Cleanup of the logging subsystem; allow logging to stderr only

Separated the logging logically from any remaining debugging
features. Introduced command line option for logging to stderr
only (for systemd and containers). The default log level is set
to (2) info.

Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
Nikos Mavrogiannopoulos
2023-12-07 11:58:27 +01:00
parent 39f274fb01
commit f0067ae0ea
48 changed files with 481 additions and 338 deletions

NEWS

@@ -1,10 +1,14 @@
* Version 1.2.3 (unreleased)
- Treat unknown clients as capable of IPv6 routes and DNS servers
- Introduced new ocserv options --log-stderr and --syslog that redirect
logging to stderr or syslog explicitly. The stderr option allows for better
integration with logging on containers or under systemd. The default remains
syslog.
- Warn when more than 2 DNS server IPv6 addresses are sent by Radius.
- Modified "Camouflage" functionality to allow AnyConnect clients (#544)
- ocserv-fw: Move under libexec.
- ocserv-fw: Fixed clean_all_rules logic on multiple similar devices (!384)
- Warn when more than 2 DNS server IPv6 addresses are sent by Radius.
- occtl: added machine-readable "raw_connected_at" field for user stats
- Modified "Camouflage" functionality to allow AnyConnect clients (#544)
* Version 1.2.2 (released 2023-09-21)


@@ -441,7 +441,7 @@ pid-file = /var/run/ocserv.pid
# command line with the -d option. All messages at the configured
# level and lower will be displayed.
# Supported levels (default 0):
# 0 default (Same as basic)
# 0 default (Same as info)
# 1 basic
# 2 info
# 3 debug


@@ -8,7 +8,7 @@ Requires=ocserv.socket
PrivateTmp=true
PIDFile=/run/ocserv.pid
Type=simple
ExecStart=/usr/sbin/ocserv --foreground --pid-file /run/ocserv.pid --config /etc/ocserv/ocserv.conf
ExecStart=/usr/sbin/ocserv --log-stderr --foreground --pid-file /run/ocserv.pid --config /etc/ocserv/ocserv.conf
ExecReload=/bin/kill -HUP $MAINPID
[Install]


@@ -7,7 +7,7 @@ After=network-online.target
PrivateTmp=true
PIDFile=/run/ocserv.pid
Type=simple
ExecStart=/usr/sbin/ocserv --foreground --pid-file /run/ocserv.pid --config /etc/ocserv/ocserv.conf
ExecStart=/usr/sbin/ocserv --log-stderr --foreground --pid-file /run/ocserv.pid --config /etc/ocserv/ocserv.conf
ExecReload=/bin/kill -HUP $MAINPID
[Install]


@@ -35,11 +35,11 @@ CORE_SOURCES = $(HTTP_PARSER_SOURCES) \
common/hmac.c common/hmac.h common/snapshot.c common/snapshot.h \
common-config.h config.c config-kkdcp.c config-ports.c defs.h gettime.h \
icmp-ping.c icmp-ping.h inih/ini.c inih/ini.h ip-lease.c ip-lease.h \
ip-util.c ip-util.h isolate.h isolate.c log.c main.h main-ctl.h \
ip-util.c ip-util.h isolate.h isolate.c main.h main-ctl.h \
script-list.h setproctitle.c setproctitle.h str.c str.h subconfig.c \
sup-config/file.c sup-config/file.h sup-config/radius.c \
sup-config/radius.h tlslib.c tlslib.h tun.c tun.h valid-hostname.c \
vasprintf.c vasprintf.h vhost.h vpn.h namespace.h
vasprintf.c vasprintf.h vhost.h vpn.h namespace.h log.c log.h
if ENABLE_COMPRESSION
CORE_SOURCES += lzs.c lzs.h


@@ -21,11 +21,12 @@
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>
#include <vpn.h>
#include "pam.h"
#include <sec-mod-acct.h>
#include "log.h"
#ifdef HAVE_PAM
#include <security/pam_appl.h>
@@ -50,7 +51,7 @@ pam_handle_t *ph;
struct pam_conv dc;
if (ai->username[0] == 0) {
syslog(LOG_NOTICE,
oc_syslog(LOG_NOTICE,
"PAM-acct: no username present");
return ERR_AUTH_FAIL;
}
@@ -59,13 +60,13 @@ struct pam_conv dc;
dc.appdata_ptr = NULL;
pret = pam_start(PACKAGE, ai->username, &dc, &ph);
if (pret != PAM_SUCCESS) {
syslog(LOG_NOTICE, "PAM-acct init: %s", pam_strerror(ph, pret));
oc_syslog(LOG_NOTICE, "PAM-acct init: %s", pam_strerror(ph, pret));
goto fail1;
}
pret = pam_acct_mgmt(ph, PAM_DISALLOW_NULL_AUTHTOK);
if (pret != PAM_SUCCESS) {
syslog(LOG_INFO, "PAM-acct account error: %s", pam_strerror(ph, pret));
oc_syslog(LOG_INFO, "PAM-acct account error: %s", pam_strerror(ph, pret));
goto fail2;
}


@@ -21,7 +21,6 @@
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>
#include <vpn.h>
#include <ctype.h>
@@ -29,6 +28,8 @@
#include "radius.h"
#include "auth/common.h"
#include "log.h"
#ifdef HAVE_RADIUS
#ifdef LEGACY_RADIUS
@@ -172,7 +173,7 @@ static void radius_acct_session_stats(void *_vctx, unsigned auth_method, const c
status_type = PW_STATUS_ALIVE;
syslog(LOG_DEBUG, "radius-auth: sending session interim update");
oc_syslog(LOG_DEBUG, "radius-auth: sending session interim update");
if (rc_avpair_add(vctx->rh, &send, PW_ACCT_STATUS_TYPE, &status_type, -1, 0) == NULL) {
goto cleanup;
@@ -187,7 +188,7 @@ static void radius_acct_session_stats(void *_vctx, unsigned auth_method, const c
rc_avpair_free(recvd);
if (ret != OK_RC) {
syslog(LOG_NOTICE, "radius-auth: radius_open_session: %d", ret);
oc_syslog(LOG_NOTICE, "radius-auth: radius_open_session: %d", ret);
goto cleanup;
}
@@ -205,11 +206,11 @@ static int radius_acct_open_session(void *_vctx, unsigned auth_method, const com
status_type = PW_STATUS_START;
if (sid_size != SID_SIZE) {
syslog(LOG_DEBUG, "radius-auth: incorrect sid size");
oc_syslog(LOG_DEBUG, "radius-auth: incorrect sid size");
return -1;
}
syslog(LOG_DEBUG, "radius-auth: opening session %s", ai->safe_id);
oc_syslog(LOG_DEBUG, "radius-auth: opening session %s", ai->safe_id);
if (rc_avpair_add(vctx->rh, &send, PW_ACCT_STATUS_TYPE, &status_type, -1, 0) == NULL) {
ret = -1;
@@ -228,7 +229,7 @@ static int radius_acct_open_session(void *_vctx, unsigned auth_method, const com
rc_avpair_free(recvd);
if (ret != OK_RC) {
syslog(LOG_NOTICE, "radius-auth: radius_open_session: %d", ret);
oc_syslog(LOG_NOTICE, "radius-auth: radius_open_session: %d", ret);
ret = -1;
goto cleanup;
}
@@ -248,7 +249,7 @@ static void radius_acct_close_session(void *_vctx, unsigned auth_method, const c
status_type = PW_STATUS_STOP;
syslog(LOG_DEBUG, "radius-auth: closing session");
oc_syslog(LOG_DEBUG, "radius-auth: closing session");
if (rc_avpair_add(vctx->rh, &send, PW_ACCT_STATUS_TYPE, &status_type, -1, 0) == NULL)
return;
@@ -276,7 +277,7 @@ static void radius_acct_close_session(void *_vctx, unsigned auth_method, const c
rc_avpair_free(recvd);
if (ret != OK_RC) {
syslog(LOG_INFO, "radius-auth: radius_close_session: %d", ret);
oc_syslog(LOG_INFO, "radius-auth: radius_close_session: %d", ret);
goto cleanup;
}
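Review bot: The message on the line `oc_syslog(LOG_NOTICE, "radius-auth: radius_open_session: %d", ret);` in the @@ -187 hunk names radius_open_session although the enclosing function, per the hunk header, is radius_acct_session_stats, so a failed interim accounting update is logged under the name of the session-open path; rename the tag to `"radius-auth: radius_acct_session_stats: %d"` (the same text in the @@ -228 hunk is correct, as that one is in radius_acct_open_session). Separately, the first hunk of this file drops one line from the include block — by the header counts presumably `#include <syslog.h>` — while LOG_DEBUG/LOG_NOTICE are still used directly, so the file now depends on `log.h` pulling in `<syslog.h>`; the gssapi, oidc, pam, plain and radius sections below do the same, whereas the pam-acct section keeps the direct include. Either keep `#include <syslog.h>` next to `"log.h"` in each file, or state in log.h that it provides the LOG_* priorities so the dependency is deliberate. All of the enclosing functions start outside their hunks.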


@@ -25,6 +25,7 @@
#include <grp.h>
#include <sec-mod-auth.h>
#include "auth-unix.h"
#include "log.h"
#ifdef HAVE_GET_USER_AUTH_GROUP
/* Fills-in groupname, if the user is in a unix group, via getpwnam().
@@ -64,7 +65,7 @@ unsigned found;
}
if (found == 0) {
syslog(LOG_NOTICE,
oc_syslog(LOG_NOTICE,
"user '%s' requested group '%s' but is not a member",
username, suggested);
return -1;


@@ -25,7 +25,6 @@
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>
#include <vpn.h>
#include <ctype.h>
@@ -38,6 +37,8 @@
#include <base64-helper.h>
#include "common-config.h"
#include "log.h"
struct gssapi_vhost_ctx_st {
gss_cred_id_t creds;
gss_OID_set oids;
@@ -68,7 +69,7 @@ static void print_gss_err(const char *where,
mech, &msg_ctx, &status);
if (GSS_ERROR(major))
break;
syslog(LOG_ERR, "gssapi: %s[maj]: %s\n", where, (char *)status.value);
oc_syslog(LOG_ERR, "gssapi: %s[maj]: %s\n", where, (char *)status.value);
gss_release_buffer(&minor, &status);
} while (msg_ctx);
@@ -78,7 +79,7 @@ static void print_gss_err(const char *where,
mech, &msg_ctx, &status);
if (GSS_ERROR(major))
break;
syslog(LOG_ERR, "gssapi: %s[min]: %s\n", where, (char *)status.value);
oc_syslog(LOG_ERR, "gssapi: %s[min]: %s\n", where, (char *)status.value);
gss_release_buffer(&minor, &status);
} while (msg_ctx);
}
@@ -167,20 +168,20 @@ static int get_name(struct gssapi_ctx_st *pctx, gss_name_t client, gss_OID mech_
pctx->username[name.length] = 0;
}
syslog(LOG_DEBUG, "gssapi: authenticated GSSAPI user: %.*s", (unsigned)name.length, (char*)name.value);
oc_syslog(LOG_DEBUG, "gssapi: authenticated GSSAPI user: %.*s", (unsigned)name.length, (char*)name.value);
gss_release_buffer(&minor, &name);
if (pctx->vctx->no_local_map == 0) {
ret = gss_localname(&minor, client, mech_type, &name);
if (GSS_ERROR(ret) || name.length >= MAX_USERNAME_SIZE) {
print_gss_err("gss_localname", mech_type, ret, minor);
syslog(LOG_INFO, "gssapi: authenticated user doesn't map to a local user");
oc_syslog(LOG_INFO, "gssapi: authenticated user doesn't map to a local user");
return -1;
}
memcpy(pctx->username, name.value, name.length);
pctx->username[name.length] = 0;
syslog(LOG_INFO, "gssapi: authenticated local user: %s", pctx->username);
oc_syslog(LOG_INFO, "gssapi: authenticated local user: %s", pctx->username);
gss_release_buffer(&minor, &name);
}
@@ -211,7 +212,7 @@ static int verify_krb5_constraints(struct gssapi_ctx_st *pctx, gss_OID mech_type
}
if (time(NULL) > authtime + pctx->vctx->ticket_freshness_secs) {
syslog(LOG_INFO, "gssapi: the presented kerberos ticket for %s is too old", pctx->username);
oc_syslog(LOG_INFO, "gssapi: the presented kerberos ticket for %s is too old", pctx->username);
return -1;
}
@@ -232,7 +233,7 @@ static int gssapi_auth_init(void **ctx, void *pool, void *_vctx, const common_au
struct gssapi_vhost_ctx_st *vctx = _vctx;
if (spnego == NULL || spnego[0] == 0) {
syslog(LOG_ERR, "gssapi: error in spnego data %s", __func__);
oc_syslog(LOG_ERR, "gssapi: error in spnego data %s", __func__);
return ERR_AUTH_FAIL;
}
@@ -244,7 +245,7 @@ static int gssapi_auth_init(void **ctx, void *pool, void *_vctx, const common_au
ret = oc_base64_decode_alloc(pctx, spnego, strlen(spnego), &raw, &raw_len);
if (ret == 0) {
syslog(LOG_ERR, "gssapi: error in base64 decoding %s", __func__);
oc_syslog(LOG_ERR, "gssapi: error in base64 decoding %s", __func__);
return ERR_AUTH_FAIL;
}
@@ -307,7 +308,7 @@ static int gssapi_auth_pass(void *ctx, const char *spnego, unsigned spnego_len)
/* nothing to be done */
ret = oc_base64_decode_alloc(pctx, spnego, spnego_len, &raw, &raw_len);
if (ret == 0) {
syslog(LOG_ERR, "gssapi: error in base64 decoding %s", __func__);
oc_syslog(LOG_ERR, "gssapi: error in base64 decoding %s", __func__);
return ERR_AUTH_FAIL;
}
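Review bot: The rebased calls `oc_syslog(LOG_ERR, "gssapi: %s[maj]: %s\n", where, (char *)status.value);` and the `[min]` variant in print_gss_err keep a trailing `\n` in the format; syslog(3) tolerated that, but with stderr now a supported backend the entry will presumably be followed by a blank line if oc_syslog terminates lines itself, and the oidc section carries the same trailing newline on nearly every message. Either strip the `\n` from these format strings or have oc_syslog drop one trailing newline before writing to stderr; the oc_syslog implementation is not in this view, so confirm which side owns line termination. print_gss_err and the other functions in this section start outside their hunks.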


@@ -18,7 +18,6 @@
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>
#include <vpn.h>
#include <ctype.h>
@@ -32,6 +31,8 @@
#include <cjose/cjose.h>
#include <time.h>
#include "log.h"
#define MINIMUM_KEY_REFRESH_INTERVAL (900)
typedef struct oidc_vctx_st {
@@ -61,7 +62,7 @@ static void oidc_vhost_init(void **vctx, void *pool, void *additional)
vc = talloc(pool, struct oidc_vctx_st);
if (vc == NULL) {
syslog(LOG_ERR, "ocserv-oidc allocation failure!\n");
oc_syslog(LOG_ERR, "ocserv-oidc allocation failure!\n");
exit(EXIT_FAILURE);
}
vc->config = NULL;
@@ -69,30 +70,30 @@ static void oidc_vhost_init(void **vctx, void *pool, void *additional)
vc->pool = pool;
if (config == NULL) {
syslog(LOG_ERR, "ocserv-oidc: no configuration passed!\n");
oc_syslog(LOG_ERR, "ocserv-oidc: no configuration passed!\n");
exit(EXIT_FAILURE);
}
vc->config = json_load_file(config, 0, &err);
if (vc->config == NULL) {
syslog(LOG_ERR, "ocserv-oidc: failed to load config file: %s\n", config);
oc_syslog(LOG_ERR, "ocserv-oidc: failed to load config file: %s\n", config);
exit(EXIT_FAILURE);
}
if (!json_object_get(vc->config, "openid_configuration_url")) {
syslog(LOG_ERR,
oc_syslog(LOG_ERR,
"ocserv-oidc: config file missing openid_configuration_url\n");
exit(EXIT_FAILURE);
}
if (!json_object_get(vc->config, "required_claims")) {
syslog(LOG_ERR,
oc_syslog(LOG_ERR,
"ocserv-oidc: config file missing required_claims\n");
exit(EXIT_FAILURE);
}
if (!json_object_get(vc->config, "user_name_claim")) {
syslog(LOG_ERR,
oc_syslog(LOG_ERR,
"ocserv-oidc: config file missing user_name_claim\n");
exit(EXIT_FAILURE);
}
@@ -104,7 +105,7 @@ static void oidc_vhost_init(void **vctx, void *pool, void *additional)
}
if (!oidc_fetch_oidc_keys(vc)) {
syslog(LOG_ERR, "ocserv-oidc: failed to load jwks\n");
oc_syslog(LOG_ERR, "ocserv-oidc: failed to load jwks\n");
exit(EXIT_FAILURE);
}
@@ -249,7 +250,7 @@ static json_t *oidc_fetch_json_from_uri(void * pool, const char *uri)
curl = curl_easy_init();
if (!curl) {
syslog(LOG_ERR,
oc_syslog(LOG_ERR,
"ocserv-oidc: failed to download JSON document: URI %s\n",
uri);
goto cleanup;
@@ -257,7 +258,7 @@ static json_t *oidc_fetch_json_from_uri(void * pool, const char *uri)
res = curl_easy_setopt(curl, CURLOPT_URL, uri);
if (res != CURLE_OK) {
syslog(LOG_ERR,
oc_syslog(LOG_ERR,
"ocserv-oidc: failed to download JSON document: URI %s, CURLcode %d\n",
uri, res);
goto cleanup;
@@ -267,7 +268,7 @@ static json_t *oidc_fetch_json_from_uri(void * pool, const char *uri)
curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION,
oidc_json_parser_context_callback);
if (res != CURLE_OK) {
syslog(LOG_ERR,
oc_syslog(LOG_ERR,
"ocserv-oidc: failed to download JSON document: URI %s, CURLcode %d\n",
uri, res);
goto cleanup;
@@ -275,7 +276,7 @@ static json_t *oidc_fetch_json_from_uri(void * pool, const char *uri)
res = curl_easy_setopt(curl, CURLOPT_WRITEDATA, &context);
if (res != CURLE_OK) {
syslog(LOG_ERR,
oc_syslog(LOG_ERR,
"ocserv-oidc: failed to download JSON document: URI %s, CURLcode %d\n",
uri, res);
goto cleanup;
@@ -283,7 +284,7 @@ static json_t *oidc_fetch_json_from_uri(void * pool, const char *uri)
res = curl_easy_perform(curl);
if (res != CURLE_OK) {
syslog(LOG_ERR,
oc_syslog(LOG_ERR,
"ocserv-oidc: failed to download JSON document: URI %s, CURLcode %d\n",
uri, res);
goto cleanup;
@@ -291,7 +292,7 @@ static json_t *oidc_fetch_json_from_uri(void * pool, const char *uri)
json = json_loadb(context.buffer, context.offset, 0, &err);
if (!json) {
syslog(LOG_ERR,
oc_syslog(LOG_ERR,
"ocserv-oidc: failed to parse JSON document: URI %s\n",
uri);
goto cleanup;
@@ -323,7 +324,7 @@ static bool oidc_fetch_oidc_keys(oidc_vctx_st * vctx)
json_t *value;
if (!openid_configuration_url) {
syslog(LOG_ERR,
oc_syslog(LOG_ERR,
"ocserv-oidc: openid_configuration_url missing from config\n");
goto cleanup;
}
@@ -334,21 +335,21 @@ static bool oidc_fetch_oidc_keys(oidc_vctx_st * vctx)
(openid_configuration_url));
if (!oidc_config) {
syslog(LOG_ERR,
oc_syslog(LOG_ERR,
"ocserv-oidc: Unable to fetch config doc from %s\n", json_string_value(openid_configuration_url));
goto cleanup;
}
json_t *jwks_uri = json_object_get(oidc_config, "jwks_uri");
if (!jwks_uri || !json_string_value(jwks_uri)) {
syslog(LOG_ERR,
oc_syslog(LOG_ERR,
"ocserv-oidc: jwks_uri missing from config doc\n");
goto cleanup;
}
jwks = oidc_fetch_json_from_uri(vctx->pool, json_string_value(jwks_uri));
if (!jwks) {
syslog(LOG_ERR,
oc_syslog(LOG_ERR,
"ocserv-oidc: failed to fetch keys from jwks_uri %s\n",
json_string_value(jwks_uri));
goto cleanup;
@@ -356,14 +357,14 @@ static bool oidc_fetch_oidc_keys(oidc_vctx_st * vctx)
array = json_object_get(jwks, "keys");
if (array == NULL) {
syslog(LOG_ERR, "ocserv-oidc: JWK keys malformed\n");
oc_syslog(LOG_ERR, "ocserv-oidc: JWK keys malformed\n");
goto cleanup;
}
// Log the keys obtained
json_array_foreach(array, index, value) {
json_t *key_kid = json_object_get(value, "kid");
syslog(LOG_INFO,
oc_syslog(LOG_INFO,
"ocserv-oidc: fetched new JWK %s\n",
json_string_value(key_kid)
);
@@ -401,24 +402,24 @@ static bool oidc_verify_lifetime(json_t * token_claims)
time_t current_time = time(NULL);
if (!token_nbf || !json_integer_value(token_nbf)) {
syslog(LOG_NOTICE, "ocserv-oidc: Token missing 'nbf' claim\n");
oc_syslog(LOG_NOTICE, "ocserv-oidc: Token missing 'nbf' claim\n");
goto cleanup;
}
if (!token_exp || !json_integer_value(token_exp)) {
syslog(LOG_NOTICE, "ocserv-oidc: Token missing 'exp' claim\n");
oc_syslog(LOG_NOTICE, "ocserv-oidc: Token missing 'exp' claim\n");
goto cleanup;
}
if (!token_iat || !json_integer_value(token_iat)) {
syslog(LOG_NOTICE, "ocserv-oidc: Token missing 'iat' claim\n");
oc_syslog(LOG_NOTICE, "ocserv-oidc: Token missing 'iat' claim\n");
goto cleanup;
}
// Check to ensure the token is within it's validity
if (json_integer_value(token_nbf) > current_time
|| json_integer_value(token_exp) < current_time) {
syslog(LOG_NOTICE,
oc_syslog(LOG_NOTICE,
"ocserv-oidc: Token not within validity period NBF: %lld EXP: %lld Current: %ld\n",
json_integer_value(token_nbf),
json_integer_value(token_exp), current_time);
@@ -446,7 +447,7 @@ static bool oidc_verify_required_claims(json_t * required_claims,
token_claim_value =
json_object_get(token_claims, required_claim_name);
if (!json_equal(required_claim_value, token_claim_value)) {
syslog(LOG_NOTICE,
oc_syslog(LOG_NOTICE,
"ocserv-oidc: Required claim not met. Claim: %s Expected Value: %s\n",
required_claim_name,
json_string_value(required_claim_value));
@@ -470,7 +471,7 @@ static bool oidc_map_user_name(json_t * user_name_claim,
json_t *token_user_name_claim =
json_object_get(token_claims, json_string_value(user_name_claim));
if (!token_user_name_claim || !json_string_value(token_user_name_claim)) {
syslog(LOG_NOTICE, "ocserv-oidc: Token missing '%s' claim\n",
oc_syslog(LOG_NOTICE, "ocserv-oidc: Token missing '%s' claim\n",
json_string_value(user_name_claim));
goto cleanup;
}
@@ -493,7 +494,7 @@ static json_t *oidc_extract_claims(cjose_jws_t * jws)
// Extract the claim portion from the token
if (!cjose_jws_get_plaintext(jws, &plain_text, &plain_text_size, &err)) {
syslog(LOG_NOTICE,
oc_syslog(LOG_NOTICE,
"ocserv-oidc: Failed to get plain text from token\n");
goto cleanup;
}
@@ -502,7 +503,7 @@ static json_t *oidc_extract_claims(cjose_jws_t * jws)
token_claims =
json_loadb((char *)plain_text, plain_text_size, 0, &json_err);
if (!token_claims) {
syslog(LOG_NOTICE,
oc_syslog(LOG_NOTICE,
"ocserv-oidc: Failed to get claims from token\n");
goto cleanup;
}
@@ -525,20 +526,20 @@ static bool oidc_verify_signature(oidc_vctx_st * vctx, cjose_jws_t * jws)
json_t *value;
if (vctx->jwks == NULL) {
syslog(LOG_NOTICE, "ocserv-oidc: JWK keys not available\n");
oc_syslog(LOG_NOTICE, "ocserv-oidc: JWK keys not available\n");
goto cleanup;
}
array = json_object_get(vctx->jwks, "keys");
if (array == NULL) {
syslog(LOG_NOTICE, "ocserv-oidc: JWK keys malformed\n");
oc_syslog(LOG_NOTICE, "ocserv-oidc: JWK keys malformed\n");
goto cleanup;
}
// Get the token header
token_header = cjose_jws_get_protected(jws);
if (token_header == NULL) {
syslog(LOG_NOTICE,
oc_syslog(LOG_NOTICE,
"ocserv-oidc: Token malformed - no header\n");
goto cleanup;
}
@@ -546,13 +547,13 @@ static bool oidc_verify_signature(oidc_vctx_st * vctx, cjose_jws_t * jws)
// Get the kid of the key used to sign this token
token_kid = json_object_get(token_header, "kid");
if (token_kid == NULL || !json_string_value(token_kid)) {
syslog(LOG_NOTICE, "ocserv-oidc: Token malformed - no kid\n");
oc_syslog(LOG_NOTICE, "ocserv-oidc: Token malformed - no kid\n");
goto cleanup;
}
token_typ = json_object_get(token_header, "typ");
if (token_typ == NULL || !json_string_value(token_typ) || strcmp(json_string_value(token_typ), "JWT")) {
syslog(LOG_NOTICE, "ocserv-oidc: Token malformed - wrong typ claim\n");
oc_syslog(LOG_NOTICE, "ocserv-oidc: Token malformed - wrong typ claim\n");
goto cleanup;
}
@@ -567,16 +568,16 @@ static bool oidc_verify_signature(oidc_vctx_st * vctx, cjose_jws_t * jws)
if (jwk == NULL) {
time_t now;
syslog(LOG_NOTICE, "ocserv-oidc: JWK with kid=%s not found\n",
oc_syslog(LOG_NOTICE, "ocserv-oidc: JWK with kid=%s not found\n",
json_string_value(token_kid));
syslog(LOG_NOTICE, "ocserv-oidc: attempting to download new JWKs");
oc_syslog(LOG_NOTICE, "ocserv-oidc: attempting to download new JWKs");
now = time(NULL);
if ((now - vctx->last_jwks_load_time) > vctx->minimum_jwk_refresh_time) {
oidc_fetch_oidc_keys(vctx);
}
else {
syslog(LOG_NOTICE, "ocserv-oidc: skipping JWK refresh");
oc_syslog(LOG_NOTICE, "ocserv-oidc: skipping JWK refresh");
}
// Fail the request and let the client try again.
@@ -584,7 +585,7 @@ static bool oidc_verify_signature(oidc_vctx_st * vctx, cjose_jws_t * jws)
}
if (!cjose_jws_verify(jws, jwk, &err)) {
syslog(LOG_NOTICE, "ocserv-oidc: Token failed validation %s\n",
oc_syslog(LOG_NOTICE, "ocserv-oidc: Token failed validation %s\n",
err.message);
goto cleanup;
}
@@ -611,33 +612,33 @@ static bool oidc_verify_token(oidc_vctx_st * vctx, const char *token,
jws = cjose_jws_import(token, token_length, &err);
if (jws == NULL) {
syslog(LOG_NOTICE, "ocserv-oidc: Token malformed - %s\n",
oc_syslog(LOG_NOTICE, "ocserv-oidc: Token malformed - %s\n",
err.message);
goto cleanup;
}
if (!oidc_verify_signature(vctx, jws)) {
syslog(LOG_NOTICE,
oc_syslog(LOG_NOTICE,
"ocserv-oidc: Token signature validation failed\n");
goto cleanup;
}
token_claims = oidc_extract_claims(jws);
if (!token_claims) {
syslog(LOG_NOTICE,
oc_syslog(LOG_NOTICE,
"ocserv-oidc: Unable to access token claims\n");
goto cleanup;
}
if (!oidc_verify_lifetime(token_claims)) {
syslog(LOG_NOTICE,
oc_syslog(LOG_NOTICE,
"ocserv-oidc: Token lifetime validation failed\n");
goto cleanup;
}
if (!oidc_verify_required_claims
(json_object_get(vctx->config, "required_claims"), token_claims)) {
syslog(LOG_NOTICE,
oc_syslog(LOG_NOTICE,
"ocserv-oidc: Token required claims validation failed\n");
goto cleanup;
}
@@ -645,7 +646,7 @@ static bool oidc_verify_token(oidc_vctx_st * vctx, const char *token,
if (!oidc_map_user_name
(json_object_get(vctx->config, "user_name_claim"), token_claims,
user_name)) {
syslog(LOG_NOTICE,
oc_syslog(LOG_NOTICE,
"ocserv-oidc: Unable to map user name claim\n");
goto cleanup;
}
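Review bot: In oidc_verify_lifetime (@@ -401 hunk) the rebased statement `oc_syslog(LOG_NOTICE, "ocserv-oidc: Token not within validity period NBF: %lld EXP: %lld Current: %ld\n", ...)` passes `current_time`, a time_t, to `%ld`; time_t is not guaranteed to be long, and a conversion/argument mismatch is undefined behaviour rather than a warning-only issue, so cast it explicitly, e.g. `(long long)current_time` with `%lld`. The two `json_integer_value` results are fine with `%lld` only if json_int_t is long long on this build, which is not visible here — a cast there as well would make the line self-evidently correct. Since every oidc line in this section changed only the function name, it would also have been the moment to decide whether these messages keep their trailing `\n` now that stderr is a target. The enclosing functions start outside their hunks.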


@@ -21,13 +21,13 @@
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>
#include <vpn.h>
#include "pam.h"
#include "common-config.h"
#include "auth-unix.h"
#include <sec-mod-auth.h>
#include <ccan/hash/hash.h>
#include "log.h"
#ifdef HAVE_PAM
@@ -78,7 +78,7 @@ static int ocserv_conv(int msg_size, const struct pam_message **msg,
switch (msg[i]->msg_style) {
case PAM_ERROR_MSG:
case PAM_TEXT_INFO:
syslog(LOG_DEBUG, "PAM-auth conv info: %s", msg[i]->msg);
oc_syslog(LOG_DEBUG, "PAM-auth conv info: %s", msg[i]->msg);
// That should never happen, but also not a big deal if we fail to add message here.
// coverity[check_return : FALSE]
@@ -87,7 +87,7 @@ static int ocserv_conv(int msg_size, const struct pam_message **msg,
ret = str_append_data(&pctx->msg, " ", 1);
if (ret < 0) {
syslog(LOG_ERR, "Error in memory allocation in PAM");
oc_syslog(LOG_ERR, "Error in memory allocation in PAM");
return PAM_BUF_ERR;
}
@@ -105,12 +105,12 @@ static int ocserv_conv(int msg_size, const struct pam_message **msg,
if (msg[i]->msg) {
ret = str_append_str(&pctx->msg, msg[i]->msg);
if (ret < 0) {
syslog(LOG_ERR, "Error in memory allocation in PAM");
oc_syslog(LOG_ERR, "Error in memory allocation in PAM");
return PAM_BUF_ERR;
}
}
syslog(LOG_DEBUG, "PAM-auth conv: echo-%s, msg: '%s'", (msg[i]->msg_style==PAM_PROMPT_ECHO_ON)?"on":"off", msg[i]->msg!=NULL?msg[i]->msg:"");
oc_syslog(LOG_DEBUG, "PAM-auth conv: echo-%s, msg: '%s'", (msg[i]->msg_style==PAM_PROMPT_ECHO_ON)?"on":"off", msg[i]->msg!=NULL?msg[i]->msg:"");
pctx->state = PAM_S_WAIT_FOR_PASS;
pctx->cr_ret = PAM_SUCCESS;
@@ -120,7 +120,7 @@ static int ocserv_conv(int msg_size, const struct pam_message **msg,
if (pctx->password[0] != 0) {
pctx->replies[i].resp = strdup(pctx->password);
if (pctx->replies[i].resp == NULL) {
syslog(LOG_ERR, "Error in memory allocation in PAM");
oc_syslog(LOG_ERR, "Error in memory allocation in PAM");
return PAM_BUF_ERR;
}
}
@@ -143,7 +143,7 @@ int pret;
pret = pam_authenticate(pctx->ph, 0);
if (pret != PAM_SUCCESS) {
syslog(LOG_INFO, "PAM authenticate error for '%s': %s", pctx->username, pam_strerror(pctx->ph, pret));
oc_syslog(LOG_INFO, "PAM authenticate error for '%s': %s", pctx->username, pam_strerror(pctx->ph, pret));
pctx->cr_ret = pret;
goto wait;
}
@@ -151,14 +151,14 @@ int pret;
pret = pam_acct_mgmt(pctx->ph, 0);
if (pret == PAM_NEW_AUTHTOK_REQD) {
/* change password */
syslog(LOG_INFO, "Password for user '%s' is expired. Attempting to update...", pctx->username);
oc_syslog(LOG_INFO, "Password for user '%s' is expired. Attempting to update...", pctx->username);
pctx->changing = 1;
pret = pam_chauthtok(pctx->ph, PAM_CHANGE_EXPIRED_AUTHTOK);
}
if (pret != PAM_SUCCESS) {
syslog(LOG_INFO, "PAM acct-mgmt error for '%s': %s", pctx->username, pam_strerror(pctx->ph, pret));
oc_syslog(LOG_INFO, "PAM acct-mgmt error for '%s': %s", pctx->username, pam_strerror(pctx->ph, pret));
pctx->cr_ret = pret;
goto wait;
}
@@ -179,7 +179,7 @@ int pret;
struct pam_ctx_st * pctx;
if (info->username == NULL || info->username[0] == 0) {
syslog(LOG_NOTICE,
oc_syslog(LOG_NOTICE,
"pam-auth: no username present");
return ERR_AUTH_FAIL;
}
@@ -194,7 +194,7 @@ struct pam_ctx_st * pctx;
pctx->dc.appdata_ptr = pctx;
pret = pam_start(PACKAGE, info->username, &pctx->dc, &pctx->ph);
if (pret != PAM_SUCCESS) {
syslog(LOG_NOTICE, "PAM-auth init: %s", pam_strerror(pctx->ph, pret));
oc_syslog(LOG_NOTICE, "PAM-auth init: %s", pam_strerror(pctx->ph, pret));
goto fail1;
}
@@ -233,7 +233,7 @@ size_t prompt_hash = 0;
co_call(pctx->cr);
if (pctx->cr_ret != PAM_SUCCESS) {
syslog(LOG_NOTICE, "PAM-auth pam_auth_msg: %s", pam_strerror(pctx->ph, pctx->cr_ret));
oc_syslog(LOG_NOTICE, "PAM-auth pam_auth_msg: %s", pam_strerror(pctx->ph, pctx->cr_ret));
return ERR_AUTH_FAIL;
}
}
@@ -273,7 +273,7 @@ struct pam_ctx_st * pctx = ctx;
return -1;
if (pctx->state != PAM_S_WAIT_FOR_PASS) {
syslog(LOG_NOTICE, "PAM auth: conversation left in wrong state (%d/expecting %d)", pctx->state, PAM_S_WAIT_FOR_PASS);
oc_syslog(LOG_NOTICE, "PAM auth: conversation left in wrong state (%d/expecting %d)", pctx->state, PAM_S_WAIT_FOR_PASS);
return ERR_AUTH_FAIL;
}
@@ -284,7 +284,7 @@ struct pam_ctx_st * pctx = ctx;
co_call(pctx->cr);
if (pctx->cr_ret != PAM_SUCCESS) {
syslog(LOG_NOTICE, "PAM-auth pam_auth_pass: %s", pam_strerror(pctx->ph, pctx->cr_ret));
oc_syslog(LOG_NOTICE, "PAM-auth pam_auth_pass: %s", pam_strerror(pctx->ph, pctx->cr_ret));
return ERR_AUTH_FAIL;
}
@@ -313,7 +313,7 @@ int pret;
pret = pam_get_item(pctx->ph, PAM_USER, (const void **)&user);
if (pret != PAM_SUCCESS) {
/*syslog(LOG_NOTICE, "PAM-auth: pam_get_item(PAM_USER): %s", pam_strerror(pctx->ph, pret));*/
/*oc_syslog(LOG_NOTICE, "PAM-auth: pam_get_item(PAM_USER): %s", pam_strerror(pctx->ph, pret));*/
return -1;
}
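Review bot: The @@ -313 hunk rewrites text inside a comment, `/*oc_syslog(LOG_NOTICE, "PAM-auth: pam_get_item(PAM_USER): %s", pam_strerror(pctx->ph, pret));*/`, so the mechanical rename touched dead code and left a pam_get_item failure silent before `return -1;`. Either delete the commented-out line or make it live at a low severity, `oc_syslog(LOG_DEBUG, "PAM-auth: pam_get_item(PAM_USER): %s", pam_strerror(pctx->ph, pret));`, so the failure is visible when debugging. The function containing it starts outside the hunk.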


@@ -22,7 +22,6 @@
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>
#include <vpn.h>
#include <ctype.h>
@@ -39,6 +38,7 @@
* in unistd.h */
# include <crypt.h>
#endif
#include "log.h"
#define MAX_CPASS_SIZE 128
#define HOTP_WINDOW 20
@@ -154,7 +154,7 @@ static int read_auth_pass(struct plain_ctx_st *pctx)
fp = fopen(pctx->config->passwd, "r");
if (fp == NULL) {
syslog(LOG_ERR,
oc_syslog(LOG_ERR,
"error in plain authentication; cannot open: %s",
pctx->config->passwd);
return -1;
@@ -228,7 +228,7 @@ static int plain_auth_init(void **ctx, void *pool, void *vctx, const common_auth
int ret;
if (info->username == NULL || info->username[0] == 0) {
syslog(LOG_ERR,
oc_syslog(LOG_ERR,
"plain-auth: no username present");
return ERR_AUTH_FAIL;
}
@@ -279,7 +279,7 @@ static int plain_auth_group(void *ctx, const char *suggested, char *groupname, i
}
if (found == 0) {
syslog(LOG_NOTICE,
oc_syslog(LOG_NOTICE,
"user '%s' requested group '%s' but is not a member",
pctx->username, suggested);
return -1;
@@ -318,7 +318,7 @@ static int plain_auth_pass(void *ctx, const char *pass, unsigned pass_len)
pctx->pass_msg = pass_msg_failed;
return ERR_AUTH_CONTINUE;
} else {
syslog(LOG_NOTICE,
oc_syslog(LOG_NOTICE,
"plain-auth: error authenticating user '%s'",
pctx->username);
return ERR_AUTH_FAIL;
@@ -326,7 +326,7 @@ static int plain_auth_pass(void *ctx, const char *pass, unsigned pass_len)
}
if (pctx->cpass[0] == 0 && pctx->config->otp_file == NULL) {
syslog(LOG_NOTICE,
oc_syslog(LOG_NOTICE,
"plain-auth: user '%s' has empty password and no OTP file configured",
pctx->username);
return ERR_AUTH_FAIL;
@@ -347,7 +347,7 @@ static int plain_auth_pass(void *ctx, const char *pass, unsigned pass_len)
ret = oath_authenticate_usersfile(pctx->config->otp_file, pctx->username,
pass, HOTP_WINDOW, NULL, &last);
if (ret != OATH_OK) {
syslog(LOG_NOTICE,
oc_syslog(LOG_NOTICE,
"plain-auth: OTP auth failed for '%s': %s",
pctx->username, oath_strerror(ret));
return ERR_AUTH_FAIL;
@@ -412,7 +412,7 @@ static void plain_group_list(void *pool, void *additional, char ***groupname, un
pool = talloc_init("plain");
fp = fopen(config->passwd, "r");
if (fp == NULL) {
syslog(LOG_NOTICE,
oc_syslog(LOG_NOTICE,
"error in plain authentication; cannot open: %s",
(char*)config->passwd);
return;
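Review bot: The identical failure `"error in plain authentication; cannot open: %s"` is logged at LOG_ERR in read_auth_pass (@@ -154 hunk) but at LOG_NOTICE in plain_group_list (@@ -412 hunk); now that the configured level decides what reaches stderr or syslog, the same operational fault — an unreadable password file — should carry one severity, and LOG_ERR fits both. Change the second call to `oc_syslog(LOG_ERR,`. Both enclosing functions start outside their hunks.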


@@ -22,7 +22,6 @@
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>
#include <vpn.h>
#include <ctype.h>
@@ -111,7 +110,7 @@ static int radius_auth_init(void **ctx, void *pool, void *_vctx, const common_au
struct radius_vhost_ctx *vctx = _vctx;
if (info->username == NULL || info->username[0] == 0) {
syslog(LOG_NOTICE,
oc_syslog(LOG_NOTICE,
"radius-auth: no username present");
return ERR_AUTH_FAIL;
}
@@ -162,7 +161,7 @@ static int radius_auth_group(void *ctx, const char *suggested, char *groupname,
}
}
syslog(LOG_NOTICE,
oc_syslog(LOG_NOTICE,
"radius-auth: user '%s' requested group '%s' but is not a member",
pctx->username, suggested);
return -1;
@@ -216,11 +215,11 @@ static void parse_groupnames(struct radius_ctx_st *pctx, const char *full)
char *p, *p2;
if (pctx->groupnames_size >= MAX_GROUPS) {
syslog(LOG_WARNING,
oc_syslog(LOG_WARNING,
"radius-auth: cannot handle more than %d groups, ignoring group string %s",
MAX_GROUPS, full);
} else if (strncmp(full, "OU=", 3) == 0) {
syslog(LOG_DEBUG, "radius-auth: found group string %s", full);
oc_syslog(LOG_DEBUG, "radius-auth: found group string %s", full);
full += 3;
p = talloc_strdup(pctx, full);
@@ -231,20 +230,20 @@ static void parse_groupnames(struct radius_ctx_st *pctx, const char *full)
while (p2 != NULL) {
pctx->groupnames[pctx->groupnames_size++] = p2;
syslog(LOG_DEBUG, "radius-auth: found group %s", p2);
oc_syslog(LOG_DEBUG, "radius-auth: found group %s", p2);
p2 = strsep(&p, ";");
if (pctx->groupnames_size == MAX_GROUPS) {
if (p2)
syslog(LOG_WARNING,
oc_syslog(LOG_WARNING,
"radius-auth: cannot handle more than %d groups, ignoring trailing group(s) %s",
MAX_GROUPS, p2);
break;
}
}
} else {
syslog(LOG_DEBUG, "radius-auth: found group string %s", full);
oc_syslog(LOG_DEBUG, "radius-auth: found group string %s", full);
p = talloc_strdup(pctx, full);
if (p == NULL)
return;
@@ -265,16 +264,16 @@ static int radius_auth_pass(void *ctx, const char *pass, unsigned pass_len)
int ret;
/* send Access-Request */
syslog(LOG_DEBUG, "radius-auth: communicating username (%s) and password", pctx->username);
oc_syslog(LOG_DEBUG, "radius-auth: communicating username (%s) and password", pctx->username);
if (rc_avpair_add(pctx->vctx->rh, &send, PW_USER_NAME, pctx->username, -1, 0) == NULL) {
syslog(LOG_ERR,
oc_syslog(LOG_ERR,
"%s:%u: error in constructing radius message for user '%s'", __func__, __LINE__,
pctx->username);
return ERR_AUTH_FAIL;
}
if (rc_avpair_add(pctx->vctx->rh, &send, PW_USER_PASSWORD, (char*)pass, -1, 0) == NULL) {
syslog(LOG_ERR,
oc_syslog(LOG_ERR,
"%s:%u: error in constructing radius message for user '%s'", __func__, __LINE__,
pctx->username);
ret = ERR_AUTH_FAIL;
@@ -288,7 +287,7 @@ static int radius_auth_pass(void *ctx, const char *pass, unsigned pass_len)
if (inet_pton(AF_INET, pctx->our_ip, &in) != 0) {
in.s_addr = ntohl(in.s_addr);
if (rc_avpair_add(pctx->vctx->rh, &send, PW_NAS_IP_ADDRESS, (char*)&in, sizeof(struct in_addr), 0) == NULL) {
syslog(LOG_ERR,
oc_syslog(LOG_ERR,
"%s:%u: error in constructing radius message for user '%s'", __func__, __LINE__,
pctx->username);
ret = ERR_AUTH_FAIL;
@@ -296,7 +295,7 @@ static int radius_auth_pass(void *ctx, const char *pass, unsigned pass_len)
}
} else if (inet_pton(AF_INET6, pctx->our_ip, &in6) != 0) {
if (rc_avpair_add(pctx->vctx->rh, &send, PW_NAS_IPV6_ADDRESS, (char*)&in6, sizeof(struct in6_addr), 0) == NULL) {
syslog(LOG_ERR,
oc_syslog(LOG_ERR,
"%s:%u: error in constructing radius message for user '%s'", __func__, __LINE__,
pctx->username);
ret = ERR_AUTH_FAIL;
@@ -307,7 +306,7 @@ static int radius_auth_pass(void *ctx, const char *pass, unsigned pass_len)
if (pctx->vctx->nas_identifier[0] != 0) {
if (rc_avpair_add(pctx->vctx->rh, &send, PW_NAS_IDENTIFIER, pctx->vctx->nas_identifier, -1, 0) == NULL) {
syslog(LOG_ERR,
oc_syslog(LOG_ERR,
"%s:%u: error in constructing radius message for user '%s'", __func__, __LINE__,
pctx->username);
ret = ERR_AUTH_FAIL;
@@ -316,7 +315,7 @@ static int radius_auth_pass(void *ctx, const char *pass, unsigned pass_len)
}
if (rc_avpair_add(pctx->vctx->rh, &send, PW_CALLING_STATION_ID, pctx->remote_ip, -1, 0) == NULL) {
syslog(LOG_ERR,
oc_syslog(LOG_ERR,
"%s:%u: error in constructing radius message for user '%s'", __func__, __LINE__,
pctx->username);
ret = ERR_AUTH_FAIL;
@@ -325,7 +324,7 @@ static int radius_auth_pass(void *ctx, const char *pass, unsigned pass_len)
if (pctx->user_agent[0] != 0) {
if (rc_avpair_add(pctx->vctx->rh, &send, PW_CONNECT_INFO, pctx->user_agent, -1, 0) == NULL) {
syslog(LOG_ERR,
oc_syslog(LOG_ERR,
"%s:%u: error in constructing radius message for user '%s'", __func__, __LINE__,
pctx->username);
ret = ERR_AUTH_FAIL;
@@ -335,7 +334,7 @@ static int radius_auth_pass(void *ctx, const char *pass, unsigned pass_len)
service = PW_AUTHENTICATE_ONLY;
if (rc_avpair_add(pctx->vctx->rh, &send, PW_SERVICE_TYPE, &service, -1, 0) == NULL) {
syslog(LOG_ERR,
oc_syslog(LOG_ERR,
"%s:%u: error in constructing radius message for user '%s'", __func__, __LINE__,
pctx->username);
ret = ERR_AUTH_FAIL;
@@ -344,7 +343,7 @@ static int radius_auth_pass(void *ctx, const char *pass, unsigned pass_len)
service = PW_ASYNC;
if (rc_avpair_add(pctx->vctx->rh, &send, PW_NAS_PORT_TYPE, &service, -1, 0) == NULL) {
syslog(LOG_ERR,
oc_syslog(LOG_ERR,
"%s:%u: error in constructing radius message for user '%s'", __func__, __LINE__,
pctx->username);
ret = ERR_AUTH_FAIL;
@@ -353,7 +352,7 @@ static int radius_auth_pass(void *ctx, const char *pass, unsigned pass_len)
if (pctx->state != NULL) {
if (rc_avpair_add(pctx->vctx->rh, &send, PW_STATE, pctx->state, -1, 0) == NULL) {
syslog(LOG_ERR,
oc_syslog(LOG_ERR,
"%s:%u: error in constructing radius message for user '%s'", __func__, __LINE__,
pctx->username);
ret = ERR_AUTH_FAIL;
@@ -374,7 +373,7 @@ static int radius_auth_pass(void *ctx, const char *pass, unsigned pass_len)
while (vp != NULL) {
if (vp->attribute == PW_SERVICE_TYPE && vp->lvalue != PW_FRAMED) {
syslog(LOG_ERR,
oc_syslog(LOG_ERR,
"%s:%u: unknown radius service type '%d'", __func__, __LINE__,
(int)vp->lvalue);
goto fail;
@@ -415,7 +414,7 @@ static int radius_auth_pass(void *ctx, const char *pass, unsigned pass_len)
else {
char dst[MAX_IP_STR];
inet_ntop(AF_INET6, vp->strvalue, dst, sizeof(dst));
syslog(LOG_NOTICE, "radius-auth: cannot handle more than 2 DNS servers, ignoring additional DNS server from RADIUS: %s", dst);
oc_syslog(LOG_NOTICE, "radius-auth: cannot handle more than 2 DNS servers, ignoring additional DNS server from RADIUS: %s", dst);
}
} else if (vp->attribute == PW_FRAMED_IP_ADDRESS && vp->type == PW_TYPE_IPADDR) {
/* Framed-IP-Address */
@@ -451,7 +450,7 @@ static int radius_auth_pass(void *ctx, const char *pass, unsigned pass_len)
} else if (vp->attribute == PW_SESSION_TIMEOUT && vp->type == PW_TYPE_INTEGER) {
pctx->session_timeout_secs = vp->lvalue;
} else {
syslog(LOG_DEBUG, "radius-auth: ignoring server's value %u of type %u", (int)vp->attribute, (int)vp->type);
oc_syslog(LOG_DEBUG, "radius-auth: ignoring server's value %u of type %u", (int)vp->attribute, (int)vp->type);
}
vp = vp->next;
}
@@ -469,7 +468,7 @@ static int radius_auth_pass(void *ctx, const char *pass, unsigned pass_len)
pctx->state = talloc_strdup(pctx, vp->strvalue);
pctx->id++;
syslog(LOG_DEBUG, "radius-auth: Access-Challenge response stage %u, State %s", pctx->passwd_counter, vp->strvalue);
oc_syslog(LOG_DEBUG, "radius-auth: Access-Challenge response stage %u, State %s", pctx->passwd_counter, vp->strvalue);
ret = ERR_AUTH_CONTINUE;
}
vp = vp->next;
@@ -478,7 +477,7 @@ static int radius_auth_pass(void *ctx, const char *pass, unsigned pass_len)
/* PW_STATE or PW_REPLY_MESSAGE is empty or MAX_CHALLENGES limit exceeded */
if ((pctx->pass_msg[0] == 0) || (pctx->state == NULL) || (pctx->passwd_counter >= MAX_CHALLENGES)) {
strlcpy(pctx->pass_msg, pass_msg_failed, sizeof(pctx->pass_msg));
syslog(LOG_ERR, "radius-auth: Access-Challenge with invalid State or Reply-Message, or max number of password requests exceeded");
oc_syslog(LOG_ERR, "radius-auth: Access-Challenge with invalid State or Reply-Message, or max number of password requests exceeded");
ret = ERR_AUTH_FAIL;
}
goto cleanup;
@@ -492,7 +491,7 @@ static int radius_auth_pass(void *ctx, const char *pass, unsigned pass_len)
goto cleanup;
}
syslog(LOG_NOTICE,
oc_syslog(LOG_NOTICE,
"radius-auth: error authenticating user '%s' (code %d)",
pctx->username, ret);
ret = ERR_AUTH_FAIL;


@@ -35,6 +35,7 @@
#include "common.h"
#include "defs.h"
#include "common/base64-helper.h"
#include "log.h"
int saved_argc = 0;
char **saved_argv = NULL;
@@ -324,7 +325,7 @@ void set_non_block(int fd)
* https://patchwork.kernel.org/project/qemu-devel/patch/20200331133536.3328-1-linus.walleij@linaro.org/
*/
int e = errno;
syslog(LOG_ERR, "set_non_block: %s", strerror(e));
oc_syslog(LOG_ERR, "set_non_block: %s", strerror(e));
}
}
@@ -336,7 +337,7 @@ void set_block(int fd)
ret = fcntl(fd, F_SETFL, val & (~O_NONBLOCK));
if (ret == -1) {
int e = errno;
syslog(LOG_ERR, "set_non_block: %s", strerror(e));
oc_syslog(LOG_ERR, "set_non_block: %s", strerror(e));
}
}
@@ -413,7 +414,7 @@ int forward_msg(void *pool, int ifd, uint8_t icmd, int ofd, uint8_t ocmd, unsign
ret = recvmsg_timeout(ifd, &hdr, 0, timeout);
if (ret == -1) {
int e = errno;
syslog(LOG_ERR, "%s:%u: recvmsg: %s", __FILE__, __LINE__,
oc_syslog(LOG_ERR, "%s:%u: recvmsg: %s", __FILE__, __LINE__,
strerror(e));
return ERR_BAD_COMMAND;
}
@@ -423,7 +424,7 @@ int forward_msg(void *pool, int ifd, uint8_t icmd, int ofd, uint8_t ocmd, unsign
}
if (rcmd != icmd) {
syslog(LOG_ERR, "%s:%u: expected %d, received %d", __FILE__,
oc_syslog(LOG_ERR, "%s:%u: expected %d, received %d", __FILE__,
__LINE__, (int)rcmd, (int)icmd);
return ERR_BAD_COMMAND;
}
@@ -434,7 +435,7 @@ int forward_msg(void *pool, int ifd, uint8_t icmd, int ofd, uint8_t ocmd, unsign
/* send headers */
ret = force_write(ofd, data, 5);
if (ret != 5) {
syslog(LOG_ERR, "%s:%u: cannot send headers: %s", __FILE__,
oc_syslog(LOG_ERR, "%s:%u: cannot send headers: %s", __FILE__,
__LINE__, strerror(errno));
return ERR_BAD_COMMAND;
}
@@ -448,14 +449,14 @@ int forward_msg(void *pool, int ifd, uint8_t icmd, int ofd, uint8_t ocmd, unsign
if (ret == -1 || ret == 0) {
if (errno == EAGAIN || errno == EINTR)
continue;
syslog(LOG_ERR, "%s:%u: cannot send between descriptors: %s", __FILE__,
oc_syslog(LOG_ERR, "%s:%u: cannot send between descriptors: %s", __FILE__,
__LINE__, strerror(errno));
return ERR_BAD_COMMAND;
}
ret = force_write(ofd, buf, ret);
if (ret == -1 || ret == 0) {
syslog(LOG_ERR, "%s:%u: cannot send between descriptors: %s", __FILE__,
oc_syslog(LOG_ERR, "%s:%u: cannot send between descriptors: %s", __FILE__,
__LINE__, strerror(errno));
return ERR_BAD_COMMAND;
}
@@ -504,7 +505,7 @@ int send_socket_msg(void *pool, int fd, uint8_t cmd,
if (length > 0) {
packed = talloc_size(pool, length);
if (packed == NULL) {
syslog(LOG_ERR, "%s:%u: memory error", __FILE__,
oc_syslog(LOG_ERR, "%s:%u: memory error", __FILE__,
__LINE__);
return -1;
}
@@ -514,7 +515,7 @@ int send_socket_msg(void *pool, int fd, uint8_t cmd,
ret = pack(msg, packed);
if (ret == 0) {
syslog(LOG_ERR, "%s:%u: packing error", __FILE__,
oc_syslog(LOG_ERR, "%s:%u: packing error", __FILE__,
__LINE__);
ret = -1;
goto cleanup;
@@ -539,7 +540,7 @@ int send_socket_msg(void *pool, int fd, uint8_t cmd,
} while (ret == -1 && errno == EINTR);
if (ret < 0) {
int e = errno;
syslog(LOG_ERR, "%s:%u: %s", __FILE__, __LINE__, strerror(e));
oc_syslog(LOG_ERR, "%s:%u: %s", __FILE__, __LINE__, strerror(e));
}
cleanup:
@@ -567,7 +568,7 @@ int recv_msg_headers(int fd, uint8_t *cmd, unsigned timeout)
ret = recvmsg_timeout(fd, &hdr, 0, timeout);
if (ret == -1) {
int e = errno;
syslog(LOG_WARNING, "%s:%u: recvmsg: %s", __FILE__, __LINE__,
oc_syslog(LOG_WARNING, "%s:%u: recvmsg: %s", __FILE__, __LINE__,
strerror(e));
return ERR_BAD_COMMAND;
}
@@ -611,7 +612,7 @@ int recv_msg_data(int fd, uint8_t *cmd, uint8_t *data, size_t data_size,
ret = recvmsg_timeout(fd, &hdr, 0, MAIN_SEC_MOD_TIMEOUT);
if (ret == -1) {
int e = errno;
syslog(LOG_ERR, "%s:%u: recvmsg: %s", __FILE__, __LINE__,
oc_syslog(LOG_ERR, "%s:%u: recvmsg: %s", __FILE__, __LINE__,
strerror(e));
return ERR_BAD_COMMAND;
}
@@ -628,7 +629,7 @@ int recv_msg_data(int fd, uint8_t *cmd, uint8_t *data, size_t data_size,
&& cmptr->cmsg_len == CMSG_LEN(sizeof(int))) {
if (cmptr->cmsg_level != SOL_SOCKET
|| cmptr->cmsg_type != SCM_RIGHTS) {
syslog(LOG_ERR,
oc_syslog(LOG_ERR,
"%s:%u: recvmsg returned invalid msg type",
__FILE__, __LINE__);
return ERR_BAD_COMMAND;
@@ -640,7 +641,7 @@ int recv_msg_data(int fd, uint8_t *cmd, uint8_t *data, size_t data_size,
}
if (l32 > data_size) {
syslog(LOG_ERR, "%s:%u: recv_msg_data: received more data than expected", __FILE__,
oc_syslog(LOG_ERR, "%s:%u: recv_msg_data: received more data than expected", __FILE__,
__LINE__);
ret = ERR_BAD_COMMAND;
goto cleanup;
@@ -649,7 +650,7 @@ int recv_msg_data(int fd, uint8_t *cmd, uint8_t *data, size_t data_size,
ret = force_read_timeout(fd, data, l32, MAIN_SEC_MOD_TIMEOUT);
if (ret < l32) {
int e = errno;
syslog(LOG_ERR, "%s:%u: recvmsg: %s", __FILE__,
oc_syslog(LOG_ERR, "%s:%u: recvmsg: %s", __FILE__,
__LINE__, strerror(e));
ret = ERR_BAD_COMMAND;
goto cleanup;
@@ -698,7 +699,7 @@ int recv_socket_msg(void *pool, int fd, uint8_t cmd,
ret = recvmsg_timeout(fd, &hdr, 0, timeout);
if (ret == -1) {
int e = errno;
syslog(LOG_ERR, "%s:%u: recvmsg: %s", __FILE__, __LINE__,
oc_syslog(LOG_ERR, "%s:%u: recvmsg: %s", __FILE__, __LINE__,
strerror(e));
return ERR_BAD_COMMAND;
}
@@ -708,7 +709,7 @@ int recv_socket_msg(void *pool, int fd, uint8_t cmd,
}
if (rcmd != cmd) {
syslog(LOG_ERR, "%s:%u: expected %d, received %d", __FILE__,
oc_syslog(LOG_ERR, "%s:%u: expected %d, received %d", __FILE__,
__LINE__, (int)rcmd, (int)cmd);
return ERR_BAD_COMMAND;
}
@@ -719,7 +720,7 @@ int recv_socket_msg(void *pool, int fd, uint8_t cmd,
&& cmptr->cmsg_len == CMSG_LEN(sizeof(int))) {
if (cmptr->cmsg_level != SOL_SOCKET
|| cmptr->cmsg_type != SCM_RIGHTS) {
syslog(LOG_ERR,
oc_syslog(LOG_ERR,
"%s:%u: recvmsg returned invalid msg type",
__FILE__, __LINE__);
return ERR_BAD_COMMAND;
@@ -744,7 +745,7 @@ int recv_socket_msg(void *pool, int fd, uint8_t cmd,
ret = force_read_timeout(fd, data, length, timeout);
if (ret < length) {
int e = errno;
syslog(LOG_ERR, "%s:%u: recvmsg: %s", __FILE__,
oc_syslog(LOG_ERR, "%s:%u: recvmsg: %s", __FILE__,
__LINE__, strerror(e));
ret = ERR_BAD_COMMAND;
goto cleanup;
@@ -752,7 +753,7 @@ int recv_socket_msg(void *pool, int fd, uint8_t cmd,
*msg = unpack(&pa, length, data);
if (*msg == NULL) {
syslog(LOG_ERR, "%s:%u: unpacking error", __FILE__,
oc_syslog(LOG_ERR, "%s:%u: unpacking error", __FILE__,
__LINE__);
ret = ERR_MEM;
goto cleanup;
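Review bot: The converted line inside `set_block` still reports under the wrong name — `oc_syslog(LOG_ERR, "set_non_block: %s", strerror(e));` — so an fcntl failure while clearing O_NONBLOCK is indistinguishable from one in `set_non_block`; since the line is being rewritten anyway, make it `oc_syslog(LOG_ERR, "set_block: %s", strerror(e));`. The `force_write` failure paths in forward_msg call `strerror(errno)` inline, while the recv paths in this same file save `int e = errno;` first; the saved form is the safer one, because anything evaluated between the failing call and the log call can clobber errno. forward_msg, send_socket_msg, recv_msg_data and recv_socket_msg all extend beyond the visible hunks.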


@@ -22,6 +22,7 @@
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include "log.h"
#if defined(ENABLE_ADAPTIVE_RATE_LIMIT_SUPPORT)
@@ -32,7 +33,6 @@
#include <linux/sock_diag.h>
#include <linux/unix_diag.h>
#include <netinet/tcp.h>
#include <sys/syslog.h>
static int send_query(int fd, int inode, int states, int show)
{
@@ -70,7 +70,7 @@ static int send_query(int fd, int inode, int states, int show)
continue;
err = errno;
syslog(LOG_ERR, "sendmsg failed %s", strerror(err));
oc_syslog(LOG_ERR, "sendmsg failed %s", strerror(err));
return -1;
}
@@ -121,12 +121,12 @@ static int match_name(const struct unix_diag_msg *diag, unsigned int len,
}
if (path_len == 0) {
syslog(LOG_ERR, "UNIX_DIAG_NAME not present in response");
oc_syslog(LOG_ERR, "UNIX_DIAG_NAME not present in response");
return -1;
}
if (rqlen_valid == 0) {
syslog(LOG_ERR, "UNIX_DIAG_RQLEN not present in response");
oc_syslog(LOG_ERR, "UNIX_DIAG_RQLEN not present in response");
return -1;
}
@@ -165,19 +165,19 @@ static int receive_responses(int fd, process_response process, void *context)
if (errno == EINTR)
continue;
err = errno;
syslog(LOG_ERR, "recvmsg failed %s", strerror(err));
oc_syslog(LOG_ERR, "recvmsg failed %s", strerror(err));
return -1;
}
if (ret == 0) {
syslog(LOG_ERR, "recvmsg returned empty response");
oc_syslog(LOG_ERR, "recvmsg returned empty response");
return -1;
}
const struct nlmsghdr *h = (struct nlmsghdr *)buf;
if (!NLMSG_OK(h, ret)) {
syslog(LOG_ERR, "!NLMSG_OK");
oc_syslog(LOG_ERR, "!NLMSG_OK");
return -1;
}
@@ -191,11 +191,11 @@ static int receive_responses(int fd, process_response process, void *context)
const struct nlmsgerr *err = NLMSG_DATA(h);
if (h->nlmsg_len < NLMSG_LENGTH(sizeof(*err))) {
syslog(LOG_ERR,
oc_syslog(LOG_ERR,
"nlmsg_type NLMSG_ERROR has short nlmsg_len %d",
h->nlmsg_len);
} else {
syslog(LOG_ERR, "NLM query failed %s",
oc_syslog(LOG_ERR, "NLM query failed %s",
strerror(-err->error));
}
@@ -203,7 +203,7 @@ static int receive_responses(int fd, process_response process, void *context)
}
if (h->nlmsg_type != SOCK_DIAG_BY_FAMILY) {
syslog(LOG_ERR, "unexpected nlmsg_type %u\n",
oc_syslog(LOG_ERR, "unexpected nlmsg_type %u\n",
(unsigned)h->nlmsg_type);
return -1;
}
@@ -211,14 +211,14 @@ static int receive_responses(int fd, process_response process, void *context)
diag = (const struct unix_diag_msg *)NLMSG_DATA(h);
if (h->nlmsg_len < NLMSG_LENGTH(sizeof(*diag))) {
syslog(LOG_ERR,
oc_syslog(LOG_ERR,
"nlmsg_type SOCK_DIAG_BY_FAMILY has short nlmsg_len %d",
h->nlmsg_len);
return -1;
}
if (diag->udiag_family != AF_UNIX) {
syslog(LOG_ERR, "unexpected family %u\n",
oc_syslog(LOG_ERR, "unexpected family %u\n",
diag->udiag_family);
return -1;
}
@@ -244,7 +244,7 @@ int sockdiag_query_unix_domain_socket_queue_length(const char *socket_name,
if (fd < 0) {
err = errno;
syslog(LOG_ERR, "socket failed %s", strerror(err));
oc_syslog(LOG_ERR, "socket failed %s", strerror(err));
goto cleanup;
}


@@ -27,12 +27,13 @@
#include <sys/socket.h>
#include <sys/un.h>
#include <sys/uio.h>
#include <sys/syslog.h>
#include <stdlib.h> /* getenv */
#include <errno.h>
#include <signal.h>
#include <string.h>
#include <defs.h>
#include "log.h"
void kill_on_parent_kill(int sig)
{
@@ -46,7 +47,7 @@ void pr_set_undumpable(const char *mod)
#ifdef __linux__
if (prctl(PR_SET_DUMPABLE, 0) == -1) {
int e = errno;
syslog(LOG_ERR, "%s: prctl(PR_SET_DUMPABLE) failed %s",
oc_syslog(LOG_ERR, "%s: prctl(PR_SET_DUMPABLE) failed %s",
mod, strerror(e));
}
#endif
@@ -84,13 +85,13 @@ int check_upeer_id(const char *mod, int debug, int cfd, uid_t uid, uid_t gid, ui
ret = getsockopt(cfd, SOL_SOCKET, SO_PEERCRED, &cr, &cr_len);
if (ret == -1) {
e = errno;
syslog(LOG_ERR, "%s: getsockopt SO_PEERCRED error: %s",
oc_syslog(LOG_ERR, "%s: getsockopt SO_PEERCRED error: %s",
mod, strerror(e));
return -1;
}
if (debug >= 3)
syslog(LOG_DEBUG,
if (debug >= OCLOG_DEBUG)
oc_syslog(LOG_DEBUG,
"%s: received request from pid %u and uid %u",
mod, (unsigned)cr.pid, (unsigned)cr.uid);
@@ -101,7 +102,7 @@ int check_upeer_id(const char *mod, int debug, int cfd, uid_t uid, uid_t gid, ui
*pid = cr.pid;
if (cr.uid != 0 && (cr.uid != uid || cr.gid != gid)) {
syslog(LOG_ERR,
oc_syslog(LOG_ERR,
"%s: received unauthorized request from pid %u and uid %u",
mod, (unsigned)cr.pid, (unsigned)cr.uid);
return -1;
@@ -114,7 +115,7 @@ int check_upeer_id(const char *mod, int debug, int cfd, uid_t uid, uid_t gid, ui
if (ret == -1) {
e = errno;
syslog(LOG_DEBUG, "%s: getpeereid error: %s",
oc_syslog(LOG_DEBUG, "%s: getpeereid error: %s",
mod, strerror(e));
return -1;
}
@@ -125,13 +126,13 @@ int check_upeer_id(const char *mod, int debug, int cfd, uid_t uid, uid_t gid, ui
if (pid)
*pid = 0;
if (debug >= 3)
syslog(LOG_DEBUG,
if (debug >= OCLOG_DEBUG)
oc_syslog(LOG_DEBUG,
"%s: received request from a processes with uid %u",
mod, (unsigned)euid);
if (euid != 0 && (euid != uid || egid != gid)) {
syslog(LOG_ERR,
oc_syslog(LOG_ERR,
"%s: received unauthorized request from a process with uid %u",
mod, (unsigned)euid);
return -1;
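Review bot: On the getpeereid fallback path a failure to obtain the peer's credentials is logged at `LOG_DEBUG` (`oc_syslog(LOG_DEBUG, "%s: getpeereid error: %s", ...)`) even though it causes the request to be rejected, while the equivalent SO_PEERCRED failure above is `LOG_ERR`; on a syslog configuration that drops debug an operator will see the "unauthorized connection" line from the caller with no reason, so raise it to `oc_syslog(LOG_ERR, "%s: getpeereid error: %s", mod, strerror(e));`. The `debug` parameter now receives `log_level` at the call sites, so renaming it to `log_level` in the signature keeps the `debug >= OCLOG_DEBUG` comparison self-explanatory. The function begins before the first hunk.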


@@ -23,6 +23,7 @@
#include <common-config.h>
#include <ctype.h>
#include <talloc.h>
#include "log.h"
#include <vpn.h>
@@ -81,7 +82,7 @@ int cfg_parse_ports(void *pool, FwPortSt ***fw_ports, size_t *n_fw_ports, const
}
if (bracket_start == 0) {
syslog(LOG_ERR, "no bracket following negation at %d '%s'", (int)(ptrdiff_t)(p-str), str);
oc_syslog(LOG_ERR, "no bracket following negation at %d '%s'", (int)(ptrdiff_t)(p-str), str);
return -1;
}
}
@@ -110,7 +111,7 @@ int cfg_parse_ports(void *pool, FwPortSt ***fw_ports, size_t *n_fw_ports, const
proto = PROTO_ESP;
p += 3;
} else {
syslog(LOG_ERR, "unknown protocol on restrict-user-to-ports at %d '%s'", (int)(ptrdiff_t)(p-str), str);
oc_syslog(LOG_ERR, "unknown protocol on restrict-user-to-ports at %d '%s'", (int)(ptrdiff_t)(p-str), str);
return -1;
}
@@ -118,7 +119,7 @@ int cfg_parse_ports(void *pool, FwPortSt ***fw_ports, size_t *n_fw_ports, const
p++;
if (*p != '(') {
syslog(LOG_ERR, "expected parenthesis on restrict-user-to-ports at %d '%s'", (int)(ptrdiff_t)(p-str), str);
oc_syslog(LOG_ERR, "expected parenthesis on restrict-user-to-ports at %d '%s'", (int)(ptrdiff_t)(p-str), str);
return -1;
}
@@ -127,13 +128,13 @@ int cfg_parse_ports(void *pool, FwPortSt ***fw_ports, size_t *n_fw_ports, const
ret = append_port(pool, fw_ports, n_fw_ports, port, proto, negate);
if (ret < 0) {
syslog(LOG_ERR, "memory error");
oc_syslog(LOG_ERR, "memory error");
return -1;
}
p2 = strchr(p, ')');
if (p2 == NULL) {
syslog(LOG_ERR, "expected closing parenthesis on restrict-user-to-ports at %d '%s'", (int)(ptrdiff_t)(p-str), str);
oc_syslog(LOG_ERR, "expected closing parenthesis on restrict-user-to-ports at %d '%s'", (int)(ptrdiff_t)(p-str), str);
return -1;
}
@@ -144,7 +145,7 @@ int cfg_parse_ports(void *pool, FwPortSt ***fw_ports, size_t *n_fw_ports, const
if (*p2 == 0 || (negate != 0 && *p2 == ')')) {
finish = 1;
} else if (*p2 != ',') {
syslog(LOG_ERR, "expected comma or end of line on restrict-user-to-ports at %d '%s'", (int)(ptrdiff_t)(p2-str), str);
oc_syslog(LOG_ERR, "expected comma or end of line on restrict-user-to-ports at %d '%s'", (int)(ptrdiff_t)(p2-str), str);
return -1;
}
p=p2;


@@ -523,6 +523,7 @@ static void apply_default_conf(vhost_cfg_st *vhost, unsigned reload)
if (!reload) { /* perm config defaults */
tls_vhost_init(vhost);
vhost->perm_config.stats_reset_time = 24*60*60*7; /* weekly */
vhost->perm_config.log_level = DEFAULT_LOG_LEVEL;
}
vhost->perm_config.config->mobile_idle_timeout = (unsigned)-1;
@@ -828,9 +829,7 @@ static int cfg_ini_handler(void *_ctx, const char *section, const char *name, co
if (!PWARN_ON_VHOST(vhost->name, "sec-mod-scale", sec_mod_scale))
READ_NUMERIC(vhost->perm_config.sec_mod_scale);
} else if (strcmp(name, "log-level") == 0) {
if (vhost->perm_config.debug == 0) {
READ_NUMERIC(vhost->perm_config.debug);
}
READ_NUMERIC(vhost->perm_config.log_level);
} else {
stage1_found = 0;
}
@@ -1580,6 +1579,8 @@ static void check_cfg(vhost_cfg_st *vhost, vhost_cfg_st *defvhost, unsigned sile
#define OPT_NO_CHDIR 1
static const struct option long_options[] = {
{"debug", 1, 0, 'd'},
{"log-stderr", 0, 0, 'e'},
{"syslog", 0, 0, 's'},
{"config", 1, 0, 'c'},
{"pid-file", 1, 0, 'p'},
{"test-config", 0, 0, 't'},
@@ -1608,8 +1609,10 @@ void usage(void)
fprintf(stderr, " -p, --pid-file=file Specify pid file for the server\n");
fprintf(stderr, " -v, --version output version information and exit\n");
fprintf(stderr, " -x, --traceable Allow processes tracing\n");
fprintf(stderr, " - use for debugging purposes only\n");
fprintf(stderr, " -h, --help display extended usage information and exit\n\n");
fprintf(stderr, " - use for debugging purposes only\n");
fprintf(stderr, " -e, --log-stderr Log to stderr\n");
fprintf(stderr, " -s, --syslog Log to syslog (default)\n");
fprintf(stderr, " -h, --help Display extended usage information and exit\n\n");
fprintf(stderr, "OpenConnect VPN server (ocserv) is a VPN server compatible with the\n");
fprintf(stderr, "OpenConnect VPN client. It follows the TLS and DTLS-based AnyConnect VPN\n");
@@ -1621,6 +1624,7 @@ void usage(void)
int cmd_parser (void *pool, int argc, char **argv, struct list_head *head, bool worker)
{
unsigned test_only = 0;
unsigned debug_asked = 0;
int c;
vhost_cfg_st *vhost;
@@ -1643,11 +1647,18 @@ int cmd_parser (void *pool, int argc, char **argv, struct list_head *head, bool
strlcpy(cfg_file, optarg, sizeof(cfg_file));
break;
case 'd':
vhost->perm_config.debug = atoi(optarg);
vhost->perm_config.log_level = atoi(optarg);
debug_asked = 1;
break;
case 't':
test_only = 1;
break;
case 'e':
vhost->perm_config.log_stderr = 1;
break;
case 's':
vhost->perm_config.syslog = 1;
break;
case OPT_NO_CHDIR:
vhost->perm_config.no_chdir = 1;
break;
@@ -1668,6 +1679,12 @@ int cmd_parser (void *pool, int argc, char **argv, struct list_head *head, bool
exit(EXIT_FAILURE);
}
if (vhost->perm_config.log_stderr == 0 && vhost->perm_config.syslog == 0) {
vhost->perm_config.syslog = 1; /* default if nothing specified*/
if (debug_asked)
vhost->perm_config.log_stderr = 1; /* compatible with previous behavior */
}
if (access(cfg_file, R_OK) != 0) {
fprintf(stderr, ERRSTR"cannot access config file: %s\n", cfg_file);
fprintf(stderr, "Usage: %s -c [config]\nUse %s --help for more information.\n", argv[0], argv[0]);
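Review bot: Removing the `if (vhost->perm_config.debug == 0)` guard in the `log-level` handler changes precedence: a `log-level` in the config file now overwrites whatever `-d` stored in `perm_config.log_level`, whereas before the command-line value won; if that is not intended, the guard should be kept in the new form, e.g. `if (!vhost->perm_config.log_level) READ_NUMERIC(vhost->perm_config.log_level);` is not enough since 0 is a valid level, so the `debug_asked` flag (currently local to cmd_parser) would need to reach the handler — otherwise document the new precedence in the manual. `atoi(optarg)` accepts `-d -1` and `-d 3x` silently; `strtol` with an end-pointer check and a `0..OCLOG_TLS` range check rejects both. The new `-e`/`-s` letters must also be added to the getopt short-option string, which is not in this hunk, and `apply_default_conf` assigns `log_level = DEFAULT_LOG_LEVEL` on the non-reload path — if that runs after option parsing it resets `-d` too, which is worth confirming.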


@@ -45,13 +45,13 @@
#define MAX_WAIT_SECS 3
/* Debug definitions for logger */
#define DEBUG_BASIC 1
#define DEBUG_INFO 2
#define DEBUG_DEBUG 3
#define DEBUG_HTTP 4
#define DEBUG_TRANSFERRED 5
#define DEBUG_SENSITIVE 8
#define DEBUG_TLS 9
#define OCLOG_BASIC 1
#define OCLOG_INFO 2
#define OCLOG_DEBUG 3
#define OCLOG_HTTP 4
#define OCLOG_TRANSFERRED 5
#define OCLOG_SENSITIVE 8
#define OCLOG_TLS 9
/* Authentication states */
enum {


@@ -22,12 +22,12 @@
#include <stddef.h>
#include <string.h>
#include <unistd.h>
#include <syslog.h>
#include <common.h>
#include <ctype.h>
#include <wchar.h>
#include "html.h"
#include "log.h"
char *unescape_html(void *pool, const char *html, unsigned len, unsigned *out_len)
{
@@ -132,7 +132,7 @@ char *unescape_url(void *pool, const char *url, unsigned len, unsigned *out_len)
if (sscanf(b, "%02x", &u) <= 0) {
talloc_free(msg);
syslog(LOG_ERR, "%s: error parsing URL: %s", __func__, url);
oc_syslog(LOG_ERR, "%s: error parsing URL: %s", __func__, url);
return NULL;
}
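Review bot: The new error line logs the input with `%s` although `unescape_url` takes an explicit `len`, so it relies on the caller NUL-terminating the buffer and prints everything up to the terminator; `oc_syslog(LOG_ERR, "%s: error parsing URL: %.*s", __func__, (int)len, url);` honours the bound the function was given. Presumably this is the client-supplied request target, so its content is untrusted and an embedded newline or escape sequence reaches the log unfiltered — a concern that grows now that stderr is a supported sink and has no daemon in front of it to neutralise control characters; if the project has a helper that sanitises strings for logging it belongs here. The rest of unescape_url is outside the hunk.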


@@ -34,13 +34,13 @@ static void ip_from_seed(uint8_t *seed, unsigned seed_size,
int ret;
if (ip_size > sizeof(digest)) {
syslog(LOG_ERR, "too large IP!");
oc_syslog(LOG_ERR, "too large IP!");
abort();
}
ret = gnutls_hash_fast(GNUTLS_DIG_SHA1, seed, seed_size, digest);
if (ret < 0) {
syslog(LOG_ERR, "cannot hash: %s", strerror(ret));
oc_syslog(LOG_ERR, "cannot hash: %s", strerror(ret));
abort();
}
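Review bot: `strerror(ret)` is applied to a gnutls return code in `oc_syslog(LOG_ERR, "cannot hash: %s", strerror(ret));`, but `ret` is a negative `GNUTLS_E_*` value, so the text will be a meaningless "Unknown error -NN"; use `oc_syslog(LOG_ERR, "cannot hash: %s", gnutls_strerror(ret));` (the file already calls `gnutls_hash_fast`, so the header is in scope). Both branches `abort()` afterwards, which is reasonable for an invariant violation, but that makes this message the only diagnostic the operator gets. ip_from_seed continues outside the hunk.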


@@ -26,12 +26,12 @@
#include <stddef.h>
/* for inet_ntop */
#include <arpa/inet.h>
#include <syslog.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <sys/types.h>
#include <sys/socket.h>
#include "log.h"
int ip_cmp(const struct sockaddr_storage *s1, const struct sockaddr_storage *s2)
{
@@ -273,7 +273,7 @@ void set_mtu_disc(int fd, int family, int val)
#if defined(IPV6_DONTFRAG)
if (setsockopt(fd, IPPROTO_IPV6, IPV6_DONTFRAG,
(const void *) &y, sizeof(y)) < 0)
syslog(LOG_INFO, "setsockopt(IPV6_DF) failed");
oc_syslog(LOG_INFO, "setsockopt(IPV6_DF) failed");
#elif defined(IPV6_MTU_DISCOVER)
if (val)
y = IP_PMTUDISC_DO;
@@ -281,14 +281,14 @@ void set_mtu_disc(int fd, int family, int val)
y = IP_PMTUDISC_DONT;
if (setsockopt(fd, IPPROTO_IPV6, IPV6_MTU_DISCOVER,
(const void *) &y, sizeof(y)) < 0)
syslog(LOG_INFO, "setsockopt(IPV6_MTU_DISCOVER) failed");
oc_syslog(LOG_INFO, "setsockopt(IPV6_MTU_DISCOVER) failed");
#endif
} else {
y = val;
#if defined(IP_DONTFRAG)
if (setsockopt(fd, IPPROTO_IP, IP_DONTFRAG,
(const void *) &y, sizeof(y)) < 0)
syslog(LOG_INFO, "setsockopt(IP_DF) failed");
oc_syslog(LOG_INFO, "setsockopt(IP_DF) failed");
#elif defined(IP_MTU_DISCOVER)
if (val)
y = IP_PMTUDISC_DO;
@@ -296,7 +296,7 @@ void set_mtu_disc(int fd, int family, int val)
y = IP_PMTUDISC_DONT;
if (setsockopt(fd, IPPROTO_IP, IP_MTU_DISCOVER,
(const void *) &y, sizeof(y)) < 0)
syslog(LOG_INFO, "setsockopt(IP_MTU_DISCOVER) failed");
oc_syslog(LOG_INFO, "setsockopt(IP_MTU_DISCOVER) failed");
#endif
}
}
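Review bot: The four setsockopt failure messages in set_mtu_disc drop errno, so `EPERM`, `ENOPROTOOPT` and `EINVAL` are indistinguishable in the log; saving `int e = errno;` after the call and appending it, e.g. `oc_syslog(LOG_INFO, "setsockopt(IP_MTU_DISCOVER) failed: %s", strerror(e));`, costs nothing and matches the pattern the rest of this change uses. set_mtu_disc begins before the first hunk.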

108
src/log.c

@@ -1,5 +1,5 @@
/*
* Copyright (C) 2013 Nikos Mavrogiannopoulos
* Copyright (C) 2013-2023 Nikos Mavrogiannopoulos
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@@ -28,42 +28,60 @@
#include <worker.h>
#include <main.h>
#include <sec-mod.h>
#include "sec-mod.h"
#include "log.h"
/* Returns zero when the given priority is not sufficient
* for logging */
static unsigned check_priority(int *priority, int debug_prio)
* for logging. Updates the priority with */
static unsigned check_priority(int oc_priority, int log_prio, int *syslog_prio)
{
switch (*priority) {
switch (oc_priority) {
case LOG_ERR:
case LOG_WARNING:
case LOG_NOTICE:
if (syslog_prio)
*syslog_prio = oc_priority;
break;
case LOG_DEBUG:
if (debug_prio < DEBUG_DEBUG)
if (log_prio < OCLOG_DEBUG)
return 0;
if (syslog_prio)
*syslog_prio = oc_priority;
break;
case LOG_INFO:
if (debug_prio < DEBUG_INFO)
if (log_prio < OCLOG_INFO)
return 0;
if (syslog_prio)
*syslog_prio = oc_priority;
break;
case LOG_HTTP_DEBUG:
if (debug_prio < DEBUG_HTTP)
if (log_prio < OCLOG_HTTP)
return 0;
*priority = LOG_INFO;
if (syslog_prio)
*syslog_prio = LOG_DEBUG;
break;
case LOG_TRANSFER_DEBUG:
if (debug_prio < DEBUG_TRANSFERRED)
if (log_prio < OCLOG_TRANSFERRED)
return 0;
*priority = LOG_DEBUG;
if (syslog_prio)
*syslog_prio = LOG_DEBUG;
break;
case LOG_SENSITIVE:
if (debug_prio < DEBUG_SENSITIVE)
if (log_prio < OCLOG_SENSITIVE)
return 0;
*priority = LOG_DEBUG;
if (syslog_prio)
*syslog_prio = LOG_DEBUG;
break;
default:
syslog(LOG_DEBUG, "unknown log level %d", *priority);
syslog(LOG_DEBUG, "unknown log level %d", oc_priority);
if (syslog_prio)
*syslog_prio = LOG_DEBUG;
}
return 1;
@@ -76,15 +94,16 @@ void __attribute__ ((format(printf, 3, 4)))
char name[MAX_USERNAME_SIZE+MAX_HOSTNAME_SIZE+3];
const char* ip;
va_list args;
int debug_prio;
int log_prio;
unsigned have_vhosts;
int syslog_prio;
if (ws->vhost)
debug_prio = WSPCONFIG(ws)->debug;
log_prio = WSPCONFIG(ws)->log_level;
else
debug_prio = GETPCONFIG(ws)->debug;
log_prio = GETPCONFIG(ws)->log_level;
if (!check_priority(&priority, debug_prio))
if (!check_priority(priority, log_prio, &syslog_prio))
return;
ip = ws->remote_ip_str;
@@ -104,7 +123,7 @@ void __attribute__ ((format(printf, 3, 4)))
} else
name[0] = 0;
syslog(priority, "worker%s: %s %s", name, ip?ip:"[unknown]", buf);
oc_syslog(syslog_prio, "worker%s: %s %s", name, ip?ip:"[unknown]", buf);
}
/* proc is optional */
@@ -117,13 +136,14 @@ void __attribute__ ((format(printf, 4, 5)))
char name[MAX_USERNAME_SIZE+MAX_HOSTNAME_SIZE+3];
const char* ip = NULL;
va_list args;
int debug_prio = 1;
int log_prio = DEFAULT_LOG_LEVEL;
unsigned have_vhosts;
int syslog_prio;
if (s)
debug_prio = GETPCONFIG(s)->debug;
log_prio = GETPCONFIG(s)->log_level;
if (!check_priority(&priority, debug_prio))
if (!check_priority(priority, log_prio, &syslog_prio))
return;
if (proc) {
@@ -148,7 +168,7 @@ void __attribute__ ((format(printf, 4, 5)))
} else
name[0] = 0;
syslog(priority, "main%s:%s %s", name, ip?ip:"[unknown]", buf);
oc_syslog(syslog_prio, "main%s:%s %s", name, ip?ip:"[unknown]", buf);
}
void mslog_hex(const main_server_st * s, const struct proc_st* proc,
@@ -158,14 +178,12 @@ void mslog_hex(const main_server_st * s, const struct proc_st* proc,
int ret;
size_t buf_size;
gnutls_datum_t data = {bin, bin_size};
int debug_prio;
int log_prio = DEFAULT_LOG_LEVEL;
if (s)
debug_prio = GETPCONFIG(s)->debug;
else
debug_prio = 1;
log_prio = GETPCONFIG(s)->log_level;
if (priority == LOG_DEBUG && debug_prio == 0)
if (!check_priority(priority, log_prio, NULL))
return;
if (b64) {
@@ -187,14 +205,14 @@ void oclog_hex(const worker_st* ws, int priority,
int ret;
size_t buf_size;
gnutls_datum_t data = {bin, bin_size};
int debug_prio;
int log_prio;
if (ws->vhost)
debug_prio = WSPCONFIG(ws)->debug;
log_prio = WSPCONFIG(ws)->log_level;
else
debug_prio = GETPCONFIG(ws)->debug;
log_prio = GETPCONFIG(ws)->log_level;
if (priority == LOG_DEBUG && debug_prio == 0)
if (!check_priority(priority, log_prio, NULL))
return;
if (b64) {
@@ -216,8 +234,11 @@ void seclog_hex(const struct sec_mod_st* sec, int priority,
int ret;
size_t buf_size;
gnutls_datum_t data = {bin, bin_size};
int log_prio;
if (priority == LOG_DEBUG && GETPCONFIG(sec)->debug == 0)
log_prio = GETPCONFIG(sec)->log_level;
if (!check_priority(priority, log_prio, NULL))
return;
if (b64) {
@@ -231,3 +252,24 @@ void seclog_hex(const struct sec_mod_st* sec, int priority,
seclog(sec, priority, "%s %s", prefix, buf);
}
void __attribute__ ((format(printf, 3, 4)))
_seclog(const sec_mod_st* sec, int priority, const char *fmt, ...)
{
char buf[512];
va_list args;
int log_prio = DEFAULT_LOG_LEVEL;
int syslog_prio;
if (sec)
log_prio = GETPCONFIG(sec)->log_level;
if (!check_priority(priority, log_prio, &syslog_prio))
return;
va_start(args, fmt);
vsnprintf(buf, sizeof(buf), fmt, args);
va_end(args);
oc_syslog(syslog_prio, "sec-mod: %s", buf);
}
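Review bot: The `default:` arm of check_priority still calls the raw `syslog(LOG_DEBUG, "unknown log level %d", oc_priority);`, bypassing `oc_syslog`, so under `--log-stderr` that diagnostic goes to syslog rather than stderr, and because the function then returns 1 the message with the unknown level is still emitted; route it through `oc_syslog` and consider `return 0;` for unknown levels. The header comment on check_priority is cut off mid-sentence (`Updates the priority with`) — complete it as `Returns zero when the given priority is not sufficient for logging; otherwise stores the syslog(3) priority to use in *syslog_prio when it is non-NULL.` The hunks also change `LOG_HTTP_DEBUG` from LOG_INFO to LOG_DEBUG at the syslog level, which is sensible but deserves a NEWS line since it alters which daemon filters catch those messages. _mslog, _oclog, mslog_hex and oclog_hex span beyond the visible hunk boundaries.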

99
src/log.h Normal file

@@ -0,0 +1,99 @@
/*
* Copyright (C) 2023 Nikos Mavrogiannopoulos
*
* Author: Nikos Mavrogiannopoulos
*
* This file is part of ocserv.
*
* ocserv is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public License
* as published by the Free Software Foundation; either version 2.1 of
* the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>
*/
#ifndef OC_LOG_H
# define OC_LOG_H
#include <stdint.h>
#include <stdio.h>
#include <syslog.h>
extern int syslog_open;
#ifdef __GNUC__
# define oc_syslog(prio, fmt, ...) do { \
if (syslog_open) { \
syslog(prio, "sec-mod: "fmt, ##__VA_ARGS__); \
} else { \
fprintf(stderr, "sec-mod: "fmt, ##__VA_ARGS__); \
}} while(0)
#else
# define oc_syslog(prio, ...) do { \
if (syslog_open) { \
syslog(prio, __VA_ARGS__); \
} else { \
fprintf(stderr, __VA_ARGS__); \
}} while(0)
#endif
#ifdef UNDER_TEST
/* for testing */
# define mslog(...)
# define oclog(...)
# define seclog(...)
#else
struct main_server_st;
struct worker_st;
struct proc_st;
struct sec_mod_st;
void
__attribute__ ((format(printf, 4, 5)))
_mslog(const struct main_server_st * s, const struct proc_st* proc,
int priority, const char *fmt, ...);
void __attribute__ ((format(printf, 3, 4)))
_oclog(const struct worker_st * server, int priority, const char *fmt, ...);
void __attribute__ ((format(printf, 3, 4)))
_seclog(const struct sec_mod_st* sec, int priority, const char *fmt, ...);
# ifdef __GNUC__
# define mslog(s, proc, prio, fmt, ...) \
(prio==LOG_ERR)?_mslog(s, proc, prio, "%s:%d: "fmt, __FILE__, __LINE__, ##__VA_ARGS__): \
_mslog(s, proc, prio, fmt, ##__VA_ARGS__)
# define oclog(server, prio, fmt, ...) \
(prio==LOG_ERR)?_oclog(server, prio, "%s:%d: "fmt, __FILE__, __LINE__, ##__VA_ARGS__): \
_oclog(server, prio, fmt, ##__VA_ARGS__)
# define seclog(sec, prio, fmt, ...) \
(prio==LOG_ERR)?_seclog(sec, prio, "%s:%d: "fmt, __FILE__, __LINE__, ##__VA_ARGS__): \
_seclog(sec, prio, fmt, ##__VA_ARGS__)
# else
# define mslog _mslog
# define seclog _seclog
# define oclog _oclog
# endif
void mslog_hex(const struct main_server_st * s, const struct proc_st* proc,
int priority, const char *prefix, uint8_t* bin, unsigned bin_size, unsigned b64);
void oclog_hex(const struct worker_st* ws, int priority,
const char *prefix, uint8_t* bin, unsigned bin_size, unsigned b64);
void seclog_hex(const struct sec_mod_st* sec, int priority,
const char *prefix, uint8_t* bin, unsigned bin_size, unsigned b64);
#endif
#endif /* OC_LOG_H */
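Review bot: The `__GNUC__` variant of `oc_syslog` bakes a `"sec-mod: "` prefix into every message, yet the macro is now called from main.c, tlslib.c, tun.c and the sup-config parsers, and `_seclog` (visible just above this file) already formats its output with `"sec-mod: %s"`, so sec-mod lines come out double-prefixed while every other caller is mislabelled; the non-GNUC branch carries no prefix at all, so output also differs by compiler. Drop the prefix and let callers supply their own: `syslog(prio, fmt, ##__VA_ARGS__);` and `fprintf(stderr, fmt "\n", ##__VA_ARGS__);` (the `\n` matters because the stderr branch currently terminates nothing, so consecutive records run together). The stderr branch also discards `prio` and applies no priority filtering, so unless something filters earlier, LOG_DEBUG calls such as those in read_sup_config_file reach stderr at any configured log level and without a severity tag. A comment above the macro saying that it is the unfiltered sink for code that has no server/worker/sec-mod context, while level filtering lives in the `_seclog`-style wrappers, would help callers choose correctly.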


@@ -35,7 +35,6 @@
#include <sys/ioctl.h>
#include <sys/un.h>
#include <common.h>
#include <syslog.h>
#include <vpn.h>
#include <tlslib.h>
#include <main.h>


@@ -911,7 +911,7 @@ static void ctl_handle_commands(main_server_st * s)
goto fail;
}
ret = check_upeer_id("ctl", GETPCONFIG(s)->debug, cfd, 0, 0, NULL, NULL);
ret = check_upeer_id("ctl", GETPCONFIG(s)->log_level, cfd, 0, 0, NULL, NULL);
if (ret < 0) {
mslog(s, NULL, LOG_ERR, "ctl: unauthorized connection");
goto fail;
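Review bot: `check_upeer_id` now receives `log_level` in the argument slot that used to carry `debug`, but the two scales differ at their default: the `debug != 0` tests this commit removes from main.c treated zero as "off", whereas `DEFAULT_LOG_LEVEL` is 2, so any `!= 0` or low-threshold test inside `check_upeer_id` would now fire in a default configuration. The body of `check_upeer_id` is not part of this diff, so this is inferred; the same substitution appears in sec-mod.c (`check_upeer_id("sec-mod", GETPCONFIG(sec)->log_level, ...)`). Either confirm the comparison inside `check_upeer_id` was moved to the new scale, or pass the result of an explicit threshold comparison instead of the raw level. `ctl_handle_commands` starts outside the hunk.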


@@ -1451,13 +1451,16 @@ int main(int argc, char** argv)
exit(EXIT_FAILURE);
}
flags = LOG_PID|LOG_NDELAY;
if (GETPCONFIG(s)->syslog) {
flags = LOG_PID|LOG_NDELAY;
#ifdef LOG_PERROR
if (GETPCONFIG(s)->debug != 0)
flags |= LOG_PERROR;
if (GETPCONFIG(s)->log_stderr && GETPCONFIG(s)->syslog)
flags |= LOG_PERROR;
#endif
openlog("ocserv", flags, LOG_DAEMON);
syslog_open = 1;
openlog("ocserv", flags, LOG_DAEMON);
syslog_open = 1;
}
#ifdef HAVE_LIBWRAP
allow_severity = LOG_DAEMON|LOG_INFO;
deny_severity = LOG_DAEMON|LOG_WARNING;
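Review bot: `GETPCONFIG(s)->log_stderr && GETPCONFIG(s)->syslog` is evaluated inside the `if (GETPCONFIG(s)->syslog)` block, so the second operand is always true; the parallel block in the sec-mod `main` later in this diff tests `log_stderr` alone, and this one should match: `if (GETPCONFIG(s)->log_stderr)`. With neither option set, `syslog_open` stays 0 and, judging by `_seclog` and the `oc_syslog` macro, logging falls back to stderr by construction; that is presumably the intended "stderr only" mode, but a one-line comment on the `if (GETPCONFIG(s)->syslog)` line such as `/* without syslog, oc_syslog and friends write to stderr */` would make it explicit. `main` starts outside the hunk.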


@@ -52,6 +52,8 @@ extern char **saved_argv;
extern struct ev_loop *main_loop;
extern ev_timer maintainance_watcher;
#include "log.h"
#define MAIN_MAINTENANCE_TIME (900)
int cmd_parser (void *pool, int argc, char **argv, struct list_head *head, bool worker);
@@ -326,31 +328,6 @@ int send_udp_fd(main_server_st* s, struct proc_st * proc, int fd);
int session_open(sec_mod_instance_st * sec_mod_instance, struct proc_st *proc, const uint8_t *cookie, unsigned cookie_size);
int session_close(sec_mod_instance_st * sec_mod_instance, struct proc_st *proc);
#ifdef UNDER_TEST
/* for testing */
# define mslog(...)
#else
void
__attribute__ ((format(printf, 4, 5)))
_mslog(const main_server_st * s, const struct proc_st* proc,
int priority, const char *fmt, ...);
# ifdef __GNUC__
# define mslog(s, proc, prio, fmt, ...) \
(prio==LOG_ERR)?_mslog(s, proc, prio, "%s:%d: "fmt, __FILE__, __LINE__, ##__VA_ARGS__): \
_mslog(s, proc, prio, fmt, ##__VA_ARGS__)
# else
# define mslog _mslog
# endif
#endif
void mslog_hex(const main_server_st * s, const struct proc_st* proc,
int priority, const char *prefix, uint8_t* bin, unsigned bin_size, unsigned b64);
int open_tun(main_server_st* s, struct proc_st* proc);
void close_tun(main_server_st* s, struct proc_st* proc);
void reset_tun(struct proc_st* proc);


@@ -30,6 +30,8 @@
#include <locale.h>
#include <occtl/occtl.h>
int syslog_open = 0;
static int handle_reset_cmd(CONN_TYPE * conn, const char *arg, cmd_params_st *params);
static int handle_help_cmd(CONN_TYPE * conn, const char *arg, cmd_params_st *params);
static int handle_exit_cmd(CONN_TYPE * conn, const char *arg, cmd_params_st *params);


@@ -35,7 +35,6 @@
#include <sys/ioctl.h>
#include <sys/un.h>
#include <common.h>
#include <syslog.h>
#include <main.h>
#include <sec-mod.h>
#include <tlslib.h>
@@ -48,6 +47,7 @@
#include <gnutls/gnutls.h>
#include <gnutls/crypto.h>
#include <gnutls/abstract.h>
#include "log.h"
#define MAINTAINANCE_TIME 310
@@ -70,20 +70,20 @@ int pin_callback(void *user, int attempt, const char *token_url,
unsigned len;
if (flags & GNUTLS_PIN_FINAL_TRY) {
syslog(LOG_ERR,
oc_syslog(LOG_ERR,
"PIN callback: final try before locking; not attempting to unlock");
return -1;
}
if (flags & GNUTLS_PIN_WRONG) {
syslog(LOG_ERR,
oc_syslog(LOG_ERR,
"PIN callback: wrong PIN was entered for '%s' (%s)",
token_label, token_url);
return -1;
}
if (ps->pin[0] == 0) {
syslog(LOG_ERR,
oc_syslog(LOG_ERR,
"PIN required for '%s' but pin-file was not set",
token_label);
return -1;
@@ -97,7 +97,7 @@ int pin_callback(void *user, int attempt, const char *token_url,
}
if (srk != 0 && ps->srk_pin[0] == 0) {
syslog(LOG_ERR,
oc_syslog(LOG_ERR,
"PIN required for '%s' but srk-pin-file was not set",
token_label);
return -1;
@@ -105,7 +105,7 @@ int pin_callback(void *user, int attempt, const char *token_url,
len = strlen(p);
if (len > pin_max - 1) {
syslog(LOG_ERR, "Too long PIN (%u chars)", len);
oc_syslog(LOG_ERR, "Too long PIN (%u chars)", len);
return -1;
}
@@ -126,7 +126,7 @@ int load_pins(struct perm_cfg_st *config, struct pin_st *s)
if (config->srk_pin_file != NULL) {
fd = open(config->srk_pin_file, O_RDONLY);
if (fd < 0) {
syslog(LOG_ERR, "could not open SRK PIN file '%s'",
oc_syslog(LOG_ERR, "could not open SRK PIN file '%s'",
config->srk_pin_file);
return -1;
}
@@ -134,7 +134,7 @@ int load_pins(struct perm_cfg_st *config, struct pin_st *s)
ret = read(fd, s->srk_pin, sizeof(s->srk_pin) - 1);
close(fd);
if (ret <= 1) {
syslog(LOG_ERR, "could not read from PIN file '%s'",
oc_syslog(LOG_ERR, "could not read from PIN file '%s'",
config->srk_pin_file);
return -1;
}
@@ -147,7 +147,7 @@ int load_pins(struct perm_cfg_st *config, struct pin_st *s)
if (config->pin_file != NULL) {
fd = open(config->pin_file, O_RDONLY);
if (fd < 0) {
syslog(LOG_ERR, "could not open PIN file '%s'",
oc_syslog(LOG_ERR, "could not open PIN file '%s'",
config->pin_file);
return -1;
}
@@ -155,7 +155,7 @@ int load_pins(struct perm_cfg_st *config, struct pin_st *s)
ret = read(fd, s->pin, sizeof(s->pin) - 1);
close(fd);
if (ret <= 1) {
syslog(LOG_ERR, "could not read from PIN file '%s'",
oc_syslog(LOG_ERR, "could not read from PIN file '%s'",
config->pin_file);
return -1;
}
@@ -904,7 +904,7 @@ void sec_mod_server(void *main_pool, void *config_pool, struct list_head *vconfi
uid_t uid;
uint8_t *buffer;
int sd;
sec_mod_st *sec;
sec_mod_st *sec = NULL;
void *sec_mod_pool;
vhost_cfg_st *vhost = NULL;
fd_set rd_set;
@@ -1098,7 +1098,7 @@ void sec_mod_server(void *main_pool, void *config_pool, struct list_head *vconfi
/* do not allow unauthorized processes to issue commands
*/
ret = check_upeer_id("sec-mod", GETPCONFIG(sec)->debug, cfd,
ret = check_upeer_id("sec-mod", GETPCONFIG(sec)->log_level, cfd,
GETPCONFIG(sec)->uid, GETPCONFIG(sec)->gid,
&uid, &pid);
if (ret < 0) {


@@ -29,6 +29,7 @@
#include "common/common.h"
#include "vhost.h"
#include "log.h"
#define SESSION_STR "(session: %.6s)"
#define MAX_GROUPS 128
@@ -141,21 +142,6 @@ void del_client_entry(sec_mod_st *sec, client_entry_st * e);
void expire_client_entry(sec_mod_st *sec, client_entry_st * e);
void cleanup_client_entries(sec_mod_st *sec);
#ifdef __GNUC__
# define seclog(sec, prio, fmt, ...) { \
if (prio != LOG_DEBUG || GETPCONFIG(sec)->debug >= 3) { \
syslog(prio, "sec-mod: "fmt, ##__VA_ARGS__); \
}}
#else
# define seclog(sec,prio,...) { \
if (prio != LOG_DEBUG || GETPCONFIG(sec)->debug >= 3) { \
syslog(prio, __VA_ARGS__); \
}}
#endif
void seclog_hex(const struct sec_mod_st* sec, int priority,
const char *prefix, uint8_t* bin, unsigned bin_size, unsigned b64);
void sec_auth_init(struct vhost_cfg_st *vhost);
void handle_secm_list_cookies_reply(void *pool, int fd, sec_mod_st *sec);


@@ -1,5 +1,5 @@
/*
* Copyright (C) 2013 Nikos Mavrogiannopoulos
* Copyright (C) 2013-2023 Nikos Mavrogiannopoulos
* Copyright (C) 2014, 2015 Red Hat, Inc.
*
* This program is free software; you can redistribute it and/or modify
@@ -32,6 +32,7 @@
#include <ctype.h>
#include "inih/ini.h"
#include "log.h"
#include <vpn.h>
#include <main.h>
@@ -92,7 +93,7 @@ static int group_cfg_ini_handler(void *_ctx, const char *section, const char *na
char *value;
if (section != NULL && section[0] != 0) {
syslog(LOG_INFO, "skipping unknown section '%s' in %s", section, file);
oc_syslog(LOG_INFO, "skipping unknown section '%s' in %s", section, file);
return 1;
}
@@ -145,7 +146,7 @@ static int group_cfg_ini_handler(void *_ctx, const char *section, const char *na
prefix = extract_prefix(msg->config->ipv6_net);
if (prefix != 0) {
if (valid_ipv6_prefix(prefix) == 0) {
syslog(LOG_ERR, "unknown ipv6-prefix '%u' in %s", msg->config->ipv6_prefix, file);
oc_syslog(LOG_ERR, "unknown ipv6-prefix '%u' in %s", msg->config->ipv6_prefix, file);
}
msg->config->ipv6_prefix = prefix;
msg->config->has_ipv6_prefix = 1;
@@ -197,7 +198,7 @@ static int group_cfg_ini_handler(void *_ctx, const char *section, const char *na
return 0;
}
} else {
syslog(LOG_INFO, "skipping unknown option '%s' in %s", name, file);
oc_syslog(LOG_INFO, "skipping unknown option '%s' in %s", name, file);
}
talloc_free(value);
@@ -224,9 +225,9 @@ int parse_group_cfg_file(struct cfg_st *global_config,
ret = ini_parse(file, group_cfg_ini_handler, &ctx);
if (ret != 0) {
if (ret > 0)
syslog(LOG_ERR, "error in line %d of config file %s", ret, file);
oc_syslog(LOG_ERR, "error in line %d of config file %s", ret, file);
else
syslog(LOG_ERR, "cannot load config file %s", file);
oc_syslog(LOG_ERR, "cannot load config file %s", file);
return 0;
}
@@ -264,7 +265,7 @@ static int read_sup_config_file(struct cfg_st *global_config,
int ret;
if (access(file, R_OK) == 0) {
syslog(LOG_DEBUG, "Loading %s configuration '%s'", type,
oc_syslog(LOG_DEBUG, "Loading %s configuration '%s'", type,
file);
ret = parse_group_cfg_file(global_config, msg, pool, file);
@@ -272,7 +273,7 @@ static int read_sup_config_file(struct cfg_st *global_config,
return ERR_READ_CONFIG;
} else {
if (fallback != NULL) {
syslog(LOG_DEBUG, "Loading default %s configuration '%s'", type, fallback);
oc_syslog(LOG_DEBUG, "Loading default %s configuration '%s'", type, fallback);
ret = parse_group_cfg_file(global_config, msg, pool, fallback);
if (ret < 0)
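Review bot: The rewritten `oc_syslog(LOG_ERR, "unknown ipv6-prefix '%u' in %s", ...)` line prints `msg->config->ipv6_prefix`, which still holds the value from before this check, while the value that failed `valid_ipv6_prefix()` is `prefix`; it should read `oc_syslog(LOG_ERR, "unknown ipv6-prefix '%u' in %s", prefix, file);`. Note that the invalid prefix is still stored into `msg->config->ipv6_prefix` two lines later and the handler carries on, so this log line is the only trace of the bad input; whether the entry should be rejected instead is a separate decision for the author. `group_cfg_ini_handler` starts outside the hunk.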


@@ -1,4 +1,5 @@
/*
* Copyright (C) 2013-2023 Nikos Mavrogiannopoulos
* Copyright (C) 2014 Red Hat, Inc.
*
* This program is free software; you can redistribute it and/or modify
@@ -35,6 +36,7 @@
#include <main.h>
#include <sec-mod-sup-config.h>
#include <auth/radius.h>
#include "log.h"
static int get_sup_config(struct cfg_st *cfg, client_entry_st *entry,
SecmSessionReplyMsg *msg, void *pool)
@@ -67,11 +69,11 @@ static int get_sup_config(struct cfg_st *cfg, client_entry_st *entry,
for (i=0;i<pctx->routes_size;i++) {
msg->config->routes[i] = talloc_strdup(pool, pctx->routes[i]);
if (msg->config->routes[i] == NULL) {
syslog(LOG_ERR, "Error allocating memory for routes");
oc_syslog(LOG_ERR, "Error allocating memory for routes");
return -1;
}
if (ip_route_sanity_check(msg->config->routes, &msg->config->routes[i]) < 0) {
syslog(LOG_ERR, "Route '%s' is malformed", msg->config->routes[i]);
oc_syslog(LOG_ERR, "Route '%s' is malformed", msg->config->routes[i]);
return -1;
}
}


@@ -47,6 +47,7 @@
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <ctype.h>
#include "log.h"
#ifndef UNDER_TEST
static void tls_reload_ocsp(main_server_st* s, struct vhost_cfg_st *vhost);
@@ -435,7 +436,7 @@ void tls_cache_deinit(tls_sess_db_st* db)
#ifndef UNDER_TEST
static void tls_log_func(int level, const char *str)
{
syslog(LOG_DEBUG, "TLS[<%d>]: %s", level, str);
oc_syslog(LOG_DEBUG, "TLS[<%d>]: %s", level, str);
}
#endif /* UNDER_TEST */
@@ -445,9 +446,9 @@ static void tls_audit_log_func(gnutls_session_t session, const char *str)
(void)(ws);
if (session == NULL)
syslog(LOG_NOTICE, "warning: %s", str);
else {
if (session == NULL) {
oc_syslog(LOG_NOTICE, "warning: %s", str);
} else {
ws = gnutls_session_get_ptr(session);
oclog(ws, LOG_NOTICE, "warning: %s", str);
@@ -463,7 +464,7 @@ static int verify_certificate_cb(gnutls_session_t session)
ws = gnutls_session_get_ptr(session);
if (ws == NULL) {
syslog(LOG_ERR, "%s:%d: could not obtain worker state", __func__, __LINE__);
oc_syslog(LOG_ERR, "%s:%d: could not obtain worker state", __func__, __LINE__);
return -1;
}
@@ -690,14 +691,14 @@ int key_cb_common_func (gnutls_privkey_t key, void* userdata, const gnutls_datum
sd = socket(AF_UNIX, SOCK_STREAM, 0);
if (sd == -1) {
e = errno;
syslog(LOG_ERR, "error opening socket: %s", strerror(e));
oc_syslog(LOG_ERR, "error opening socket: %s", strerror(e));
return GNUTLS_E_INTERNAL_ERROR;
}
ret = connect(sd, (struct sockaddr *)&cdata->sa, cdata->sa_len);
if (ret == -1) {
e = errno;
syslog(LOG_ERR, "error connecting to sec-mod socket '%s': %s",
oc_syslog(LOG_ERR, "error connecting to sec-mod socket '%s': %s",
cdata->sa.sun_path, strerror(e));
goto error;
}
@@ -721,7 +722,7 @@ int key_cb_common_func (gnutls_privkey_t key, void* userdata, const gnutls_datum
DEFAULT_SOCKET_TIMEOUT);
if (ret < 0) {
e = errno;
syslog(LOG_ERR, "error receiving sec-mod reply: %s",
oc_syslog(LOG_ERR, "error receiving sec-mod reply: %s",
strerror(e));
goto error;
}
@@ -731,7 +732,7 @@ int key_cb_common_func (gnutls_privkey_t key, void* userdata, const gnutls_datum
output->size = reply->data.len;
output->data = gnutls_malloc(reply->data.len);
if (output->data == NULL) {
syslog(LOG_ERR, "error allocating memory");
oc_syslog(LOG_ERR, "error allocating memory");
goto error;
}
@@ -915,7 +916,7 @@ unsigned need_file_reload(const char *file, time_t last_access)
ret = stat(file, &st);
if (ret == -1) {
e = errno;
syslog(LOG_INFO, "file %s (to be reloaded) was not found: %s",
oc_syslog(LOG_INFO, "file %s (to be reloaded) was not found: %s",
file, strerror(e));
return 0;
}
@@ -955,7 +956,7 @@ void tls_load_files(main_server_st *s, struct vhost_cfg_st *vhost)
mslog(s, NULL, LOG_INFO, "reloading server certificates");
}
if (vhost->perm_config.debug >= DEBUG_TLS) {
if (vhost->perm_config.log_level >= OCLOG_TLS) {
gnutls_global_set_log_function(tls_log_func);
gnutls_global_set_log_level(9);
}


@@ -68,10 +68,6 @@ size_t tls_get_overhead(gnutls_protocol_t, gnutls_cipher_algorithm_t, gnutls_mac
#define GNUTLS_FATAL_ERR DTLS_FATAL_ERR
#ifdef UNDER_TEST
# define syslog_open 0
#endif
#define GNUTLS_ALERT_PRINT(ws, session, err) { \
if (err == GNUTLS_E_FATAL_ALERT_RECEIVED || err == GNUTLS_E_WARNING_ALERT_RECEIVED) { \
oclog(ws, LOG_NOTICE, "TLS alert (at %s:%d): %s", __FILE__, __LINE__, gnutls_alert_get_name(gnutls_alert_get(session))); \


@@ -48,6 +48,7 @@
#include <main.h>
#include <ccan/list/list.h>
#include "vhost.h"
#include "log.h"
#if defined(__FreeBSD__) || defined(__OpenBSD__) || defined(__DragonFly__)
# include <net/if_var.h>
@@ -853,7 +854,7 @@ ssize_t tun_write(int sockfd, const void *buf, size_t len)
else {
if (!complained) {
complained = 1;
syslog(LOG_ERR, "tun_write: Unknown packet (len %d) received %02x %02x %02x %02x...\n",
oc_syslog(LOG_ERR, "tun_write: Unknown packet (len %d) received %02x %02x %02x %02x...\n",
(int)len, data[0], data[1], data[2], data[3]);
}
return -1;
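Review bot: The format string in the rewritten `oc_syslog` call keeps a trailing `\n`; none of the other messages this commit routes through `oc_syslog` carry one, and on the syslog path the newline is handed to the logging daemon as part of the record rather than acting as a terminator. Drop it for consistency: `oc_syslog(LOG_ERR, "tun_write: Unknown packet (len %d) received %02x %02x %02x %02x...",`. `tun_write` starts outside the hunk.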


@@ -1,5 +1,5 @@
/*
* Copyright (C) 2013-2017 Nikos Mavrogiannopoulos
* Copyright (C) 2013-2023 Nikos Mavrogiannopoulos
*
* Author: Nikos Mavrogiannopoulos
*
@@ -91,6 +91,8 @@ inline static const char *proto_to_str(fw_proto_t proto)
return proto2str[proto];
}
#define DEFAULT_LOG_LEVEL 2
/* Banning works with a point system. A wrong password
* attempt gives you PASSWORD_POINTS, and you are banned
* when the maximum ban score is reached.
@@ -111,7 +113,6 @@ inline static const char *proto_to_str(fw_proto_t proto)
/* The time after a disconnection the cookie is valid */
#define DEFAULT_COOKIE_RECON_TIMEOUT 120
#define DEFAULT_DPD_TIME 600
#define AC_PKT_DATA 0 /* Uncompressed data */
@@ -396,7 +397,10 @@ struct perm_cfg_st {
unsigned int stats_reset_time;
unsigned foreground;
unsigned no_chdir;
unsigned debug;
unsigned log_level;
unsigned log_stderr;
unsigned syslog;
unsigned pr_dumpable;
char *ca;
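Review bot: `DEFAULT_LOG_LEVEL` and the new `log_stderr`/`syslog` fields of `struct perm_cfg_st` are added without any comment, and the numeric level scale is not explained anywhere in this header. From `_seclog` earlier in this diff the define is the fallback threshold when no configuration is at hand, so `#define DEFAULT_LOG_LEVEL 2 /* fallback log threshold when no perm config is available */` would say what it is for; for the fields, `unsigned log_stderr; /* mirror log output to stderr (LOG_PERROR when syslog is open) */` and `unsigned syslog; /* open syslog; when 0 all logging goes to stderr */` capture what the two `main` functions in this commit do with them. The struct is cut at both ends of the hunk.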


@@ -310,7 +310,7 @@ void header_value_check(struct worker_st *ws, struct http_req_st *req)
if (req->value.length <= 0)
return;
if (WSPCONFIG(ws)->debug < DEBUG_SENSITIVE && header_is_sensitive(&req->header))
if (WSPCONFIG(ws)->log_level < OCLOG_SENSITIVE && header_is_sensitive(&req->header))
oclog(ws, LOG_HTTP_DEBUG, "HTTP processing: %.*s: (censored)", (int)req->header.length,
req->header.data);
else
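Review bot: Censoring of sensitive headers now hinges on `log_level < OCLOG_SENSITIVE`, while the level this compares against moved from a `debug` value whose default this commit treated as 0 (see the removed `debug != 0` checks) to `DEFAULT_LOG_LEVEL`, which is 2. `OCLOG_SENSITIVE` is not defined in this diff, so please confirm it is strictly greater than `DEFAULT_LOG_LEVEL`; otherwise the headers that `header_is_sensitive()` flags would be logged uncensored in a default configuration. Pinning the invariant where the constants are defined, e.g. `_Static_assert(OCLOG_SENSITIVE > DEFAULT_LOG_LEVEL, "logging sensitive headers must be opt-in");`, keeps it from regressing silently. `header_value_check` starts and ends outside the hunk.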


@@ -155,13 +155,16 @@ int main(int argc, char **argv)
snapshot_terminate(config_snapshot);
config_snapshot = NULL;
flags = LOG_PID | LOG_NDELAY;
if (GETPCONFIG(s)->syslog) {
flags = LOG_PID | LOG_NDELAY;
#ifdef LOG_PERROR
if (GETPCONFIG(s)->debug != 0)
flags |= LOG_PERROR;
if (GETPCONFIG(s)->log_stderr)
flags |= LOG_PERROR;
#endif
openlog("ocserv", flags, LOG_DAEMON);
syslog_open = 1;
openlog("ocserv", flags, LOG_DAEMON);
syslog_open = 1;
}
#ifdef HAVE_LIBWRAP
allow_severity = LOG_DAEMON | LOG_INFO;
deny_severity = LOG_DAEMON | LOG_WARNING;


@@ -41,6 +41,8 @@
#include "ev.h"
#include "common/common.h"
#include "log.h"
// Name of environment variable used to pass worker_startup_msg
// between ocserv-main and ocserv-worker.
#define OCSERV_ENV_WORKER_STARTUP_MSG "OCSERV_WORKER_STARTUP_MSG"
@@ -362,25 +364,6 @@ int get_cert_names(worker_st * ws, const gnutls_datum_t * raw);
void set_resume_db_funcs(gnutls_session_t);
void __attribute__ ((format(printf, 3, 4)))
_oclog(const worker_st * server, int priority, const char *fmt, ...);
#ifdef UNDER_TEST
# define oclog(...)
#else
# ifdef __GNUC__
# define oclog(server, prio, fmt, ...) \
(prio==LOG_ERR)?_oclog(server, prio, "%s:%d: "fmt, __FILE__, __LINE__, ##__VA_ARGS__): \
_oclog(server, prio, fmt, ##__VA_ARGS__)
# else
# define oclog _oclog
# endif
#endif
void oclog_hex(const worker_st* ws, int priority,
const char *prefix, uint8_t* bin, unsigned bin_size, unsigned b64);
typedef int (*url_handler_fn) (worker_st *, unsigned http_ver);
int http_url_cb(http_parser * parser, const char *at, size_t length);
int http_header_value_cb(http_parser * parser, const char *at, size_t length);


@@ -30,6 +30,8 @@
#include "../src/ip-util.h"
#include "../src/main-ban.c"
int syslog_open = 0;
/* Test the IP banning functionality */
static
unsigned check_if_banned_str(main_server_st *s, const char *ip)


@@ -36,6 +36,8 @@ static unsigned verbose = 0;
#include "../src/tlslib.c"
int syslog_open = 0;
int get_cert_names(worker_st * ws, const gnutls_datum_t * raw)
{
return 0;


@@ -27,6 +27,8 @@
#include "../src/html.c"
#include "../src/common/common.h"
int syslog_open = 0;
static char *strings[] =
{
"hello there",


@@ -25,6 +25,8 @@
#include "../src/ip-util.h"
#include "../src/ip-util.c"
int syslog_open = 0;
static unsigned ip_to_sockaddr(const char *ip, unsigned port, struct sockaddr_storage *ss)
{
int ret;


@@ -23,6 +23,8 @@
#include "../src/ip-util.h"
#include "../src/ip-util.c"
int syslog_open = 0;
int main(void)
{
char *p;


@@ -23,6 +23,8 @@
#include "../src/ip-util.h"
#include "../src/ip-util.c"
int syslog_open = 0;
static char* my_ipv6_prefix_to_mask(char str[MAX_IP_STR], unsigned prefix)
{
struct in6_addr in;


@@ -28,6 +28,8 @@
#include "../src/config-ports.c"
#include "../src/ipc.pb-c.h"
int syslog_open = 0;
#define reset(x,y) { \
talloc_free(x); \
x = NULL; \


@@ -26,6 +26,8 @@
#include "../src/html.h"
#include "../src/html.c"
int syslog_open = 0;
static char *strings[] =
{
"Laguna+Beach",