replace always-require-cert with cisco-client-compat.

This commit is contained in:
Nikos Mavrogiannopoulos
2014-01-18 09:14:44 +01:00
parent bee6a99450
commit d454557649
6 changed files with 22 additions and 10 deletions


@@ -72,7 +72,9 @@ static struct cfg_options available_options[] = {
{ .name = "pid-file", .type = OPTION_STRING, .mandatory = 0 },
{ .name = "socket-file", .type = OPTION_STRING, .mandatory = 1 },
{ .name = "banner", .type = OPTION_STRING, .mandatory = 0 },
/* this is alias for cisco-client-compat */
{ .name = "always-require-cert", .type = OPTION_BOOLEAN, .mandatory = 0 },
{ .name = "cisco-client-compat", .type = OPTION_BOOLEAN, .mandatory = 0 },
{ .name = "use-utmp", .type = OPTION_BOOLEAN, .mandatory = 0 },
{ .name = "use-dbus", .type = OPTION_BOOLEAN, .mandatory = 1 },
{ .name = "try-mtu-discovery", .type = OPTION_BOOLEAN, .mandatory = 0 },
@@ -231,6 +233,7 @@ unsigned j, mand;
char** auth = NULL;
unsigned auth_size = 0;
unsigned prefix = 0;
unsigned force_cert_auth;
pov = configFileLoad(file);
if (pov == NULL) {
@@ -328,7 +331,13 @@ unsigned prefix = 0;
READ_STRING("socket-file", config->socket_file_prefix);
READ_STRING("banner", config->banner);
READ_TF("always-require-cert", config->force_cert_auth, 1);
READ_TF("cisco-client-compat", config->cisco_client_compat, 0);
READ_TF("always-require-cert", force_cert_auth, 1);
if (force_cert_auth == 0) {
fprintf(stderr, "note that 'always-require-cert' was replaced by 'cisco-client-compat'\n");
config->cisco_client_compat = 1;
}
READ_TF("use-utmp", config->use_utmp, 1);
READ_TF("use-dbus", config->use_dbus, 0);
READ_TF("try-mtu-discovery", config->try_mtu, 0);
@@ -433,7 +442,7 @@ static void check_cfg( struct cfg_st *config)
}
if (config->auth_types & AUTH_TYPE_CERTIFICATE) {
if (config->force_cert_auth)
if (config->cisco_client_compat == 0)
config->cert_req = GNUTLS_CERT_REQUIRE;
else
config->cert_req = GNUTLS_CERT_REQUEST;
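Review bot: In the @@ -328 hunk the legacy alias wins over the new option when the two conflict: a file that sets `cisco-client-compat = false` and then `always-require-cert = false` ends with `config->cisco_client_compat = 1`, so the less strict setting is applied with no indication that the explicitly set new-style value was overridden. Because this field decides whether a client certificate is demanded at all (the check_cfg hunk maps it to GNUTLS_CERT_REQUIRE versus GNUTLS_CERT_REQUEST), an explicitly configured `cisco-client-compat` should take precedence, or the conflict should at least be reported in the same stderr note. The local `unsigned force_cert_auth;` added in the @@ -231 hunk is only safe if READ_TF stores its third argument as the default when the key is absent, which the hunk does not show; `unsigned force_cert_auth = 1;` removes the dependence on that macro detail. The note itself could also spell out the inverted meaning, e.g. `"note that 'always-require-cert = false' was replaced by 'cisco-client-compat = true'\n"`.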


@@ -168,7 +168,7 @@ static int check_user_group_status(main_server_st *s, struct proc_st* proc,
int tls_auth_ok, const char* cert_user, const char* cert_group)
{
if (s->config->auth_types & AUTH_TYPE_CERTIFICATE) {
if (tls_auth_ok == 0 && s->config->force_cert_auth != 0) {
if (tls_auth_ok == 0 && s->config->cisco_client_compat == 0) {
mslog(s, proc, LOG_INFO, "user '%s' presented no certificate", proc->username);
return -1;
}
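Review bot: The rejection in check_user_group_status is logged at LOG_INFO without saying which setting caused it; now that the decision hinges on `cisco_client_compat`, naming it makes the event actionable for whoever is correlating failed logins, e.g. `mslog(s, proc, LOG_INFO, "user '%s' presented no certificate (required unless cisco-client-compat is set)", proc->username);`. The remainder of check_user_group_status lies outside the hunk.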


@@ -331,9 +331,10 @@ route = 192.168.5.0/255.255.255.0
# Unless set to false it is required for clients to present their
# certificate even if they are authenticating via a previously granted
# cookie. Legacy CISCO clients do not do that, and thus this option
# should be set for them.
#always-require-cert = false
# cookie and complete their authentication in the same TCP connection.
# Legacy CISCO clients do not do that, and thus this option should be
# set for them.
#cisco-client-compat = false
@end example


@@ -132,7 +132,7 @@ unsigned tls_has_session_cert(struct worker_st * ws)
if (ws->cert_auth_ok)
return 1;
if (ws->config->force_cert_auth != 0) {
if (ws->config->cisco_client_compat == 0) {
return 0;
}
@@ -283,7 +283,7 @@ static int verify_certificate_cb(gnutls_session_t session)
/* notify gnutls to continue handshake normally */
return 0;
fail:
if (ws->config->force_cert_auth != 0)
if (ws->config->cisco_client_compat == 0)
return GNUTLS_E_CERTIFICATE_ERROR;
else
return 0;
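Review bot: On the `fail:` path of verify_certificate_cb (second hunk of this section) a certificate that failed verification is now tolerated whenever `cisco_client_compat` is set, so at handshake time an invalid certificate becomes indistinguishable from no certificate; the branch deserves a comment such as `/* cisco-client-compat: do not abort the handshake on a certificate failure */`. The lines before `fail:` are outside the hunk, so it is worth confirming that `ws->cert_auth_ok` is never left set on that path, since tls_has_session_cert (first hunk of this section) returns 1 on `ws->cert_auth_ok` before it ever consults the compat flag. A log line on the tolerated failure would also keep rejected-but-ignored certificates visible to operators, assuming one is not already emitted earlier in the function.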


@@ -185,7 +185,9 @@ struct cfg_st {
unsigned use_utmp;
unsigned use_dbus; /* whether the D-BUS service is registered */
unsigned try_mtu; /* MTU discovery enabled */
unsigned force_cert_auth; /* always require client certificate */
unsigned cisco_client_compat; /* do not require client certificate,
* and allow auth to complete in different
* TCP sessions. */
unsigned rate_limit_ms; /* if non zero force a connection every rate_limit milliseconds */
unsigned ping_leases; /* non zero if we need to ping prior to leasing */


@@ -383,7 +383,7 @@ int auth_cookie(worker_st * ws, void *cookie, size_t cookie_size)
char tmp_group[MAX_USERNAME_SIZE];
if ((ws->config->auth_types & AUTH_TYPE_CERTIFICATE)
&& ws->config->force_cert_auth != 0) {
&& ws->config->cisco_client_compat == 0) {
if (ws->cert_auth_ok == 0) {
oclog(ws, LOG_INFO,
"no certificate provided for cookie authentication");