws->vinfo.ipv6_prefix); - if (ws->full_ipv6 && ws->vinfo.ipv6_prefix) { + if (ws->vinfo.ipv6 && req->no_ipv6 == 0 && ws->user_config->ipv6_prefix != 0) { + oclog(ws, LOG_INFO, "sending IPv6 %s/%u", ws->vinfo.ipv6, ws->user_config->ipv6_prefix); + if (ws->full_ipv6 && ws->user_config->ipv6_prefix) { ret = cstp_printf(ws, "X-CSTP-Address-IP6: %s/%u\r\n", - ws->vinfo.ipv6, ws->vinfo.ipv6_prefix); + ws->vinfo.ipv6, ws->user_config->ipv6_prefix); SEND_ERR(ret); } else { const char *net; @@ -1533,13 +1533,13 @@ static int connect_handler(worker_st * ws) ws->vinfo.ipv6); SEND_ERR(ret); - net = ws->vinfo.ipv6_network; + net = ws->user_config->ipv6_net; if (net == NULL) net = ws->vinfo.ipv6; ret = cstp_printf(ws, "X-CSTP-Netmask: %s/%u\r\n", - net, ws->vinfo.ipv6_prefix); + net, ws->user_config->ipv6_prefix); SEND_ERR(ret); } } @@ -1550,8 +1550,8 @@ static int connect_handler(worker_st * ws) if (ws->full_ipv6 == 0 || req->user_agent_type != AGENT_OPENCONNECT) req->no_ipv6 = 1; - for (i = 0; i < ws->vinfo.dns_size; i++) { - if (strchr(ws->vinfo.dns[i], ':') != 0) + for (i = 0; i < ws->user_config->n_dns; i++) { + if (strchr(ws->user_config->dns[i], ':') != 0) ip6 = 1; else ip6 = 0; 
@@ -1561,15 +1561,15 @@ static int connect_handler(worker_st * ws) if (req->no_ipv4 != 0 && ip6 == 0) continue; - oclog(ws, LOG_INFO, "adding DNS %s", ws->vinfo.dns[i]); + oclog(ws, LOG_INFO, "adding DNS %s", ws->user_config->dns[i]); ret = cstp_printf(ws, "X-CSTP-DNS: %s\r\n", - ws->vinfo.dns[i]); + ws->user_config->dns[i]); SEND_ERR(ret); } - for (i = 0; i < ws->vinfo.nbns_size; i++) { - if (strchr(ws->vinfo.nbns[i], ':') != 0) + for (i = 0; i < ws->user_config->n_nbns; i++) { + if (strchr(ws->user_config->nbns[i], ':') != 0) ip6 = 1; else ip6 = 0; @@ -1579,10 +1579,10 @@ static int connect_handler(worker_st * ws) if (req->no_ipv4 != 0 && ip6 == 0) continue; - oclog(ws, LOG_INFO, "adding NBNS %s", ws->vinfo.nbns[i]); + oclog(ws, LOG_INFO, "adding NBNS %s", ws->user_config->nbns[i]); ret = cstp_printf(ws, "X-CSTP-NBNS: %s\r\n", - ws->vinfo.nbns[i]); + ws->user_config->nbns[i]); SEND_ERR(ret); } @@ -1606,10 +1606,7 @@ static int connect_handler(worker_st * ws) } if (ws->default_route == 0) { - ret = send_routes(ws, req, ws->vinfo.routes, ws->vinfo.routes_size, 1); - SEND_ERR(ret); - - ret = send_routes(ws, req, ws->routes, ws->routes_size, 1); + ret = send_routes(ws, req, ws->user_config->routes, ws->user_config->n_routes, 1); SEND_ERR(ret); } else { @@ -1624,15 +1621,12 @@ static int connect_handler(worker_st * ws) } SEND_ERR(ret); - ret = send_routes(ws, req, ws->vinfo.no_routes, ws->vinfo.no_routes_size, 0); - SEND_ERR(ret); - - ret = send_routes(ws, req, ws->no_routes, ws->no_routes_size, 0); + ret = send_routes(ws, req, ws->user_config->no_routes, ws->user_config->n_no_routes, 0); SEND_ERR(ret); ret = cstp_printf(ws, "X-CSTP-Keepalive: %u\r\n", - ws->config->keepalive); + ws->user_config->keepalive); SEND_ERR(ret); if (ws->config->idle_timeout > 0) { 
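Review bot: The DNS and NBNS loops hand `ws->user_config->dns[i]` and `ws->user_config->nbns[i]` straight to strchr and cstp_printf, but the RADIUS backend in this diff fills these arrays with unchecked `talloc_strdup` results while still setting `n_dns`, so an allocation failure leaves a NULL entry and undefined behaviour here. A `if (ws->user_config->dns[i] == NULL) continue;` at the top of each loop, or a NULL check where the arrays are built, closes that gap. The previous code copied the strings into `ws->dns` with the same unchecked pattern, so this is not introduced by the commit, but the copy that used to sit between the two is gone. The loops are inside connect_handler, which starts and ends outside the hunk.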
@@ -1724,7 +1718,7 @@ static int connect_handler(worker_st * ws) } set_non_block(ws->conn_fd); - set_net_priority(ws, ws->conn_fd, ws->config->net_priority); + set_net_priority(ws, ws->conn_fd, ws->user_config->net_priority); if (ws->udp_state != UP_DISABLED) { @@ -1738,10 +1732,10 @@ static int connect_handler(worker_st * ws) ws->buffer); SEND_ERR(ret); - if (ws->config->dpd > 0) { + if (ws->user_config->dpd > 0) { ret = cstp_printf(ws, "X-DTLS-DPD: %u\r\n", - ws->config->dpd); + ws->user_config->dpd); SEND_ERR(ret); } @@ -1767,7 +1761,7 @@ static int connect_handler(worker_st * ws) ret = cstp_printf(ws, "X-DTLS-Keepalive: %u\r\n", - ws->config->keepalive); + ws->user_config->keepalive); SEND_ERR(ret); oclog(ws, LOG_INFO, "DTLS ciphersuite: %s", @@ -1819,7 +1813,7 @@ static int connect_handler(worker_st * ws) t); } - set_net_priority(ws, ws->dtls_tptr.fd, ws->config->net_priority); + set_net_priority(ws, ws->dtls_tptr.fd, ws->user_config->net_priority); } /* hack for openconnect. It uses only a single MTU value */ @@ -1869,8 +1863,8 @@ static int connect_handler(worker_st * ws) gettime(&tnow); ws->last_msg_tcp = ws->last_msg_udp = ws->last_nc_msg = tnow.tv_sec; - bandwidth_init(&ws->b_rx, ws->config->rx_per_sec); - bandwidth_init(&ws->b_tx, ws->config->tx_per_sec); + bandwidth_init(&ws->b_rx, ws->user_config->rx_per_sec); + bandwidth_init(&ws->b_tx, ws->user_config->tx_per_sec); sigprocmask(SIG_BLOCK, &blockset, NULL); @@ -1944,7 +1938,7 @@ static int connect_handler(worker_st * ws) if (periodic_check (ws, ws->proto_overhead + ws->crypto_overhead, &tnow, - ws->config->dpd) < 0) { + ws->user_config->dpd) < 0) { terminate_reason = REASON_ERROR; goto exit; } diff --git a/src/worker.h b/src/worker.h index 542fbc80..42321e8c 100644 --- a/src/worker.h +++ b/src/worker.h 
@@ -257,6 +257,8 @@ typedef struct worker_st {
 unsigned int cookie_set;
+ GroupCfgSt *user_config;
+
 uint8_t master_secret[TLS_MASTER_SIZE];
 uint8_t session_id[GNUTLS_MAX_SESSION_ID];
 unsigned cert_auth_ok;
@@ -273,17 +275,6 @@ typedef struct worker_st {
 struct vpn_st vinfo;
 unsigned default_route;

- /* additional data - received per user or per group */
- unsigned routes_size;
- char** routes;
- unsigned no_routes_size;
- char** no_routes;
-
- unsigned dns_size;
- char** dns;
- unsigned nbns_size;
- char** nbns;
-
 void *main_pool; /* to be used only on deinitialization */
 } worker_st;

@@ -335,7 +326,6 @@ url_handler_fn http_post_url_handler(worker_st * ws, const char *url);
 int complete_vpn_info(worker_st * ws, struct vpn_st* vinfo);
-unsigned check_if_default_route(char **routes, unsigned routes_size);
 int send_tun_mtu(worker_st *ws, unsigned int mtu);
 int handle_worker_commands(struct worker_st *ws);
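Review bot: The new `GroupCfgSt *user_config;` member carries no comment, while the fields it replaces were introduced by `/* additional data - received per user or per group */`. Its lifetime is unusual, since it points into the unpacked AuthReplyMsg that recv_cookie_auth_reply intentionally does not free on success, and it is NULL until that call succeeds, so the declaration should say so: `GroupCfgSt *user_config; /* per-user/group settings from sec-mod; points into the unpacked auth reply, NULL until cookie auth succeeds */`. The struct is only partly visible in these hunks.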