Remove spaces

* Remove trailing spaces at end-of-line
* Remove blank lines at end-of-file

Signed-off-by: Dimitri Papadopoulos <3234522+DimitriPapadopoulos@users.noreply.github.com>
Dimitri Papadopoulos
2022-11-28 08:31:12 +01:00
parent 03b71ca57f
commit f28669bf60
169 changed files with 1321 additions and 1402 deletions


@@ -4,7 +4,7 @@
tasks from our [planned list](https://gitlab.com/ocserv/ocserv/milestones),
or surprise us with enhancement we didn't plan for. In all cases be prepared
to defend and justify your enhancements, and get through few rounds
of changes.
of changes.
We try to stick to the following rules, so when contributing please
try to follow them too.
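Review bot: since this file is the contribution guideline, consider adding the rule this commit enforces (no trailing whitespace, no blank lines at end of file) to the list of rules that follows, and backing it with a `.editorconfig` (`trim_trailing_whitespace = true`, `insert_final_newline = true`) or a pre-commit hook so the cleanup is not undone by the next patch; `git diff --check` is a cheap way to verify incoming patches against it.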
@@ -13,11 +13,11 @@ try to follow them too.
## Git commits:
Note that when contributing code you will need to assert that the contribution is
in accordance to the "Developer's Certificate of Origin" as found in the
in accordance to the "Developer's Certificate of Origin" as found in the
file [DCO.txt](doc/DCO.txt).
To indicate that, make sure that your contributions (patches or merge requests),
contain a "Signed-off-by" line, with your real name and e-mail address.
contain a "Signed-off-by" line, with your real name and e-mail address.
To automate the process use "git am -s" to produce patches and/or set the
a template to simplify this process, as follows.
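Review bot: unrelated to the whitespace fix, the surrounding text has two wording slips worth a follow-up commit rather than folding into this one: "in accordance to" should read "in accordance with", and "set the a template" has a stray "the".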

21
NEWS

@@ -148,7 +148,7 @@
* Version 0.12.0 (released 2018-04-22)
- Allow DTLS stream to come from different IP from TLS stream.
There are situations where internet providers send the UDP
There are situations where internet providers send the UDP
stream from different IP (#61).
- Increased possibilities of allowed combinations of authentication
methods (#108).
@@ -218,7 +218,7 @@
- Enhanced the cert-user-oid config option to read the SAN(rfc822name) value.
In that case, the username will be read from the subject alternative
name of the certificate rather than the DN. Based on patch by Johannes Sjøkvist.
- Do not log the real internal session ID as part of occtl or radius,
- Do not log the real internal session ID as part of occtl or radius,
but instead log a masked value. That ensures that access to log files or
radius is not sufficient to access an existing session.
- radius: Handle the special Framed-IP-Address values 255.255.255.254 and
@@ -362,7 +362,7 @@
only a specific service to a specific server.
- Switched to an event-driven design in main; using libev
- occtl: Added the show events command to allow viewing the users connecting in
real time.
real time.
* Version 0.10.9 (released 2015-10-07)
@@ -537,7 +537,7 @@
- Configuration option 'use-seccomp' was replaced by 'isolate-workers',
which in addition to seccomp it enables the Linux namespaces restrictions.
- Added support for stateless compression using LZ4 and LZS. This
is disabled by default.
is disabled by default.
* Version 0.8.9 (released 2014-12-10)
@@ -754,7 +754,7 @@
- Better display of IP addresses in log messages.
- Added the use-dbus configuration option. It can be used to disable
the D-BUS service (and thus the usage of the occtl utility).
- Added (optional) dependency on protocolbuffer-c, allowing a simpler
- Added (optional) dependency on protocolbuffer-c, allowing a simpler
handling and easier extension of the internal IPC protocol.
- Added configuration option cisco-client-compat which if enabled
it allows a client to authenticate by sending its credentials in
@@ -805,7 +805,7 @@
setting bandwidth limitations globally or per group/user.
- Call setgroups() after setgid() to avoid propagation of supplementary groups
to the unprivileged worker processes.
- If a system's libopts is available as well as automake then the system's
- If a system's libopts is available as well as automake then the system's
libopts will be used.
- Added --pid-file command line option to ocserv. This overrides any
configured pid-file.
@@ -833,7 +833,7 @@
- Instead of suggesting different DTLS and CSTP MTU values, suggest a single
value to the peer. That avoids issues with openconnect which reads one of
the suggested values and ignores the other.
- Added config option "output-buffer" to allow selecting between high throughput
- Added config option "output-buffer" to allow selecting between high throughput
or low latency (following similar openconnect change).
- Enabled config option "mtu".
- Configuration file parsing was modified to allow detecting misspellings of
@@ -848,7 +848,7 @@
* Version 0.1.5 (released 2013-07-15)
- More robust support of PAM by allowing more than one factor
- More robust support of PAM by allowing more than one factor
authentication. In practice this allows authentication with more than
one password (e.g., with a permanent one and an one time password), as
well as changing the password.
@@ -909,11 +909,11 @@
* Version 0.0.2 (released 2013-03-05)
- Updated HTTP protocol handling (fixes issue with openconnect < 4).
- Updated HTTP protocol handling (fixes issue with openconnect < 4).
Reported by Mike Miller.
- Use TCP wrappers (libwrap) when present.
- Fixed issue with the 'local' keyword in DNS server.
- Added configuration options 'user-profile' and 'always-require-cert' to
- Added configuration options 'user-profile' and 'always-require-cert' to
enable non-openconnect clients to connect. They are enabled with
the configure option --enable-anyconnect-compat.
- Allow setting a rate limit on the number of connections.
@@ -927,4 +927,3 @@
* Version 0.0.1 (released 2013-02-20)
- First public release


@@ -5,7 +5,7 @@ VPN server designed for organizations that require a remote access
VPN with enterprise user management and control. It follows
the [openconnect protocol](https://gitlab.com/openconnect/protocol)
and is the counterpart of the [openconnect VPN client](http://www.infradead.org/openconnect/).
It is also compatible with CISCO's AnyConnect SSL VPN.
It is also compatible with CISCO's AnyConnect SSL VPN.
The program consists of:
1. ocserv, the main server application


@@ -288,7 +288,7 @@ AC_LINK_IFELSE([AC_LANG_PROGRAM([
AC_DEFINE([HAVE_PAM], 1, [Enable the PAM library])],
[AC_MSG_RESULT(no)
AC_MSG_WARN([[
***
***
*** libpam was not found. PAM support will be disabled.
*** ]])])
LIBS="$oldlibs"
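Review bot: these `***` lines sit inside the `AC_MSG_WARN([[ ... ]])` quoted block, so the trailing space being removed was part of the text that configure prints, not only source whitespace; the change is harmless (a bare `***` line either way), but note that this hunk and the three like it below alter emitted warning output rather than code, which is worth a word in the commit message.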
@@ -332,7 +332,7 @@ if test "$test_for_radius" = yes;then
AC_DEFINE([LEGACY_RADIUS], 1, [Enable the legacy library support])],
[AC_MSG_RESULT(no)
AC_MSG_WARN([[
***
***
*** radcli 1.2.1 or later was not found. Radius support will be disabled.
*** See http://radcli.github.io/radcli/
*** ]])])
@@ -479,7 +479,7 @@ AC_LINK_IFELSE([AC_LANG_PROGRAM([
with_local_http_parser=no],
[AC_MSG_RESULT(no)
AC_MSG_WARN([[
***
***
*** libhttp-parser not found.
*** An included version of the library will be used.
*** ]])])
@@ -609,7 +609,7 @@ AC_LINK_IFELSE([AC_LANG_PROGRAM([
with_local_pcl=no],
[AC_MSG_RESULT(no)
AC_MSG_WARN([[
***
***
*** libpcl (portable co-routines) was not found.
*** An included version of the library will be used.
*** ]])])
@@ -708,7 +708,7 @@ Summary of build options:
CWrap testing: ${have_cwrap}
CWrap PAM testing: ${have_cwrap_pam}
CWrap NSS testing: ${have_cwrap_nss}
PAM auth backend: ${pam_enabled}
Radius auth backend: ${radius_enabled}
GSSAPI auth backend: ${enable_gssapi}
@@ -750,5 +750,3 @@ if test "x${isolation}" = xnone;then
*** will not be isolated. Only seccomp is supported (see src/worker-privs.c)
*** ]])
fi


@@ -84,4 +84,4 @@ You can view the contents of the token using <https://jwt.ms>.
|iat|Mon Feb 17 2020 15:58:57 GMT-0700 (Mountain Standard Time)|The "iat" (issued at) claim identifies the time at which the JWT was issued. This claim can be used to determine the age of the JWT. [RFC 7519, Section 4.1.6]|
|nbf|Mon Feb 17 2020 15:58:57 GMT-0700 (Mountain Standard Time)|The "nbf" (not before) claim identifies the time before which the JWT MUST NOT be accepted for processing. Implementers MAY provide for some small leeway, usually no more than a few minutes, to account for clock skew. [RFC 7519, Section 4.1.5]|
|exp|Mon Feb 17 2020 16:59:57 GMT-0700 (Mountain Standard Time)|The "exp" (expiration time) claim identifies the expiration time on or after which the JWT MUST NOT be accepted for processing. Implementers MAY provide for some small leeway, usually no more than a few minutes, to account for clock skew. [RFC 7519, Section 4.1.4]|
|preferred_username|SomeUser|Shorthand name by which the End-User wishes to be referred to at the RP, such as janedoe or j.doe. This value MAY be any valid JSON string including special characters such as @, /, or whitespace. The RP MUST NOT rely upon this value being unique, as discussed in OpenID Connect Core 1.0 Section 5.7. [OpenID Connect Core 1.0, Section 5.1]|
|preferred_username|SomeUser|Shorthand name by which the End-User wishes to be referred to at the RP, such as janedoe or j.doe. This value MAY be any valid JSON string including special characters such as @, /, or whitespace. The RP MUST NOT rely upon this value being unique, as discussed in OpenID Connect Core 1.0 Section 5.7. [OpenID Connect Core 1.0, Section 5.1]|


@@ -1,6 +1,6 @@
# Intro
To enforce isolation between clients and with the authenticating process,
To enforce isolation between clients and with the authenticating process,
ocserv consists of 3 components; the main process, the security module and
the worker processes. The following sections describe the purpose and tasks
assigned to each component, and the last section describes the communication
@@ -15,11 +15,11 @@ See https://ocserv.gitlab.io/www/technical.html
## The main process
The main component consists of the process which is tasked to:
* Listen for incoming TCP connections and fork/exec a new worker process
to handle it. - See main.c
* State is passed between main process and worker via an environment
* State is passed between main process and worker via an environment
variable.
* Listen for incoming UDP "connections" and forward the packet stream
@@ -57,7 +57,7 @@ leaked during a fork(). It handles:
* Partial certificate authentication. A user certificate received by the
worker process, is verified by it, and on its SM_CMD_AUTH_INIT message
it indicates the verification status. The security module approves,
it indicates the verification status. The security module approves,
and performs any other authentication method necessary.
* Gatekeeper for accounting information keeping and reporting. That is
@@ -107,7 +107,7 @@ device and the client. The tasks handled are:
* Authentication
```
```
main sec-mod worker
| | |
| | <--SEC_AUTH_INIT--- |
@@ -151,7 +151,7 @@ device and the client. The tasks handled are:
This is the same diagram as above but shows how the session ID (SID)
is assigned and used throughout the server.
```
```
main sec-mod worker
| | |
| | <--SEC_AUTH_INIT--- |
@@ -209,7 +209,7 @@ The ocserv server gathers statistical data about the latency incurred while proc
## Load Balancer integration
Ocserv can be deployed behind a layer 3 load balancer to support high availability and scale.
Ocserv can be deployed behind a layer 3 load balancer to support high availability and scale.
### Example load balancer configuration using keepalived.
This is not intended as an exhaustive guide to configuring keepalived, but rather as a high level overview.
@@ -253,4 +253,4 @@ virtual_server fwmark 1 {
* Set ocserv option "server-drain-ms = 10000" (2 times the health check interval) to permit graceful shutdown of ocserv instances. This setting adds a delay between the time when the server stops accepting new connections (which causes the load balancer to view it as unhealthy) and when existing clients are disconnected. This prevents clients from attempting to reconnect to a server that is shutting down or has recently shutdown.
* Notes on sizing the HA cluster. Best practices for high availability are to maintain a minimum of two spare nodes as this permits for one node to be undergoing maintenance and for an unplanned failure on a second node. Each node should be sized to account for a rapid reconnect of all clients, which will cause a spike of CPU utilization due to TLS key exchange. The rate-limit-ms can be used to flatten the spike at the expense of some clients retrying their connections.
* Notes on sizing the HA cluster. Best practices for high availability are to maintain a minimum of two spare nodes as this permits for one node to be undergoing maintenance and for an unplanned failure on a second node. Each node should be sized to account for a rapid reconnect of all clients, which will cause a spike of CPU utilization due to TLS key exchange. The rate-limit-ms can be used to flatten the spike at the expense of some clients retrying their connections.


@@ -9,7 +9,7 @@
## DESCRIPTION
This a control tool that can be used to send commands to ocserv. When
called without any arguments the tool can be used interactively, where
called without any arguments the tool can be used interactively, where
each command is entered on a command prompt; alternatively the tool
can be called with the command specified as parameter. In the latter
case the tool's exit code will reflect the successful execution of


@@ -73,4 +73,3 @@ This program is released under the terms of the GNU General Public License, vers
## AUTHORS
Written by Nikos Mavrogiannopoulos. Many people have
contributed to it.


@@ -4,7 +4,7 @@
**ocserv** [options] -c [config]
OpenConnect VPN server (ocserv) is a VPN server compatible with the
OpenConnect VPN client. It follows the AnyConnect VPN protocol which
OpenConnect VPN client. It follows the AnyConnect VPN protocol which
is used by several CISCO routers.
@@ -12,26 +12,26 @@ is used by several CISCO routers.
This a standalone server that reads a configuration file (see below for more details),
and waits for client connections. Log messages are redirected to daemon facility.
The server maintains two connections/channels with the client. The main VPN
channel is established over TCP, HTTP and TLS. This is the control channel as well
as the backup data channel. After its establishment a UDP channel using DTLS
is initiated which serves as the main data channel. If the UDP channel fails
to establish or is temporarily unavailable the backup channel over TCP/TLS
The server maintains two connections/channels with the client. The main VPN
channel is established over TCP, HTTP and TLS. This is the control channel as well
as the backup data channel. After its establishment a UDP channel using DTLS
is initiated which serves as the main data channel. If the UDP channel fails
to establish or is temporarily unavailable the backup channel over TCP/TLS
is being used.
This server supports multiple authentication methods,
including PAM and certificate authentication. Authenticated users are
assigned an unprivileged worker process and obtain a networking (tun) device
including PAM and certificate authentication. Authenticated users are
assigned an unprivileged worker process and obtain a networking (tun) device
and an IP from a configurable pool of addresses.
Once authenticated, the server provides the client with an IP address and a list
of routes that it may access. In order to allow high-speed transfers the
server does not process or filter packets. It is expected that the server has
or will set up any required routes or firewall rules.
Once authenticated, the server provides the client with an IP address and a list
of routes that it may access. In order to allow high-speed transfers the
server does not process or filter packets. It is expected that the server has
or will set up any required routes or firewall rules.
It is possible to separate users into groups, which are either present on their
certificate, or presented on login for the user to choose. That way a user may
take advantage of the different settings that may apply per group. See the
take advantage of the different settings that may apply per group. See the
comments on the configuration file for more information.
It is also possible to run hostname-based virtual servers which could support
@@ -76,7 +76,7 @@ If your system supports Pluggable Authentication Modules (PAM), then
ocserv will take advantage of it to password authenticate its users.
Otherwise a plain password file similar to the UNIX password file is also supported.
In that case the 'ocpasswd' tool can be used for its management.
Note that password authentication can be used in conjunction with certificate
Note that password authentication can be used in conjunction with certificate
authentication.
### GSSAPI authentication
@@ -95,19 +95,19 @@ by the possession of the private key that corresponds to a known
to the server public key. That allows the usage of common smart
cards for user authentication.
In ocserv, a certificate authority (CA) is used to sign the client
certificates. That certificate authority can be local, used only by the
server to sign its user's known public keys which are then given to
users in a form of certificates. That authority need also provide a CRL
In ocserv, a certificate authority (CA) is used to sign the client
certificates. That certificate authority can be local, used only by the
server to sign its user's known public keys which are then given to
users in a form of certificates. That authority need also provide a CRL
to allow the server to reject the revoked clients (see *ca-cert*, *crl*).
In certificate authentication each client presents a certificate and signs
data provided by the server, as part of TLS authentication, to prove his
possession of the corresponding private key.
data provided by the server, as part of TLS authentication, to prove his
possession of the corresponding private key.
The certificate need also contain user identifying information,
for example, the user ID of the client must be embedded in the certificate's
Distinguished Name (DN), i.e., in the Common Name, or UID fields. For the
server to read the name, the *cert-user-oid* configuration option
for example, the user ID of the client must be embedded in the certificate's
Distinguished Name (DN), i.e., in the Common Name, or UID fields. For the
server to read the name, the *cert-user-oid* configuration option
must be set.
The following examples demonstrate how to use certtool from GnuTLS to
@@ -149,7 +149,7 @@ certtool.
encryption_key #only if the generated key is an RSA one
tls_www_server
_EOF_
$ certtool --generate-certificate --load-privkey server-key.pem \
--load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem \
--template server.tmpl --outfile server-cert.pem
@@ -199,7 +199,7 @@ AES).
$ certtool --generate-certificate --load-privkey user-key.pem \
--load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem \
--template user.tmpl --outfile user-cert.pem
$ certtool --to-p12 --load-privkey user-key.pem \
--pkcs-cipher 3des-pkcs12 \
--load-certificate user-cert.pem \
@@ -231,7 +231,7 @@ should be generated as follows.
## IMPLEMENTATION NOTES
Note that while this server utilizes privilege separation and all
authentication occurs on the security module, this does not apply for TLS client
authentication occurs on the security module, this does not apply for TLS client
certificate authentication. That is due to TLS protocol limitation.
@@ -260,4 +260,3 @@ This program is released under the terms of the GNU General Public License, vers
## AUTHORS
Written by Nikos Mavrogiannopoulos. Many people have
contributed to it.


@@ -19,14 +19,14 @@
</CertificateMatch>
<BackupServerList>
<HostAddress>localhost</HostAddress>
<HostAddress>localhost</HostAddress>
</BackupServerList>
</ClientInitialization>
<ServerList>
<HostEntry>
<HostName>VPN Server</HostName>
<HostAddress>localhost</HostAddress>
<HostName>VPN Server</HostName>
<HostAddress>localhost</HostAddress>
</HostEntry>
</ServerList>
</AnyConnectProfile>


@@ -112,7 +112,7 @@ socket-file = /var/run/ocserv-socket
#chroot-dir = /var/lib/ocserv
# The key and the certificates of the server
# The key may be a file, or any URL supported by GnuTLS (e.g.,
# The key may be a file, or any URL supported by GnuTLS (e.g.,
# tpmkey:uuid=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx;storage=user
# or pkcs11:object=my-vpn-key;object-type=private)
#
@@ -136,7 +136,7 @@ server-key = ../tests/certs/server-key.pem
#dh-params = /etc/ocserv/dh.pem
# In case PKCS #11, TPM or encrypted keys are used the PINs should be available
# in files. The srk-pin-file is applicable to TPM keys only, and is the
# in files. The srk-pin-file is applicable to TPM keys only, and is the
# storage root key.
#pin-file = /etc/ocserv/pin.txt
#srk-pin-file = /etc/ocserv/srkpin.txt
@@ -164,7 +164,7 @@ ca-cert = ../tests/certs/ca.pem
### All configuration options below this line are reloaded on a SIGHUP.
### The options above, will remain unchanged. Note however, that the
### The options above, will remain unchanged. Note however, that the
### server-cert, server-key, dh-params and ca-cert options will be reloaded
### if the provided file changes, on server reload. That allows certificate
### rotation, but requires the server key to remain the same for seamless
@@ -172,7 +172,7 @@ ca-cert = ../tests/certs/ca.pem
### failures during the reloading time.
# Whether to enable seccomp/Linux namespaces worker isolation. That restricts the number of
# Whether to enable seccomp/Linux namespaces worker isolation. That restricts the number of
# system calls allowed to a worker process, in order to reduce damage from a
# bug in the worker process. It is available on Linux systems at a performance cost.
# The performance cost is roughly 2% overhead at transfer time (tested on a Linux 3.17.8).
@@ -193,7 +193,7 @@ isolate-workers = true
#max-clients = 1024
max-clients = 16
# Limit the number of identical clients (i.e., users connecting
# Limit the number of identical clients (i.e., users connecting
# multiple times). Unset or set to zero for unlimited.
max-same-clients = 2
@@ -234,7 +234,7 @@ keepalive = 32400
dpd = 90
# Dead peer detection for mobile clients. That needs to
# be higher to prevent such clients being awaken too
# be higher to prevent such clients being awaken too
# often by the DPD messages, and save battery.
# The mobile clients are distinguished from the header
# 'X-AnyConnect-Identifier-Platform'.
@@ -264,17 +264,17 @@ try-mtu-discovery = false
# Make sure that you replace the following file in an atomic way.
#ocsp-response = /etc/ocserv/ocsp.der
# The object identifier that will be used to read the user ID in the client
# The object identifier that will be used to read the user ID in the client
# certificate. The object identifier should be part of the certificate's DN
# Useful OIDs are:
# Useful OIDs are:
# CN = 2.5.4.3, UID = 0.9.2342.19200300.100.1.1, SAN(rfc822name)
cert-user-oid = 0.9.2342.19200300.100.1.1
# The object identifier that will be used to read the user group in the
# The object identifier that will be used to read the user group in the
# client certificate. The object identifier should be part of the certificate's
# DN. If the user may belong to multiple groups, then use multiple such fields
# in the certificate's DN. Useful OIDs are:
# OU (organizational unit) = 2.5.4.11
# in the certificate's DN. Useful OIDs are:
# OU (organizational unit) = 2.5.4.11
#cert-group-oid = 2.5.4.11
# The revocation list of the certificates issued by the 'ca-cert' above.
@@ -310,7 +310,7 @@ tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0:-VERS-TLS1.0:-V
# More combinations in priority strings are available, check
# http://gnutls.org/manual/html_node/Priority-Strings.html
# E.g., the string below enforces perfect forward secrecy (PFS)
# E.g., the string below enforces perfect forward secrecy (PFS)
# on the main channel.
#tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128"
@@ -338,7 +338,7 @@ auth-timeout = 240
# traffic) before being disconnected. Unset to disable.
#mobile-idle-timeout = 2400
# The time (in seconds) that a client is not allowed to reconnect after
# The time (in seconds) that a client is not allowed to reconnect after
# a failed authentication attempt.
min-reauth-time = 300
@@ -412,7 +412,7 @@ rekey-method = ssl
# client connection will be refused.
# The disconnect script will receive the additional values: STATS_BYTES_IN,
# STATS_BYTES_OUT, STATS_DURATION that contain a 64-bit counter of the bytes
# STATS_BYTES_OUT, STATS_DURATION that contain a 64-bit counter of the bytes
# output from the tun device, and the duration of the session in seconds.
#connect-script = /usr/bin/myscript
@@ -476,7 +476,7 @@ default-domain = example.com
#default-domain = "example.com one.example.com"
# The pool of addresses that leases will be given from. If the leases
# are given via Radius, or via the explicit-ip? per-user config option then
# are given via Radius, or via the explicit-ip? per-user config option then
# these network values should contain a network with at least a single
# address that will remain under the full control of ocserv (that is
# to be able to assign the local part of the tun device address).
@@ -490,7 +490,7 @@ ipv4-netmask = 255.255.255.0
#ipv4-network = 192.168.1.0/24
# The IPv6 subnet that leases will be given from.
#ipv6-network = fda9:4efe:7e3b:03ea::/48
#ipv6-network = fda9:4efe:7e3b:03ea::/48
# Specify the size of the network to provide to clients. It is
# generally recommended to provide clients with a /64 network in
@@ -538,7 +538,7 @@ ping-leases = false
#output-buffer = 10
# Routes to be forwarded to the client. If you need the
# client to forward routes to the server, you may use the
# client to forward routes to the server, you may use the
# config-per-user/group or even connect and disconnect scripts.
#
# To set the server as the default gateway for the client just
@@ -556,7 +556,7 @@ route = 192.168.0.0/255.255.0.0
no-route = 192.168.5.0/255.255.255.0
# Note the that following two firewalling options currently are available
# in Linux systems with iptables software.
# in Linux systems with iptables software.
# If set, the script /usr/bin/ocserv-fw will be called to restrict
# the user to its allowed routes and prevent him from accessing
@@ -600,7 +600,7 @@ no-route = 192.168.5.0/255.255.255.0
# or the groupname.
# The options allowed in the configuration files are dns, nbns,
# ipv?-network, ipv4-netmask, rx/tx-data-per-sec, iroute, route, no-route,
# explicit-ipv4, explicit-ipv6, net-priority, deny-roaming, no-udp,
# explicit-ipv4, explicit-ipv6, net-priority, deny-roaming, no-udp,
# keepalive, dpd, mobile-dpd, max-same-clients, tunnel-all-dns,
# restrict-user-to-routes, cgroup, stats-report-time,
# mtu, idle-timeout, mobile-idle-timeout, restrict-user-to-ports,
@@ -611,7 +611,7 @@ no-route = 192.168.5.0/255.255.255.0
# by the commands route-add-cmd and route-del-cmd (see below). The no-udp
# is a boolean option (e.g., no-udp = true), and will prevent a UDP session
# for that specific user or group. The hostname option will set a
# hostname to override any proposed by the user. Note also, that, any
# hostname to override any proposed by the user. Note also, that, any
# routes, no-routes, DNS or NBNS servers present will overwrite the global ones.
#config-per-user = /etc/ocserv/config-per-user/
@@ -646,7 +646,7 @@ no-route = 192.168.5.0/255.255.255.0
# }
# In some distributions the krb5-k5tls plugin of kinit is required.
#
# The following option is available in ocserv, when compiled with GSSAPI support.
# The following option is available in ocserv, when compiled with GSSAPI support.
#kkdcp = "SERVER-PATH KERBEROS-REALM PROTOCOL@SERVER:PORT"
#kkdcp = "/KdcProxy KERBEROS.REALM udp@127.0.0.1:88"
@@ -666,7 +666,7 @@ no-route = 192.168.5.0/255.255.255.0
# </AnyConnectProfile>
#
# Other fields may be used by some of the CISCO clients.
# This file must be accessible from inside the worker's chroot.
# This file must be accessible from inside the worker's chroot.
# Note that:
# (1) enabling this option is not recommended as it will allow the
# worker processes to open arbitrary files (when isolate-workers is
@@ -676,8 +676,8 @@ no-route = 192.168.5.0/255.255.255.0
#user-profile = profile.xml
#
# The following options are for (experimental) AnyConnect client
# compatibility.
# The following options are for (experimental) AnyConnect client
# compatibility.
# This option will enable the pre-draft-DTLS version of DTLS, and
# will not require clients to present their certificate on every TLS


@@ -36,7 +36,7 @@
#include <str.h>
#include "auth/pam.h"
static int ocserv_conv(int msg_size, const struct pam_message **msg,
static int ocserv_conv(int msg_size, const struct pam_message **msg,
struct pam_response **resp, void *uptr)
{
*resp = NULL;


@@ -84,7 +84,7 @@ static void print_gss_err(const char *where,
}
const gss_OID_desc spnego_mech = {6, (void *)"\x2b\x06\x01\x05\x05\x02"};
const gss_OID_set_desc desired_mechs = {
const gss_OID_set_desc desired_mechs = {
.count = 1,
.elements = (gss_OID)&spnego_mech
};


@@ -331,9 +331,9 @@ static bool oidc_fetch_oidc_keys(oidc_vctx_st * vctx)
"ocserv-oidc: openid_configuration_url missing from config\n");
goto cleanup;
}
json_t *oidc_config =
oidc_fetch_json_from_uri(vctx->pool,
oidc_fetch_json_from_uri(vctx->pool,
json_string_value
(openid_configuration_url));


@@ -58,7 +58,7 @@ enum {
PAM_S_COMPLETE,
};
static int ocserv_conv(int msg_size, const struct pam_message **msg,
static int ocserv_conv(int msg_size, const struct pam_message **msg,
struct pam_response **resp, void *uptr)
{
struct pam_ctx_st * pctx = uptr;
@@ -131,7 +131,7 @@ static int ocserv_conv(int msg_size, const struct pam_message **msg,
*resp = pctx->replies;
pctx->replies = NULL;
return PAM_SUCCESS;
return PAM_SUCCESS;
}
static void co_auth_user(void* data)
@@ -147,7 +147,7 @@ int pret;
pctx->cr_ret = pret;
goto wait;
}
pret = pam_acct_mgmt(pctx->ph, 0);
if (pret == PAM_NEW_AUTHTOK_REQD) {
/* change password */
@@ -156,13 +156,13 @@ int pret;
pctx->changing = 1;
pret = pam_chauthtok(pctx->ph, PAM_CHANGE_EXPIRED_AUTHTOK);
}
if (pret != PAM_SUCCESS) {
syslog(LOG_INFO, "PAM acct-mgmt error for '%s': %s", pctx->username, pam_strerror(pctx->ph, pret));
pctx->cr_ret = pret;
goto wait;
}
pctx->state = PAM_S_COMPLETE;
pctx->cr_ret = PAM_SUCCESS;
@@ -208,7 +208,7 @@ struct pam_ctx_st * pctx;
pam_set_item(pctx->ph, PAM_RHOST, info->ip);
*ctx = pctx;
return ERR_AUTH_CONTINUE;
fail2:
@@ -254,7 +254,7 @@ size_t prompt_hash = 0;
pst->counter = pctx->passwd_counter;
/* differentiate password prompts, if the hash of the prompt
* is different.
* is different.
*/
if (pctx->prev_prompt_hash != prompt_hash)
pctx->passwd_counter++;
@@ -287,7 +287,7 @@ struct pam_ctx_st * pctx = ctx;
syslog(LOG_NOTICE, "PAM-auth pam_auth_pass: %s", pam_strerror(pctx->ph, pctx->cr_ret));
return ERR_AUTH_FAIL;
}
if (pctx->state != PAM_S_COMPLETE)
return ERR_AUTH_CONTINUE;
@@ -316,13 +316,13 @@ int pret;
/*syslog(LOG_NOTICE, "PAM-auth: pam_get_item(PAM_USER): %s", pam_strerror(pctx->ph, pret));*/
return -1;
}
if (user != NULL) {
strlcpy(username, user, username_size);
return 0;
}
return -1;
}


@@ -378,8 +378,8 @@ static int radius_auth_pass(void *ctx, const char *pass, unsigned pass_len)
} else if (vp->attribute == PW_DELEGATED_IPV6_PREFIX && vp->type == PW_TYPE_IPV6PREFIX) {
/* Delegated-IPv6-Prefix */
if (inet_ntop(AF_INET6, vp->strvalue, pctx->ipv6, sizeof(pctx->ipv6)) != NULL) {
memset(ipv6, 0, sizeof(ipv6));
memcpy(ipv6, vp->strvalue+2, vp->lvalue-2);
memset(ipv6, 0, sizeof(ipv6));
memcpy(ipv6, vp->strvalue+2, vp->lvalue-2);
if (inet_ntop(AF_INET6, ipv6, pctx->ipv6, sizeof(pctx->ipv6)) != NULL) {
pctx->ipv6_subnet_prefix = (unsigned)(unsigned char)vp->strvalue[1];
}
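Review bot: the Delegated-IPv6-Prefix branch copies `vp->lvalue-2` bytes into `ipv6` with no length check visible in this hunk, whereas the Framed-IPv6-Prefix branch in the next hunk guards the identical copy with `if (vp->lvalue > 2 && vp->lvalue <= 18)`; unless an equivalent check sits above the shown context, an attribute shorter than 2 bytes makes the copy length wrap and one longer than 18 bytes overruns `ipv6`, so the same guard belongs here (as a separate fix, since this commit is whitespace-only). The enclosing `inet_ntop(AF_INET6, vp->strvalue, ...)` also looks off: it formats the raw attribute, whose first two bytes the code below treats as a header (`vp->strvalue+2`, `vp->strvalue[1]` as prefix length) rather than address bytes, and its result is immediately overwritten by the inner `inet_ntop`.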
@@ -387,8 +387,8 @@ static int radius_auth_pass(void *ctx, const char *pass, unsigned pass_len)
} else if (vp->attribute == PW_FRAMED_IPV6_PREFIX && vp->type == PW_TYPE_IPV6PREFIX) {
if (vp->lvalue > 2 && vp->lvalue <= 18) {
/* Framed-IPv6-Prefix */
memset(ipv6, 0, sizeof(ipv6));
memcpy(ipv6, vp->strvalue+2, vp->lvalue-2);
memset(ipv6, 0, sizeof(ipv6));
memcpy(ipv6, vp->strvalue+2, vp->lvalue-2);
if (inet_ntop(AF_INET6, ipv6, txt, sizeof(txt)) != NULL) {
snprintf(route, sizeof(route), "%s/%u", txt, (unsigned)(unsigned char)vp->strvalue[1]);
append_route(pctx, vp->strvalue, vp->lvalue);

View File

@@ -1,4 +1,4 @@
AM_CPPFLAGS =
AM_CPPFLAGS =
if LOCAL_TALLOC
AM_CPPFLAGS += -I$(top_srcdir)/src/ccan/talloc
@@ -6,7 +6,7 @@ endif
if LOCAL_HTTP_PARSER
AM_CPPFLAGS += -I$(top_srcdir)/src/http-parser/
NEEDED_HTTP_PARSER_LIBS =
NEEDED_HTTP_PARSER_LIBS =
else
NEEDED_HTTP_PARSER_LIBS = $(HTTP_PARSER_LIBS)
endif

View File

@@ -924,4 +924,3 @@ size_t oc_strlcpy(char *dst, char const *src, size_t siz)
}
#endif

View File

@@ -57,7 +57,7 @@ typedef void* (*unpack_func)(ProtobufCAllocator *allocator,
size_t len,
const uint8_t *data);
int send_socket_msg(void *pool, int fd, uint8_t cmd,
int send_socket_msg(void *pool, int fd, uint8_t cmd,
int socketfd,
const void* msg, pack_size_func get_size, pack_func pack);
@@ -71,7 +71,7 @@ int send_msg(void *pool, int fd, uint8_t cmd,
}
int recv_socket_msg(void *pool, int fd, uint8_t cmd,
int recv_socket_msg(void *pool, int fd, uint8_t cmd,
int *socketfd, void** msg, unpack_func, unsigned timeout);
inline static int recv_msg(void *pool, int fd, uint8_t cmd,

View File

@@ -54,5 +54,5 @@ void generate_hmac(size_t key_length, const uint8_t * key, size_t component_coun
hmac_sha256_digest(&ctx, HMAC_DIGEST_SIZE, digest);
safe_memset(&ctx, 0, sizeof(ctx));
safe_memset(&ctx, 0, sizeof(ctx));
}

View File

@@ -101,20 +101,20 @@ static int snapshot_add_entry(snapshot_t * snapshot, const char *filename,
(snapshot_entry_t *) talloc_zero_array(snapshot->pool, char,
sizeof(uint32_t) +
file_name_length);
if (entry == NULL)
if (entry == NULL)
goto cleanup;
entry->fd = fd;
strlcpy((char *)entry->name, filename, file_name_length);
if (!htable_add
(&snapshot->ht, snapshot_hash_filename(entry->name), entry))
(&snapshot->ht, snapshot_hash_filename(entry->name), entry))
goto cleanup;
entry = NULL;
retval = 0;
cleanup:
if (entry)
if (entry)
talloc_free(entry);
return retval;
@@ -132,7 +132,7 @@ int snapshot_init(void *pool, struct snapshot_t **snapshot, const char *prefix)
size_t tmp_filename_template_length = strlen(prefix) + 7;
new_snapshot = talloc_zero(pool, snapshot_t);
if (new_snapshot == NULL)
if (new_snapshot == NULL)
goto cleanup;
new_snapshot->pool = pool;
@@ -143,7 +143,7 @@ int snapshot_init(void *pool, struct snapshot_t **snapshot, const char *prefix)
if (snprintf
((char *)new_snapshot->tmp_filename_template,
tmp_filename_template_length, "%sXXXXXX",
prefix) >= tmp_filename_template_length)
prefix) >= tmp_filename_template_length)
goto cleanup;
htable_init(&new_snapshot->ht, snapshot_rehash, new_snapshot);
@@ -153,7 +153,7 @@ int snapshot_init(void *pool, struct snapshot_t **snapshot, const char *prefix)
new_snapshot = NULL;
cleanup:
if (new_snapshot != NULL) {
if (new_snapshot->tmp_filename_template != NULL)
if (new_snapshot->tmp_filename_template != NULL)
talloc_free((char *)new_snapshot->
tmp_filename_template);
talloc_free(new_snapshot);
@@ -187,7 +187,7 @@ int snapshot_create(struct snapshot_t *snapshot, const char *filename)
int fd_out = -1;
snapshot_entry_t *entry = NULL;
if (filename == NULL)
if (filename == NULL)
return 0;
strlcpy(tmp_file_name, snapshot->tmp_filename_template,
@@ -242,7 +242,7 @@ int snapshot_create(struct snapshot_t *snapshot, const char *filename)
close(entry->fd);
entry->fd = fd_out;
} else {
if (snapshot_add_entry(snapshot, filename, fd_out) != 0)
if (snapshot_add_entry(snapshot, filename, fd_out) != 0)
goto cleanup;
}
@@ -290,7 +290,7 @@ int snapshot_restore_entry(struct snapshot_t *snapshot, int fd,
const char *file_name)
{
int ret = snapshot_add_entry(snapshot, file_name, fd);
if (ret < 0)
if (ret < 0)
return ret;
return 0;
@@ -317,14 +317,14 @@ int snapshot_lookup_filename(struct snapshot_t *snapshot, const char *file_name,
char fd_path[128];
char *new_file_name = NULL;
snapshot_entry_t *entry = snapshot_find(snapshot, file_name);
if (entry == NULL)
if (entry == NULL)
goto cleanup;
if (snapshot_file_name_from_fd(entry->fd, fd_path, sizeof(fd_path)) < 0)
goto cleanup;
new_file_name = talloc_strdup(snapshot->pool, fd_path);
if (new_file_name == NULL)
if (new_file_name == NULL)
goto cleanup;
*snapshot_file_name = new_file_name;
@@ -333,7 +333,7 @@ int snapshot_lookup_filename(struct snapshot_t *snapshot, const char *file_name,
ret = 0;
cleanup:
if (new_file_name != NULL)
if (new_file_name != NULL)
talloc_free(new_file_name);
return ret;

View File

@@ -26,4 +26,4 @@
int sockdiag_query_unix_domain_socket_queue_length(const char * socket_name, int * sock_rqueue, int * sock_wqueue);
#endif
#endif

View File

@@ -60,7 +60,7 @@ SIGHANDLER_T ocsignal(int signum, SIGHANDLER_T handler)
new_action.sa_handler = handler;
sigemptyset (&new_action.sa_mask);
new_action.sa_flags = 0;
sigaction (signum, &new_action, &old_action);
return old_action.sa_handler;
}

View File

@@ -1148,8 +1148,8 @@ static void replace_file_with_snapshot(char ** file_name)
}
if (snapshot_lookup_filename(
config_snapshot,
*file_name,
config_snapshot,
*file_name,
&snapshot_file_name) < 0) {
fprintf(stderr, ERRSTR"cannot find snapshot for file %s\n", *file_name);
exit(1);
@@ -1184,7 +1184,7 @@ static void parse_cfg_file(void *pool, const char *file, struct list_head *head,
if ((flags & CFG_FLAG_WORKER) == CFG_FLAG_WORKER) {
char * snapshot_file = NULL;
if ((snapshot_lookup_filename(config_snapshot, file, &snapshot_file) < 0) &&
if ((snapshot_lookup_filename(config_snapshot, file, &snapshot_file) < 0) &&
(snapshot_lookup_filename(config_snapshot, OLD_DEFAULT_CFG_FILE, &snapshot_file) < 0)) {
fprintf(stderr, ERRSTR"snapshot_lookup failed for file %s\n", file);
exit(1);
@@ -1226,7 +1226,7 @@ static void parse_cfg_file(void *pool, const char *file, struct list_head *head,
CONFIG_ERROR(local_cfg_file, ret);
exit(1);
}
ret = snapshot_create(config_snapshot, local_cfg_file);
if (ret < 0){
fprintf(stderr, ERRSTR"cannot snapshot config file %s\n", local_cfg_file);
@@ -1868,16 +1868,16 @@ void clear_old_configs(struct list_head *head)
}
// ocserv and ocserv-worker both load and parse the configuration files.
// As part of the process of loading the config files, auth / acct methods
// As part of the process of loading the config files, auth / acct methods
// are enabled based on the content of the acct_mod_st and auth_mod_st tables.
// These auth tables are present in the auth sub-subsystem. Linking against
// the auth subsystem pulls in a very large set of dependent binaries which
// increases the overall memory footprint. To avoid this, we provide stub
// increases the overall memory footprint. To avoid this, we provide stub
// versions of acct_mod_st and auth_mod_st tables that the ocserv-worker
// process can link against.
#if defined(OCSERV_WORKER_PROCESS)
// Group information is populated by the auth subsystem.
// Group information is populated by the auth subsystem.
// When compiles as part of ocserv-worker, the auth subsystem is not present.
// To work around this, the group information is passed from ocserv-main to
// ocserv-worker, which then caches it and returns it when queried.
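Review bot: while the trailing spaces are being stripped from this comment block, the line `// When compiles as part of ocserv-worker, the auth subsystem is not present.` should read "When compiled as part of ocserv-worker"; "dependent binaries" in the paragraph above would also be clearer as "dependent libraries", since the concern is what gets linked in.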

View File

@@ -121,4 +121,3 @@ message unban_req
{
required bytes ip = 1;
}

View File

@@ -76,7 +76,7 @@ typedef enum {
CMD_SESSION_INFO = 13,
CMD_BAN_IP = 16,
CMD_BAN_IP_REPLY = 17,
CMD_LATENCY_STATS_DELTA = 18,
CMD_LATENCY_STATS_DELTA = 18,
/* from worker to sec-mod */
CMD_SEC_AUTH_INIT = 120,

View File

@@ -180,4 +180,3 @@ char *escape_url(void *pool, const char *url, unsigned len, unsigned *out_len)
return msg;
}

View File

@@ -58,11 +58,11 @@ struct htable_iter iter;
/* disable the destructor */
cache->db = NULL;
talloc_free(cache);
cache = htable_next(&db->ht, &iter);
}
htable_clear(&db->ht);
return;
}
@@ -246,7 +246,7 @@ int get_ipv4_lease(main_server_st* s, struct proc_st* proc)
memcpy(&proc->ipv4->sig, &tmp, sizeof(struct sockaddr_in));
if (is_ipv4_ok(s, &proc->ipv4->rip, &network, &mask) == 0) {
mslog(s, proc, LOG_DEBUG, "cannot assign explicit IP %s; it is in use or invalid",
mslog(s, proc, LOG_DEBUG, "cannot assign explicit IP %s; it is in use or invalid",
human_addr((void*)&tmp, sizeof(struct sockaddr_in), buf, sizeof(buf)));
ret = ERR_NO_IP;
goto fail;
@@ -314,7 +314,7 @@ int get_ipv4_lease(main_server_st* s, struct proc_st* proc)
/* check if it exists in the hash table */
if (is_ipv4_ok(s, &rnd, &network, &mask) == 0) {
mslog(s, proc, LOG_DEBUG, "cannot assign remote IP %s; it is in use or invalid",
mslog(s, proc, LOG_DEBUG, "cannot assign remote IP %s; it is in use or invalid",
human_addr((void*)&rnd, sizeof(struct sockaddr_in), buf, sizeof(buf)));
continue;
}
@@ -429,7 +429,7 @@ int get_ipv6_lease(main_server_st* s, struct proc_st* proc)
SA_IN6_U8_P(&proc->ipv6->sig)[i] = SA_IN6_U8_P(&proc->ipv6->rip)[i] & SA_IN6_U8_P(&subnet_mask)[i];
if (is_ipv6_ok(s, &tmp, &proc->ipv6->lip, &proc->ipv6->sig) == 0) {
mslog(s, proc, LOG_DEBUG, "cannot assign explicit IP %s; it is in use or invalid",
mslog(s, proc, LOG_DEBUG, "cannot assign explicit IP %s; it is in use or invalid",
human_addr((void*)&tmp, sizeof(struct sockaddr_in6), buf, sizeof(buf)));
ret = ERR_NO_IP;
goto fail;
@@ -564,7 +564,7 @@ char buf[128];
mslog(s, proc, LOG_ERR, "no IPv4 or IPv6 addresses are configured. Cannot obtain lease");
return -1;
}
if (proc->ipv4)
mslog(s, proc, LOG_DEBUG, "assigned IPv4: %s",
human_addr((void*)&proc->ipv4->rip, proc->ipv4->rip_len, buf, sizeof(buf)));

View File

@@ -385,5 +385,5 @@ message secm_list_cookies_reply_msg
/* snapshot_state */
message snapshot_state_msg
{
}
}

View File

@@ -25,7 +25,7 @@
#include <main.h>
#include <limits.h>
void init_fd_limits_default(main_server_st * s)
{
#ifdef RLIMIT_NOFILE
@@ -54,7 +54,7 @@ void update_fd_limits(main_server_st * s, unsigned main)
int ret;
if (main) {
if (GETCONFIG(s)->max_clients > 0)
if (GETCONFIG(s)->max_clients > 0)
max = MAX_FD_LIMIT(GETCONFIG(s)->max_clients);
else
// If the admin doesn't specify max_clients,
@@ -182,4 +182,3 @@ void drop_privileges(main_server_st * s)
strerror(e));
}
}

View File

@@ -30,4 +30,4 @@ void set_self_oom_score_adj(struct main_server_st * s);
void drop_privileges(struct main_server_st * s);
#endif
#endif

View File

@@ -239,14 +239,14 @@ int handle_auth_cookie_req(sec_mod_instance_st * sec_mod_instance, struct proc_s
return 0;
}
/* Checks for multiple users.
*
/* Checks for multiple users.
*
* It returns a negative error code if more than the maximum allowed
* users are found.
*
*
* In addition this function will also check whether the cookie
* used had been re-used before, and then disconnect the old session
* (cookies are unique).
* (cookies are unique).
*/
int check_multiple_users(main_server_st *s, struct proc_st* proc)
{
@@ -272,4 +272,3 @@ int check_multiple_users(main_server_st *s, struct proc_st* proc)
return 0;
}

View File

@@ -355,7 +355,7 @@ int if_address_init(main_server_st *s)
}
count ++;
}
local_if_addresses = talloc_array(s, if_address_st, count);
if (local_if_addresses == NULL) {
fprintf(stderr, "Failed to allocate");
@@ -406,11 +406,11 @@ static bool test_local_ipv4(struct sockaddr_in * remote, struct sockaddr_in * lo
static bool test_local_ipv6(struct sockaddr_in6 * remote, struct sockaddr_in6 * local, struct sockaddr_in6 * network)
{
unsigned index = 0;
for (index = 0; index < 4; index ++) {
uint32_t l = local->sin6_addr.s6_addr32[index] & network->sin6_addr.s6_addr32[index];
uint32_t r = remote->sin6_addr.s6_addr32[index] & network->sin6_addr.s6_addr32[index];
if (l != r)
if (l != r)
return false;
}
return true;
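Review bot: `local->sin6_addr.s6_addr32[index]` in `test_local_ipv6` relies on the `s6_addr32` member, which is a glibc extension rather than a POSIX field of `struct in6_addr`; other libcs expose the 32-bit view under a different name or not at all, so this loop will not compile portably. Only whitespace changes here, but masking the 16 bytes of `s6_addr` directly (as the IPv6 lease code elsewhere does with `SA_IN6_U8_P`) would remove the dependency.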
@@ -448,4 +448,4 @@ void if_address_cleanup(main_server_st * s)
s->if_addresses = NULL;
s->if_addresses_count = 0;
}
}

View File

@@ -602,13 +602,13 @@ static void method_list_cookies(method_ctx *ctx, int cfd, uint8_t * msg,
mslog(ctx->s, NULL, LOG_ERR, "error sending list cookies to sec-mod!");
continue;
}
ret = recv_msg(ctx->pool, ctx->s->sec_mod_instances[i].sec_mod_fd_sync, CMD_SECM_LIST_COOKIES_REPLY,
ret = recv_msg(ctx->pool, ctx->s->sec_mod_instances[i].sec_mod_fd_sync, CMD_SECM_LIST_COOKIES_REPLY,
(void*)&sub_reply, (unpack_func)secm_list_cookies_reply_msg__unpack, MAIN_SEC_MOD_TIMEOUT);
if (ret < 0) {
mslog(ctx->s, NULL, LOG_ERR, "error receiving list cookies reply");
continue;
}
if (sub_reply) {
sub_replies[i] = sub_reply;
total_cookies += sub_reply->n_cookies;

View File

@@ -158,4 +158,3 @@ void remove_proc(main_server_st * s, struct proc_st *proc, unsigned flags)
safe_memset(proc->sid, 0, sizeof(proc->sid));
talloc_free(proc);
}

View File

@@ -469,13 +469,13 @@ int session_open(sec_mod_instance_st * sec_mod_instance, struct proc_st *proc, c
ireq.sid.data = (void*)cookie;
ireq.sid.len = cookie_size;
if (proc->ipv4 &&
if (proc->ipv4 &&
human_addr2((struct sockaddr *)&proc->ipv4->rip, proc->ipv4->rip_len,
str_ipv4, sizeof(str_ipv4), 0) != NULL) {
ireq.ipv4 = str_ipv4;
}
if (proc->ipv6 &&
if (proc->ipv6 &&
human_addr2((struct sockaddr *)&proc->ipv6->rip, proc->ipv6->rip_len,
str_ipv6, sizeof(str_ipv6), 0) != NULL) {
ireq.ipv6 = str_ipv6;
@@ -565,7 +565,7 @@ int session_open(sec_mod_instance_st * sec_mod_instance, struct proc_st *proc, c
static void reset_stats(main_server_st *s, time_t now)
{
unsigned int i;
unsigned int i;
unsigned long max_auth_time = 0;
unsigned long avg_auth_time = 0;
for (i = 0; i < s->sec_mod_instance_count; i ++) {
@@ -758,11 +758,11 @@ void run_sec_mod(sec_mod_instance_st * sec_mod_instance, unsigned int instance_i
int sfd[2];
pid_t pid;
const char *p;
main_server_st * s = sec_mod_instance->server;
main_server_st * s = sec_mod_instance->server;
/* fills sec_mod_instance->socket_file */
snprintf(sec_mod_instance->socket_file, sizeof(sec_mod_instance->socket_file), "%s.%d", secmod_socket_file_name(GETPCONFIG(s)), instance_index);
mslog(s, NULL, LOG_DEBUG, "created sec-mod socket file (%s)", sec_mod_instance->socket_file);
@@ -824,4 +824,3 @@ void run_sec_mod(sec_mod_instance_st * sec_mod_instance, unsigned int instance_i
exit(1);
}
}

View File

@@ -384,13 +384,13 @@ const char* script, *next_script = NULL;
mslog(s, proc, LOG_ERR, "Could not execute script %s", script);
exit(1);
}
exit(77);
} else if (pid == -1) {
mslog(s, proc, LOG_ERR, "Could not fork()");
return -1;
}
if (type == SCRIPT_CONNECT) {
add_to_script_list(s, pid, proc);
return ERR_WAIT_FOR_SCRIPT;
@@ -408,7 +408,7 @@ add_utmp_entry(main_server_st *s, struct proc_st* proc)
#ifdef HAVE_LIBUTIL
struct utmpx entry;
struct timespec tv;
if (GETCONFIG(s)->use_utmp == 0)
return;
@@ -435,8 +435,8 @@ add_utmp_entry(main_server_st *s, struct proc_st* proc)
#if defined(WTMPX_FILE)
updwtmpx(WTMPX_FILE, &entry);
#endif
#endif
return;
#endif
}
@@ -467,7 +467,7 @@ static void remove_utmp_entry(main_server_st *s, struct proc_st* proc)
entry.ut_tv.tv_sec = tv.tv_sec;
entry.ut_tv.tv_usec = tv.tv_nsec / 1000;
updwtmpx(WTMPX_FILE, &entry);
#endif
#endif
return;
#endif
}
@@ -500,4 +500,3 @@ void user_disconnected(main_server_st *s, struct proc_st* proc)
remove_utmp_entry(s, proc);
call_script(s, proc, SCRIPT_DISCONNECT);
}

View File

@@ -191,7 +191,7 @@ static int accept_user(main_server_st * s, struct proc_st *proc, unsigned cmd)
return ret;
}
/* Performs the required steps based on the result from the
/* Performs the required steps based on the result from the
* authentication function (e.g. handle_auth_init).
*
* @cmd: the command received
@@ -450,7 +450,7 @@ int handle_worker_commands(main_server_st * s, struct proc_st *proc)
#if defined(CAPTURE_LATENCY_SUPPORT)
case CMD_LATENCY_STATS_DELTA:{
LatencyStatsDelta * tmsg;
if (proc->status != PS_AUTH_COMPLETED) {
mslog(s, proc, LOG_ERR,
"received LATENCY STATS DELTA in unauthenticated state.");
@@ -464,7 +464,7 @@ int handle_worker_commands(main_server_st * s, struct proc_st *proc)
ret = ERR_BAD_COMMAND;
goto cleanup;
}
s->stats.delta_latency_stats.median_total += tmsg->median_delta;
s->stats.delta_latency_stats.rms_total += tmsg->rms_delta;
s->stats.delta_latency_stats.sample_count += tmsg->sample_count_delta;
@@ -485,4 +485,3 @@ int handle_worker_commands(main_server_st * s, struct proc_st *proc)
return ret;
}

View File

@@ -169,7 +169,7 @@ static void set_common_socket_options(int fd)
set_cloexec_flag (fd, 1);
}
static
static
int _listen_ports(void *pool, struct perm_cfg_st* config, struct addrinfo *res,
struct listen_list_st *list, struct netns_fds *netns)
{
@@ -253,7 +253,7 @@ int _listen_ports(void *pool, struct perm_cfg_st* config, struct addrinfo *res,
/* Returns 0 on success or negative value on error.
*/
static int
listen_ports(void *pool, struct perm_cfg_st* config,
listen_ports(void *pool, struct perm_cfg_st* config,
struct listen_list_st *list,
struct netns_fds *netns)
{
@@ -486,7 +486,7 @@ void clear_lists(main_server_st *s)
}
ev_timer_stop(main_loop, &maintenance_watcher);
#if defined(CAPTURE_LATENCY_SUPPORT)
ev_timer_stop(main_loop, &latency_watcher);
ev_timer_stop(main_loop, &latency_watcher);
#endif
/* free memory and descriptors by the event loop */
ev_loop_destroy (main_loop);
@@ -676,7 +676,7 @@ int sfd = -1;
/* check version */
if (s->msg_buffer[0] == 22) {
mslog(s, NULL, LOG_DEBUG, "new DTLS session from %s (record v%u.%u, hello v%u.%u)",
mslog(s, NULL, LOG_DEBUG, "new DTLS session from %s (record v%u.%u, hello v%u.%u)",
human_addr((struct sockaddr*)&cli_addr, cli_addr_size, tbuf, sizeof(tbuf)),
(unsigned int)s->msg_buffer[1], (unsigned int)s->msg_buffer[2],
(unsigned int)s->msg_buffer[RECORD_PAYLOAD_POS], (unsigned int)s->msg_buffer[RECORD_PAYLOAD_POS+1]);
@@ -684,7 +684,7 @@ int sfd = -1;
if (s->msg_buffer[1] != 254 && (s->msg_buffer[1] != 1 && s->msg_buffer[2] != 0) &&
s->msg_buffer[RECORD_PAYLOAD_POS] != 254 && (s->msg_buffer[RECORD_PAYLOAD_POS] != 0 && s->msg_buffer[RECORD_PAYLOAD_POS+1] != 0)) {
mslog(s, NULL, LOG_INFO, "%s: unknown DTLS record version: %u.%u",
mslog(s, NULL, LOG_INFO, "%s: unknown DTLS record version: %u.%u",
human_addr((struct sockaddr*)&cli_addr, cli_addr_size, tbuf, sizeof(tbuf)),
(unsigned)s->msg_buffer[1], (unsigned)s->msg_buffer[2]);
goto fail;
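Review bot: the rejection test two lines above the touched `mslog` line, `(s->msg_buffer[1] != 1 && s->msg_buffer[2] != 0)`, is looser than its apparent intent: if the goal is to accept exactly a 254.x record or a legacy 1.0 record, the rejection condition is `b[1] != 254 && (b[1] != 1 || b[2] != 0)`, whereas the `&&` form lets any record whose minor byte is 0, or whose major byte is 1, through regardless of the other byte (the same applies to the hello-version half of the expression). Worth a follow-up fix since this is the first check applied to unauthenticated UDP input.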
@@ -779,7 +779,7 @@ int sfd = -1;
ret = send_socket_msg_to_worker(s, proc_to_send, CMD_UDP_FD,
sfd,
&msg,
&msg,
(pack_size_func)udp_fd_msg__get_packed_size,
(pack_func)udp_fd_msg__pack);
if (ret < 0) {
@@ -902,7 +902,7 @@ static void kill_children_auth_timeout(main_server_st* s)
list_for_each_safe(&s->proc_list.head, ctmp, cpos, list) {
/* If the worker has not completed it's auth within auth_timeout seconds, kill it */
if ((ctmp->status < PS_AUTH_COMPLETED) &&
(ctmp->conn_time < oldest_permitted_session) &&
(ctmp->conn_time < oldest_permitted_session) &&
(ctmp->pid != -1)) {
remove_proc(s, ctmp, RPROC_KILL);
}
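Review bot: the comment `/* If the worker has not completed it's auth within auth_timeout seconds, kill it */` at the top of this hunk should read "its auth"; since the adjacent line is being rewritten for whitespace, fixing the contraction here is cheap.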
@@ -944,7 +944,7 @@ static void term_sig_watcher_cb(struct ev_loop *loop, ev_signal *w, int revents)
if (server_drain_ms == 0) {
terminate_server(s);
}
else
else
{
if (!ev_is_active(&graceful_shutdown_watcher)) {
mslog(s, NULL, LOG_INFO, "termination request received; stopping new connections");
@@ -1129,7 +1129,7 @@ static void listen_watcher_cb (EV_P_ ev_io *w, int revents)
hmac_components[2].length = sizeof(ws->session_start_time);
generate_hmac(sizeof(s->hmac_key), s->hmac_key, sizeof(hmac_components) / sizeof(hmac_components[0]), hmac_components, (uint8_t*) ws->sec_auth_init_hmac);
// Clear the HMAC key
safe_memset((uint8_t*)s->hmac_key, 0, sizeof(s->hmac_key));
@@ -1169,7 +1169,7 @@ fork_failed:
close(cmd_fd[0]);
} else { /* parent */
/* add_proc */
ctmp = new_proc(s, pid, cmd_fd[0],
ctmp = new_proc(s, pid, cmd_fd[0],
&ws->remote_addr, ws->remote_addr_len,
&ws->our_addr, ws->our_addr_len,
ws->sid, sizeof(ws->sid));
@@ -1247,7 +1247,7 @@ static void perform_maintenance(main_server_st *s)
mslog(s, NULL, LOG_DEBUG, "performing maintenance");
cleanup_banned_entries(s);
clear_old_configs(s->vconfig);
kill_children_auth_timeout(s);
list_for_each_rev(s->vconfig, vhost, list) {
@@ -1271,12 +1271,12 @@ static void latency_watcher_cb(EV_P_ ev_timer *w, int revents)
s->stats.delta_latency_stats.rms_total = 0;
s->stats.delta_latency_stats.sample_count = 0;
mslog(
s,
NULL,
LOG_DEBUG,
"Latency: Median Total %ld RMS Total %ld Sample Count %ld",
s->stats.current_latency_stats.median_total,
s->stats.current_latency_stats.rms_total,
s,
NULL,
LOG_DEBUG,
"Latency: Median Total %ld RMS Total %ld Sample Count %ld",
s->stats.current_latency_stats.median_total,
s->stats.current_latency_stats.rms_total,
s->stats.current_latency_stats.sample_count);
}
#endif
@@ -1460,12 +1460,12 @@ int main(int argc, char** argv)
// Start the configured number of ocserv-sm processes
s->sec_mod_instance_count = GETPCONFIG(s)->sec_mod_scale;
if (s->sec_mod_instance_count == 0) {
if (GETCONFIG(s)->max_clients != 0) {
// Compute ideal number of clients per sec-mod
unsigned int sec_mod_count_for_users = GETCONFIG(s)->max_clients / MINIMUM_USERS_PER_SEC_MOD + 1;
// Limit it to number of processors.
// Limit it to number of processors.
s->sec_mod_instance_count = MIN(processor_count,sec_mod_count_for_users);
} else {
// If it's unlimited, the use processor count.
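Review bot: the comment `// If it's unlimited, the use processor count.` at the end of this hunk should read "then use the processor count"; and since the neighbouring `// Limit it to number of processors.` line is being rewritten anyway, `MIN(processor_count,sec_mod_count_for_users)` could pick up the missing space after the comma.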
@@ -1605,7 +1605,7 @@ int main(int argc, char** argv)
/* Main server loop */
ev_run (main_loop, 0);
/* try to clean-up everything allocated to ease checks
/* try to clean-up everything allocated to ease checks
* for memory leaks.
*/
for (i = 0; i < s->sec_mod_instance_count; i ++) {

View File

@@ -103,7 +103,7 @@ typedef struct proc_st {
unsigned pid_killed; /* if explicitly disconnected */
time_t udp_fd_receive_time; /* when the corresponding process has received a UDP fd */
time_t conn_time; /* the time the user connected */
/* the tun lease this process has */
@@ -132,12 +132,12 @@ typedef struct proc_st {
/* whether the host-update script has already been called */
unsigned host_updated;
/* The DTLS session ID associated with the TLS session
/* The DTLS session ID associated with the TLS session
* it is either generated or restored from a cookie.
*/
uint8_t dtls_session_id[GNUTLS_MAX_SESSION_ID];
unsigned dtls_session_id_size; /* would act as a flag if session_id is set */
/* The following are set by the worker process (or by a stored cookie) */
char username[MAX_USERNAME_SIZE]; /* the owner */
char groupname[MAX_GROUPNAME_SIZE]; /* the owner's group */
@@ -168,7 +168,7 @@ typedef struct proc_st {
uint64_t bytes_in;
uint64_t bytes_out;
uint32_t discon_reason; /* filled on session close */
unsigned applied_iroutes; /* whether the iroutes in the config have been successfully applied */
/* The following we rely on talloc for deallocation */
@@ -253,7 +253,7 @@ typedef struct sec_mod_instance_st {
int sec_mod_fd; /* messages are sent and received async */
int sec_mod_fd_sync; /* messages are send in a sync order (ping-pong). Only main sends. */
/* updated on the cli_stats_msg from sec-mod.
/* updated on the cli_stats_msg from sec-mod.
* Holds the number of entries in secmod list of users */
unsigned secmod_client_entries;
unsigned tlsdb_entries;
@@ -309,7 +309,7 @@ typedef struct main_server_st {
#endif
struct if_address_st * if_addresses;
unsigned int if_addresses_count;
unsigned int if_addresses_count;
} main_server_st;
void clear_lists(main_server_st *s);
@@ -332,7 +332,7 @@ int session_close(sec_mod_instance_st * sec_mod_instance, struct proc_st *proc);
#else
void
void
__attribute__ ((format(printf, 4, 5)))
_mslog(const main_server_st * s, const struct proc_st* proc,
int priority, const char *fmt, ...);
@@ -397,7 +397,7 @@ inline static void disconnect_proc(main_server_st *s, proc_st *proc)
void put_into_cgroup(main_server_st * s, const char* cgroup, pid_t pid);
inline static
int send_msg_to_worker(main_server_st* s, struct proc_st* proc, uint8_t cmd,
int send_msg_to_worker(main_server_st* s, struct proc_st* proc, uint8_t cmd,
const void* msg, pack_size_func get_size, pack_func pack)
{
mslog(s, proc, LOG_DEBUG, "sending message '%s' to worker", cmd_request_to_str(cmd));
@@ -405,7 +405,7 @@ int send_msg_to_worker(main_server_st* s, struct proc_st* proc, uint8_t cmd,
}
inline static
int send_socket_msg_to_worker(main_server_st* s, struct proc_st* proc, uint8_t cmd,
int send_socket_msg_to_worker(main_server_st* s, struct proc_st* proc, uint8_t cmd,
int socketfd, const void* msg, pack_size_func get_size, pack_func pack)
{
mslog(s, proc, LOG_DEBUG, "sending (socket) message %u to worker", (unsigned)cmd);

View File

@@ -55,14 +55,14 @@ void entries_add(void *pool, const char* user, unsigned user_size, unsigned id)
max_entries_size += 128;
entries = talloc_realloc_size(pool, entries, sizeof(uid_entries_st)*max_entries_size);
}
entries[entries_size].user = talloc_strdup(pool, user);
entries[entries_size].user_size = user_size;
entries[entries_size].id_size =
entries[entries_size].id_size =
snprintf(entries[entries_size].id, sizeof(entries[entries_size].id), "%u", id);
entries_size++;
return;
}
@@ -79,7 +79,7 @@ unsigned i;
return strdup(entries[i].user);
}
}
return NULL;
}
@@ -97,6 +97,6 @@ unsigned i;
}
}
}
return NULL;
}

View File

@@ -53,11 +53,11 @@ void ip_entries_add(void *pool, const char* ip, unsigned ip_size)
max_ip_entries_size += 128;
ip_entries = talloc_realloc_size(pool, ip_entries, sizeof(ip_entries_st)*max_ip_entries_size);
}
strlcpy(ip_entries[ip_entries_size].ip, ip, sizeof(ip_entries[ip_entries_size].ip));
ip_entries[ip_entries_size].ip_size = ip_size;
ip_entries_size++;
return;
}
@@ -74,6 +74,6 @@ unsigned i;
return strdup(ip_entries[i].ip);
}
}
return NULL;
}

View File

@@ -276,7 +276,7 @@ static int handle_exit_cmd(CONN_TYPE * conn, const char *arg, cmd_params_st *par
exit(0);
}
/* checks whether an input command of type " list users" matches
/* checks whether an input command of type " list users" matches
* the given cmd (e.g., "list users"). If yes it executes func() and returns true.
*/
static

View File

@@ -35,7 +35,7 @@ static const char* get_pager(void)
pager = getenv("PAGER");
if (pager == NULL)
pager = OCCTL_PAGER;
return pager;
}
@@ -67,7 +67,7 @@ FILE* pager_start(cmd_params_st *params)
fprintf(stderr, "unable to start pager; check your $PAGER environment variable\n");
fp = stdout;
}
return fp;
}

View File

@@ -41,7 +41,7 @@ void print_time_ival7(char output[MAX_TMPSTR_SIZE], time_t t1, time_t t2)
snprintf(output, MAX_TMPSTR_SIZE, " ? ");
return;
}
if (t >= 48 * 60 * 60)
/* 2 days or more */
snprintf(output, MAX_TMPSTR_SIZE, _("%2ludays"), (long)t / (24 * 60 * 60));

View File

@@ -67,7 +67,7 @@ struct unix_ctx {
const char *socket_file;
};
static uint8_t msg_map[] = {
static uint8_t msg_map[] = {
[CTL_CMD_STATUS] = CTL_CMD_STATUS_REP,
[CTL_CMD_RELOAD] = CTL_CMD_RELOAD_REP,
[CTL_CMD_STOP] = CTL_CMD_STOP_REP,
@@ -184,7 +184,7 @@ int connect_to_ocserv (const char *socket_file)
ret = connect(sd, (struct sockaddr *)&sa, sizeof(sa));
if (ret == -1) {
e = errno;
fprintf(stderr, "error connecting to ocserv socket '%s': %s\n",
fprintf(stderr, "error connecting to ocserv socket '%s': %s\n",
sa.sun_path, strerror(e));
ret = -1;
goto error;
@@ -267,12 +267,12 @@ int handle_status_cmd(struct unix_ctx *ctx, const char *arg, cmd_params_st *para
time2human(median_latency, buf, sizeof(buf));
print_single_value(stdout, params, "Median latency", buf, 1);
if (HAVE_JSON(params))
if (HAVE_JSON(params))
print_single_value_int(stdout, params, "raw_median_latency", median_latency, 1);
time2human(stdev_latency, buf, sizeof(buf));
print_single_value(stdout, params, "STDEV latency", buf, 1);
if (HAVE_JSON(params))
if (HAVE_JSON(params))
print_single_value_int(stdout, params, "raw_stdev_latency", stdev_latency, 1);
}
@@ -358,7 +358,7 @@ int handle_reload_cmd(struct unix_ctx *ctx, const char *arg, cmd_params_st *para
BoolMsg *rep;
unsigned status;
PROTOBUF_ALLOCATOR(pa, ctx);
init_reply(&raw);
ret = send_cmd(ctx, CTL_CMD_RELOAD, NULL, NULL, NULL, &raw);
@@ -398,7 +398,7 @@ int handle_stop_cmd(struct unix_ctx *ctx, const char *arg, cmd_params_st *params
BoolMsg *rep;
unsigned status;
PROTOBUF_ALLOCATOR(pa, ctx);
init_reply(&raw);
ret = send_cmd(ctx, CTL_CMD_STOP, NULL, NULL, NULL, &raw);
@@ -446,7 +446,7 @@ int handle_unban_ip_cmd(struct unix_ctx *ctx, const char *arg, cmd_params_st *pa
check_cmd_help(rl_line_buffer);
return 1;
}
init_reply(&raw);
/* convert the IP to the simplest form */
@@ -468,8 +468,8 @@ int handle_unban_ip_cmd(struct unix_ctx *ctx, const char *arg, cmd_params_st *pa
return 1;
}
ret = send_cmd(ctx, CTL_CMD_UNBAN_IP, &req,
(pack_size_func)unban_req__get_packed_size,
ret = send_cmd(ctx, CTL_CMD_UNBAN_IP, &req,
(pack_size_func)unban_req__get_packed_size,
(pack_func)unban_req__pack, &raw);
if (ret < 0) {
goto error;
@@ -514,13 +514,13 @@ int handle_disconnect_user_cmd(struct unix_ctx *ctx, const char *arg, cmd_params
check_cmd_help(rl_line_buffer);
return 1;
}
init_reply(&raw);
req.username = (void*)arg;
ret = send_cmd(ctx, CTL_CMD_DISCONNECT_NAME, &req,
(pack_size_func)username_req__get_packed_size,
ret = send_cmd(ctx, CTL_CMD_DISCONNECT_NAME, &req,
(pack_size_func)username_req__get_packed_size,
(pack_func)username_req__pack, &raw);
if (ret < 0) {
goto error;
@@ -569,13 +569,13 @@ int handle_disconnect_id_cmd(struct unix_ctx *ctx, const char *arg, cmd_params_s
check_cmd_help(rl_line_buffer);
return 1;
}
init_reply(&raw);
req.id = id;
ret = send_cmd(ctx, CTL_CMD_DISCONNECT_ID, &req,
(pack_size_func)id_req__get_packed_size,
ret = send_cmd(ctx, CTL_CMD_DISCONNECT_ID, &req,
(pack_size_func)id_req__get_packed_size,
(pack_func)id_req__pack, &raw);
if (ret < 0) {
goto error;
@@ -1340,7 +1340,7 @@ int session_info_cmd(void *ctx, SecmListCookiesReplyMsg * args, FILE *out,
print_single_value_int(out, params, "in_use", args->cookies[i]->in_use, 1);
} else {
/* old names for compatibility */
print_pair_value(out, params, "In use", args->cookies[i]->in_use?"True":"False",
print_pair_value(out, params, "In use", args->cookies[i]->in_use?"True":"False",
"Activated", args->cookies[i]->session_is_open?"True":"False", 1);
print_single_value(out, params, "Certificate auth", args->cookies[i]->tls_auth_ok?"True":"False", 1);
}
@@ -1394,8 +1394,8 @@ int handle_show_user_cmd(struct unix_ctx *ctx, const char *arg, cmd_params_st *p
req.username = (void*)arg;
ret = send_cmd(ctx, CTL_CMD_USER_INFO, &req,
(pack_size_func)username_req__get_packed_size,
ret = send_cmd(ctx, CTL_CMD_USER_INFO, &req,
(pack_size_func)username_req__get_packed_size,
(pack_func)username_req__pack, &raw);
if (ret < 0) {
goto error;
@@ -1448,7 +1448,7 @@ int handle_events_cmd(struct unix_ctx *ctx, const char *arg, cmd_params_st *para
init_reply(&raw);
ret = send_cmd(ctx, CTL_CMD_TOP, NULL, 0, 0, &raw);
ret = send_cmd(ctx, CTL_CMD_TOP, NULL, 0, 0, &raw);
if (ret < 0) {
goto error;
}
@@ -1628,8 +1628,8 @@ int handle_show_id_cmd(struct unix_ctx *ctx, const char *arg, cmd_params_st *par
req.id = id;
ret = send_cmd(ctx, CTL_CMD_ID_INFO, &req,
(pack_size_func)id_req__get_packed_size,
ret = send_cmd(ctx, CTL_CMD_ID_INFO, &req,
(pack_size_func)id_req__get_packed_size,
(pack_func)id_req__pack, &raw);
if (ret < 0) {
goto error;

View File

@@ -121,7 +121,7 @@ crypt_int(const char *fpasswd, const char *username, const char *groupname,
fd = fopen(fpasswd, "r");
if (fd == NULL) {
fprintf(fd2, "%s:%s:%s\n", username, groupname, cr_passwd);
fprintf(fd2, "%s:%s:%s\n", username, groupname, cr_passwd);
} else {
int found = 0;
while ((len = getline(&line, &line_size, fd)) > 0) {
@@ -538,4 +538,3 @@ int main(int argc, char **argv)
gnutls_global_deinit();
return 0;
}

View File

@@ -317,4 +317,3 @@ struct proc_st *proc_search_sid(struct main_server_st *s,
return htable_get(s->proc_table.db_sid, hash_any(sid, SID_SIZE, 0), sid_cmp, &fsid);
}

View File

@@ -80,8 +80,8 @@ int ret, status = 0;
}
static
int replace_cmd(struct main_server_st* s, proc_st *proc,
char **cmd, const char* pattern,
int replace_cmd(struct main_server_st* s, proc_st *proc,
char **cmd, const char* pattern,
const char* route, const char* dev)
{
str_st str;
@@ -156,7 +156,7 @@ int route_del(struct main_server_st* s, proc_st *proc, const char* route, const
return route_adddel(s, proc, GETCONFIG(s)->route_del_cmd, route, dev);
}
/* Executes the commands required to apply all the configured routes
/* Executes the commands required to apply all the configured routes
* for this client locally.
*/
int apply_iroutes(struct main_server_st* s, struct proc_st *proc)
@@ -182,7 +182,7 @@ fail:
return -1;
}
/* Executes the commands required to removed all the configured routes
/* Executes the commands required to removed all the configured routes
* for this client.
*/
void remove_iroutes(struct main_server_st* s, struct proc_st *proc)
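Review bot: the comment above `remove_iroutes` still reads "Executes the commands required to removed all the configured routes"; since this hunk rewrites exactly that line to drop its trailing space, fix the typo in the same stroke: "required to remove all the configured routes".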
@@ -199,4 +199,3 @@ unsigned i;
return;
}


@@ -36,7 +36,7 @@ struct script_wait_st *stmp;
stmp = talloc(s, struct script_wait_st);
if (stmp == NULL)
return;
stmp->proc = proc;
stmp->pid = pid;


@@ -31,7 +31,7 @@ static void send_empty_reply(void *pool, int fd, sec_mod_st *sec)
{
SecmListCookiesReplyMsg msg = SECM_LIST_COOKIES_REPLY_MSG__INIT;
int ret;
ret = send_msg(pool, fd, CMD_SECM_LIST_COOKIES_REPLY, &msg,
(pack_size_func) secm_list_cookies_reply_msg__get_packed_size,
(pack_func) secm_list_cookies_reply_msg__pack);
@@ -119,4 +119,3 @@ void handle_secm_list_cookies_reply(void *pool, int fd, sec_mod_st *sec)
talloc_free(msg.cookies);
talloc_free(cookies);
}


@@ -27,7 +27,7 @@ int handle_resume_delete_req(sec_mod_st* sec,
const SessionResumeFetchMsg * req);
int handle_resume_fetch_req(sec_mod_st* sec,
const SessionResumeFetchMsg * req,
const SessionResumeFetchMsg * req,
SessionResumeReplyMsg* rep);
int handle_resume_store_req(sec_mod_st* sec,


@@ -46,4 +46,3 @@ void sup_config_init(sec_mod_st *sec)
}
}
}


@@ -660,7 +660,7 @@ static void check_other_work(sec_mod_st *sec)
cleanup_client_entries(sec);
expire_tls_sessions(sec);
send_stats_to_main(sec);
seclog(sec, LOG_DEBUG, "active sessions %d",
seclog(sec, LOG_DEBUG, "active sessions %d",
sec_mod_client_db_elems(sec));
alarm(MAINTAINANCE_TIME);
need_maintainance = 0;
@@ -712,7 +712,7 @@ int serve_request_main(sec_mod_st *sec, int fd, uint8_t *buffer, unsigned buffer
if (ret < 0) {
seclog(sec, LOG_ERR, "error processing data for '%s' command (%d)", cmd_request_to_str(cmd), ret);
}
leave:
return ret;
}
@@ -754,7 +754,7 @@ int serve_request_worker(sec_mod_st *sec, int cfd, pid_t pid, uint8_t *buffer, u
if (ret < 0) {
seclog(sec, LOG_DEBUG, "error processing '%s' command (%d)", cmd_request_to_str(cmd), ret);
}
leave:
return ret;
}
@@ -866,7 +866,7 @@ static int load_keys(sec_mod_st *sec, unsigned force)
*
* This is the main part of the security module.
* It creates the unix domain socket identified by @socket_file
* and then accepts connections from the workers to it. Then
* and then accepts connections from the workers to it. Then
* it serves commands requested on the server's private key.
*
* When the operation is decrypt the provided data are
@@ -884,7 +884,7 @@ static int load_keys(sec_mod_st *sec, unsigned force)
* from main, and thus should be prevented from accessing
* parts the key in stack or heap that was not zeroized.
* Other than that it allows the main server to spawn
* clients fast without becoming a bottleneck due to private
* clients fast without becoming a bottleneck due to private
* key operations.
*/
void sec_mod_server(void *main_pool, void *config_pool, struct list_head *vconfig,
@@ -1076,7 +1076,7 @@ void sec_mod_server(void *main_pool, void *config_pool, struct list_head *vconfi
exit(1);
}
}
if (FD_ISSET(sd, &rd_set)) {
sa_len = sizeof(sa);
cfd = accept(sd, (struct sockaddr *)&sa, &sa_len);


@@ -108,11 +108,11 @@ int str_append_data(str_st * dest, const void *data, size_t data_size)
ret = str_append_size(dest, data_size+1);
if (ret < 0)
return ret;
memcpy(&dest->data[dest->length], data, data_size);
dest->length = data_size + dest->length;
dest->data[dest->length] = 0;
return 0;
}
@@ -231,4 +231,3 @@ int str_replace_str(str_st *str, const str_rep_tab *tab)
return 0;
}


@@ -340,7 +340,7 @@ void *oidc_get_brackets_string(void * pool, struct perm_cfg_st *config, const ch
char * additional = NULL;
unsigned vals_size, i;
vals_size = expand_brackets_string(pool, str, vals);
for (i = 0; i < vals_size; i ++) {
@@ -348,6 +348,6 @@ void *oidc_get_brackets_string(void * pool, struct perm_cfg_st *config, const ch
additional = talloc_strdup(pool, vals[i].value);
}
}
return additional;
}


@@ -254,7 +254,7 @@ int parse_group_cfg_file(struct cfg_st *global_config,
ret = 0;
fail:
return ret;
}


@@ -41,7 +41,7 @@
# error
#endif
typedef struct
typedef struct
{
struct htable *ht;
unsigned int entries;


@@ -41,4 +41,3 @@ unsigned valid_hostname(const char *host)
}
return 1;
}


@@ -73,7 +73,7 @@ typedef struct vhost_cfg_st {
/* macros to retrieve the default vhost configuration; they
* are non-null as there is always a configured host. */
#ifdef __clang_analyzer__
#ifdef __clang_analyzer__
static volatile void *v = 0xffffffff;
static inline vhost_cfg_st *default_vhost(void * s) __attribute__((returns_nonnull));
@@ -83,7 +83,7 @@ static inline vhost_cfg_st *default_vhost(void * s)
}
static inline struct vhost_cfg_st *GETVHOST(void *s) __attribute__((returns_nonnull));
static inline struct vhost_cfg_st *GETVHOST(void *s)
static inline struct vhost_cfg_st *GETVHOST(void *s)
{
return v;
}
@@ -122,7 +122,7 @@ inline static vhost_cfg_st *find_vhost(struct list_head *vconfig, const char *na
vhost_cfg_st *vhost = NULL;
if (name == NULL)
return default_vhost(vconfig);
list_for_each(vconfig, vhost, list) {
if (vhost->name != NULL && c_strcasecmp(vhost->name, name) == 0)
return vhost;


@@ -303,12 +303,12 @@ struct cfg_st {
unsigned use_occtl; /* whether support for the occtl tool will be enabled */
unsigned try_mtu; /* MTU discovery enabled */
unsigned cisco_client_compat; /* do not require client certificate,
unsigned cisco_client_compat; /* do not require client certificate,
* and allow auth to complete in different
* TCP sessions. */
unsigned rate_limit_ms; /* if non zero force a connection every rate_limit milliseconds if ocserv-sm is heavily loaded */
unsigned ping_leases; /* non zero if we need to ping prior to leasing */
unsigned server_drain_ms; /* how long to wait after we stop accepting new connections before closing old connections */
unsigned server_drain_ms; /* how long to wait after we stop accepting new connections before closing old connections */
size_t rx_per_sec;
size_t tx_per_sec;
@@ -345,7 +345,7 @@ struct cfg_st {
bool gssapi_no_local_user_map;
/* known iroutes - only sent to the users who are not registering them
/* known iroutes - only sent to the users who are not registering them
*/
char **known_iroutes;
size_t known_iroutes_size;


@@ -1003,7 +1003,7 @@ int post_common_handler(worker_st * ws, unsigned http_ver, const char *imsg)
if (WSCONFIG(ws)->xml_config_file) {
success_msg_foot = talloc_asprintf(ws, OC_SUCCESS_MSG_FOOT_PROFILE,
WSCONFIG(ws)->xml_config_file, WSCONFIG(ws)->xml_config_hash);
}
}
#endif
if (success_msg_foot == NULL) {
@@ -1095,13 +1095,13 @@ int post_common_handler(worker_st * ws, unsigned http_ver, const char *imsg)
if (ret < 0)
goto fail;
ret =
ret =
add_owasp_headers(ws);
if (ret < 0)
goto fail;
#ifdef ANYCONNECT_CLIENT_COMPAT
#ifdef ANYCONNECT_CLIENT_COMPAT
if (WSCONFIG(ws)->xml_config_file) {
ret =
cstp_printf(ws,
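Review bot: the `ret =` line this hunk strips trailing space from is left as an assignment split across two lines (`ret =` / `add_owasp_headers(ws);`), which looks like a formatting leftover rather than intent; while the line is being touched, joining it into `ret = add_owasp_headers(ws);` would be in the spirit of the cleanup.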
@@ -1699,7 +1699,7 @@ int post_auth_handler(worker_st * ws, unsigned http_ver)
}
if (ret == ERR_AUTH_CONTINUE) {
oclog(ws, LOG_DEBUG, "continuing authentication for '%s'",
ws->username);
ws->auth_state = S_AUTH_REQ;
@@ -1753,4 +1753,3 @@ int post_auth_handler(worker_st * ws, unsigned http_ver)
talloc_free(msg);
return ret;
}


@@ -46,16 +46,15 @@ size_t transferred_kb;
b->allowed_kb = MIN(t, b->kb_per_sec);
b->transferred_bytes = bytes;
return 1;
}
sum = b->transferred_bytes + bytes;
if (sum > b->allowed_kb*1000)
return 0; /* NO */
b->transferred_bytes = sum;
return 1;
}


@@ -223,7 +223,7 @@ int get_config_handler(worker_st *ws, unsigned http_ver)
int ret;
struct stat st;
oclog(ws, LOG_HTTP_DEBUG, "requested config: %s", ws->req.url);
oclog(ws, LOG_HTTP_DEBUG, "requested config: %s", ws->req.url);
cookie_authenticate_or_exit(ws);
@@ -232,7 +232,7 @@ int get_config_handler(worker_st *ws, unsigned http_ver)
response_404(ws, http_ver);
return -1;
}
ret = stat(ws->user_config->xml_config_file, &st);
if (ret == -1) {
oclog(ws, LOG_INFO, "cannot load config file '%s'", ws->user_config->xml_config_file);
@@ -259,7 +259,7 @@ int get_config_handler(worker_st *ws, unsigned http_ver)
int get_string_handler(worker_st *ws, unsigned http_ver)
{
oclog(ws, LOG_HTTP_DEBUG, "requested fixed string: %s", ws->req.url);
oclog(ws, LOG_HTTP_DEBUG, "requested fixed string: %s", ws->req.url);
if (!strcmp(ws->req.url, "/1/binaries/update.txt")) {
return send_data(ws, http_ver, "text/xml", VPN_VERSION,
sizeof(VPN_VERSION) - 1);
@@ -274,7 +274,7 @@ int get_string_handler(worker_st *ws, unsigned http_ver)
int get_dl_handler(worker_st *ws, unsigned http_ver)
{
oclog(ws, LOG_HTTP_DEBUG, "requested downloader: %s", ws->req.url);
oclog(ws, LOG_HTTP_DEBUG, "requested downloader: %s", ws->req.url);
return send_data(ws, http_ver, "application/x-shellscript", SH_SCRIPT,
sizeof(SH_SCRIPT) - 1);
}
@@ -288,4 +288,3 @@ int get_empty_handler(worker_st *ws, unsigned http_ver)
}
#endif


@@ -30,7 +30,7 @@
#ifdef HAVE_GSSAPI
int der_decode(const uint8_t *der, unsigned der_size, uint8_t *out, unsigned *out_size,
int der_decode(const uint8_t *der, unsigned der_size, uint8_t *out, unsigned *out_size,
char *realm, unsigned realm_size, int *error)
{
int ret, len;
@@ -67,9 +67,9 @@ int der_decode(const uint8_t *der, unsigned der_size, uint8_t *out, unsigned *ou
ret = 0;
cleanup:
asn1_delete_structure(&c2);
asn1_delete_structure(&c2);
return ret;
}
int der_encode_inplace(uint8_t *raw, unsigned *raw_size, unsigned max_size, int *error)
@@ -105,9 +105,9 @@ int der_encode_inplace(uint8_t *raw, unsigned *raw_size, unsigned max_size, int
ret = 0;
cleanup:
asn1_delete_structure(&c2);
asn1_delete_structure(&c2);
return ret;
}
/* max UDP size */


@@ -79,7 +79,7 @@ ssize_t dtls_pull_latency(gnutls_transport_ptr_t ptr, void *data, size_t size)
void send_latency_stats_delta_to_main(worker_st * ws, time_t now)
{
LatencyStatsDelta msg = LATENCY_STATS_DELTA__INIT;
if (ws->latency.sample_set_count == 0) {
return;
}
@@ -87,7 +87,7 @@ void send_latency_stats_delta_to_main(worker_st * ws, time_t now)
msg.median_delta = ws->latency.median_total;
msg.rms_delta = ws->latency.rms_total;
msg.sample_count_delta = ws->latency.sample_set_count;
ws->latency.median_total = 0;
ws->latency.rms_total = 0;
ws->latency.sample_set_count = 0;


@@ -180,7 +180,7 @@ int handle_commands_from_main(struct worker_st *ws)
}
/* Completes the VPN device information.
*
*
* Returns 0 on success.
*/
int complete_vpn_info(worker_st * ws, struct vpn_st *vinfo)


@@ -208,7 +208,7 @@ int disable_system_calls(struct worker_st *ws)
break;
}
}
#endif
#endif
/* this we need to get the MTU from
* the TUN device */
@@ -228,7 +228,7 @@ int disable_system_calls(struct worker_st *ws)
ret = -1;
goto fail;
}
ret = 0;
fail:


@@ -95,12 +95,12 @@ static void parse_ssl_tlvs(struct worker_st *ws, uint8_t *data, size_t data_size
memcpy(&tssl, data, sizeof(pp2_tlv_ssl));
if ((tssl.client & PP2_CLIENT_SSL) &&
if ((tssl.client & PP2_CLIENT_SSL) &&
(tssl.client & PP2_CLIENT_CERT_SESS) &&
(tssl.verify == 0)) {
oclog(ws, LOG_INFO, "proxy-hdr: user has presented valid certificate");
ws->cert_auth_ok = 1;
}
} else if (tlv.type == PP2_TYPE_SSL_CN && ws->cert_auth_ok) {
if (tlv.length > sizeof(ws->cert_username)-1) {


@@ -46,7 +46,7 @@ static int recv_resume_fetch_reply(worker_st *ws, int sd, gnutls_datum_t *sdata)
SessionResumeReplyMsg *resp;
PROTOBUF_ALLOCATOR(pa, ws);
ret = recv_msg(ws, sd, RESUME_FETCH_REP, (void*)&resp,
ret = recv_msg(ws, sd, RESUME_FETCH_REP, (void*)&resp,
(unpack_func)session_resume_reply_msg__unpack, DEFAULT_SOCKET_TIMEOUT);
if (ret < 0) {
oclog(ws, LOG_ERR, "error receiving resumption reply (fetch)");
@@ -57,7 +57,7 @@ static int recv_resume_fetch_reply(worker_st *ws, int sd, gnutls_datum_t *sdata)
ret = -1;
goto cleanup;
}
sdata->data = gnutls_malloc(resp->session_data.len);
if (sdata->data == NULL) {
ret = -1;
@@ -70,7 +70,7 @@ static int recv_resume_fetch_reply(worker_st *ws, int sd, gnutls_datum_t *sdata)
ret = 0;
cleanup:
session_resume_reply_msg__free_unpacked(resp, &pa);
return ret;
}


@@ -1652,7 +1652,7 @@ static int tun_mainloop(struct worker_st *ws, struct timespec *tnow)
cstp_type = AC_PKT_COMPRESSED;
}
}
#endif
#endif
/* only transmit if allowed */
if (bandwidth_update(&ws->b_tx, dtls_to_send.size, tnow)
@@ -2624,9 +2624,9 @@ static int test_for_tcp_health_probe(struct worker_st *ws)
ret = recv(ws->conn_fd, buffer, sizeof(buffer), MSG_PEEK);
// If we get back an error, assume this was a tcp health probe
if (ret > 0)
if (ret > 0)
return 0;
else
else
return 1;
}
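Review bot: the comment above the `MSG_PEEK` check, "If we get back an error, assume this was a tcp health probe", understates the condition it guards: `if (ret > 0) return 0; else return 1;` also classifies `ret == 0` (the peer closed without sending anything) as a probe. Since the hunk already rewrites the `if`/`else` lines, reword the comment to "on error or EOF" so it matches what the code does.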
@@ -2743,7 +2743,7 @@ static void term_sig_watcher_cb(struct ev_loop *loop, ev_signal *w, int revents)
static void invoke_dtls_if_needed(struct dtls_st * dtls)
{
if ((dtls->udp_state > UP_WAIT_FD) &&
if ((dtls->udp_state > UP_WAIT_FD) &&
(dtls->dtls_session != NULL) &&
(gnutls_record_check_pending(dtls->dtls_session))) {
ev_invoke(worker_loop, &dtls->io, EV_READ);
@@ -2789,7 +2789,7 @@ static int worker_event_loop(struct worker_st * ws)
ocsignal(SIGTERM, SIG_DFL);
ocsignal(SIGINT, SIG_DFL);
ocsignal(SIGALRM, SIG_DFL);
ev_init(&alarm_sig_watcher, term_sig_watcher_cb);
ev_signal_set (&alarm_sig_watcher, SIGALRM);
ev_signal_start (worker_loop, &alarm_sig_watcher);
@@ -2801,7 +2801,7 @@ static int worker_event_loop(struct worker_st * ws)
ev_init (&term_sig_watcher, term_sig_watcher_cb);
ev_signal_set (&term_sig_watcher, SIGTERM);
ev_signal_start (worker_loop, &term_sig_watcher);
ev_set_userdata (worker_loop, ws);
ev_set_syserr_cb(syserr_cb);


@@ -154,7 +154,7 @@ struct http_req_st {
unsigned int message_complete;
unsigned link_mtu;
unsigned tunnel_mtu;
unsigned no_ipv4;
unsigned no_ipv6;
@@ -199,7 +199,7 @@ typedef struct worker_st {
int cmd_fd;
int conn_fd;
sock_type_t conn_type; /* AF_UNIX or something else */
http_parser *parser;
struct list_head *vconfig;
@@ -267,7 +267,7 @@ typedef struct worker_st {
unsigned dtls_crypto_overhead; /* estimated overhead of DTLS ciphersuite + DTLS CSTP HEADER */
unsigned dtls_proto_overhead; /* UDP + IP header size */
/* Indicates whether the new IPv6 headers will
* be sent or the old */
unsigned full_ipv6;
@@ -309,7 +309,7 @@ typedef struct worker_st {
/* information on the tun device addresses and network */
struct vpn_st vinfo;
unsigned default_route;
void *main_pool; /* to be used only on deinitialization */
#if defined(CAPTURE_LATENCY_SUPPORT)
@@ -411,7 +411,7 @@ int send_msg_to_secmod(worker_st * ws, int sd, uint8_t cmd,
}
inline static
int send_msg_to_main(worker_st *ws, uint8_t cmd,
int send_msg_to_main(worker_st *ws, uint8_t cmd,
const void* msg, pack_size_func get_size, pack_func pack)
{
oclog(ws, LOG_DEBUG, "sending message '%s' to main", cmd_request_to_str(cmd));
@@ -424,7 +424,7 @@ void cookie_authenticate_or_exit(worker_st *ws);
int add_owasp_headers(worker_st * ws);
/* after that time (secs) of inactivity in the UDP part, connection switches to
/* after that time (secs) of inactivity in the UDP part, connection switches to
* TCP (if activity occurs there).
*/
#define UDP_SWITCH_TIME 15


@@ -172,7 +172,7 @@ check_PROGRAMS = str-test str-test2 ipv4-prefix ipv6-prefix kkdcp-parsing json-e
port-parsing human_addr valid-hostname url-escape html-escape cstp-recv \
proxyproto-v1
gen_oidc_test_data_CPPFLAGS = $(AM_CPPFLAGS)
gen_oidc_test_data_CPPFLAGS = $(AM_CPPFLAGS)
gen_oidc_test_data_SOURCES = generate_oidc_test_data.c
gen_oidc_test_data_LDADD = $(LDADD) $(CJOSE_LIBS) $(JANSSON_LIBS)


@@ -28,4 +28,3 @@ ${PKG_CONFIG} --atleast-version=8.02 openconnect
test $? != 0 && exit 77
. cipher-common.sh


@@ -30,4 +30,3 @@ ${PKG_CONFIG} --atleast-version=8.03 openconnect
test $? != 0 && exit 77
. cipher-common.sh


@@ -24,4 +24,3 @@ CIPHER_NAME="AES128-SHA"
GNUTLS_NAME="(DTLS0.9)-(RSA)-(AES-128-CBC)-(SHA1)"
. cipher-common.sh


@@ -24,4 +24,3 @@ CIPHER_NAME="AES256-SHA"
GNUTLS_NAME="(DTLS0.9)-(RSA)-(AES-256-CBC)-(SHA1)"
. cipher-common.sh


@@ -138,7 +138,7 @@ int main()
exit(1);
}
/* check expiration of entries */
/* check expiration of entries */
sleep(GETCONFIG(s)->min_reauth_time+1);
if (check_if_banned_str(s, "192.168.1.1") != 0) {


@@ -6,12 +6,12 @@ curve: Ed25519
private key:
e9:d6:68:ea:ca:c3:59:45:a9:38:ff:bb:5f:b7:15:a1
a9:a5:81:d0:96:58:bc:5a:6d:b9:b5:48:ac:7f:a3:c9
x:
31:55:5d:6c:d7:8c:d9:64:b9:cd:02:68:85:63:6f:a2
51:fe:fb:b9:4f:73:43:5b:42:2c:66:e7:77:fc:75:aa
Public Key PIN:
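Review bot: this file is a certtool-style dump of an Ed25519 test key (the hex `private key:` and `x:` fields and the `Public Key PIN:` label), so the lines losing trailing spaces are the human-readable preamble, not the key encoding itself. If the file also carries the key in PEM form below this preamble, confirm the base64 body is untouched, for example by checking that `certtool -k --infile <this file>` still prints the same key and PIN; the same check applies to the RSA dump (`exp1:` / `exp2:`) in the next hunk.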


@@ -85,7 +85,7 @@ exp1:
48:d0:23:5d:ab:22:07:26:02:f0:10:9d:2b:89:2d:eb
68:47:6f:9c:59:ff:1d:c3:5d:a4:de:51:1c:45:81:8c
de:41:a9:e0:9a:80:46:c6:cb:22:d5:14:c6:ac:e6:51
exp2:
00:8e:26:ce:43:cc:b0:20:ee:1d:ef:de:76:e0:c7:35


@@ -269,4 +269,4 @@ GETPORT='
done
'
trap "fail \"Failed to launch the server, aborting test... \"" 10
trap "fail \"Failed to launch the server, aborting test... \"" 10
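Review bot: `trap "fail ..." 10` names the signal by number; only the trailing space changes here, but signal 10 is not the same signal on every platform (SIGUSR1 on Linux x86, SIGBUS on BSD-derived systems), so writing `trap ... USR1` (or whichever signal the test harness actually raises) would make the intent explicit and portable.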


@@ -3,5 +3,3 @@
<config-auth client="vpn" type="init">
<version who="vpn">v5.01</version>
</config-auth>
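Review bot: this hunk removes the two blank lines at the end of an XML test fixture (`@@ -3,5 +3,3 @@`), which changes the file's bytes; if any test compares this file, or a response built from it, by digest or byte-for-byte, the expected value has to be regenerated in the same commit. Worth running the test suite on this commit rather than assuming whitespace-only means behaviour-neutral for fixtures.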


@@ -104,7 +104,7 @@ int main(int argc, char **argv)
child = fork();
assert(child >= 0);
if (child) {
close(sockets[1]);
receiver(sockets[0]);


@@ -1,6 +1,6 @@
# User authentication method. Could be set multiple times and in that case
# all should succeed.
# Options: certificate, pam.
# Options: certificate, pam.
#auth = "certificate"
auth = "plain[@SRCDIR@/data/test1.passwd]"
#auth = "pam"
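Review bot: the comment `# Options: certificate, pam.` that loses its trailing space here is stale: the value actually in use is `auth = "plain[@SRCDIR@/data/test1.passwd]"`, which the list does not mention. Since the line is being rewritten anyway, list the plain method (or point at the ocserv.conf manual) so the test config does not mislead; the same comment appears in the other test configs touched by this commit.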
@@ -19,7 +19,7 @@ use-dbus = no
#max-clients = 1024
max-clients = 16
# Limit the number of client connections to one every X milliseconds
# Limit the number of client connections to one every X milliseconds
# (X is the provided value). Set to zero for no limit.
#rate-limit-ms = 100
@@ -41,7 +41,7 @@ dpd = 20
try-mtu-discovery = false
# The key and the certificates of the server
# The key may be a file, or any URL supported by GnuTLS (e.g.,
# The key may be a file, or any URL supported by GnuTLS (e.g.,
# tpmkey:uuid=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx;storage=user
# or pkcs11:object=my-vpn-key;object-type=private)
#
@@ -78,14 +78,14 @@ server-key = @SRCDIR@/certs/server-key.pem
# The object identifier that will be used to read the user ID in the client certificate.
# The object identifier should be part of the certificate's DN
# Useful OIDs are:
# Useful OIDs are:
# CN = 2.5.4.3, UID = 0.9.2342.19200300.100.1.1
#cert-user-oid = 0.9.2342.19200300.100.1.1
# The object identifier that will be used to read the user group in the client
# The object identifier that will be used to read the user group in the client
# certificate. The object identifier should be part of the certificate's DN
# Useful OIDs are:
# OU (organizational unit) = 2.5.4.11
# Useful OIDs are:
# OU (organizational unit) = 2.5.4.11
#cert-group-oid = 2.5.4.11
# A revocation list of ca-cert is set
@@ -105,7 +105,7 @@ auth-timeout = 40
# before being disconnected. Unset to disable.
#idle-timeout = 5
# The time (in seconds) that a client is not allowed to reconnect after
# The time (in seconds) that a client is not allowed to reconnect after
# a failed authentication attempt.
#min-reauth-time = 2
@@ -117,7 +117,7 @@ cookie-validity = 172800
# Script to call when a client connects and obtains an IP
# Parameters are passed on the environment.
# REASON, USERNAME, GROUPNAME, HOSTNAME (the hostname selected by client),
# REASON, USERNAME, GROUPNAME, HOSTNAME (the hostname selected by client),
# DEVICE, IP_REAL (the real IP of the client), IP_LOCAL (the local IP
# in the P-t-P connection), IP_REMOTE (the VPN IP of the client). REASON
# may be "connect" or "disconnect".
@@ -159,27 +159,27 @@ ipv4-network = @VPNNET@
#ipv4-nbns = 192.168.2.3
ipv6-network = fd69:7016:8d15:b5a5::/64
#ipv6-mask =
#ipv6-dns =
#ipv6-mask =
#ipv6-dns =
# Prior to leasing any IP from the pool ping it to verify that
# it is not in use by another (unrelated to this server) host.
ping-leases = false
# Leave empty to assign the default MTU of the device
# mtu =
# mtu =
#route = 192.168.1.0/255.255.255.0
#route = 192.168.5.0/255.255.255.0
#
# The following options are for (experimental) AnyConnect client
# compatibility. They are only available if the server is built
# The following options are for (experimental) AnyConnect client
# compatibility. They are only available if the server is built
# with --enable-anyconnect
#
# Client profile xml. A sample file exists in doc/profile.xml.
# This file must be accessible from inside the worker's chroot.
# This file must be accessible from inside the worker's chroot.
# The profile is ignored by the openconnect client.
#user-profile = profile.xml
@@ -188,4 +188,3 @@ ping-leases = false
# cookie. Legacy CISCO clients do not do that, and thus this option
# should be set for them.
#always-require-cert = false


@@ -1,6 +1,6 @@
# User authentication method. Could be set multiple times and in that case
# all should succeed.
# Options: certificate, pam.
# Options: certificate, pam.
#auth = "certificate[optional]"
auth = "plain[@SRCDIR@/data/test1.passwd]"
#auth = "pam"
@@ -18,7 +18,7 @@ max-ban-score = 0
#max-clients = 1024
max-clients = 16
# Limit the number of client connections to one every X milliseconds
# Limit the number of client connections to one every X milliseconds
# (X is the provided value). Set to zero for no limit.
#rate-limit-ms = 100
@@ -40,7 +40,7 @@ dpd = 440
try-mtu-discovery = false
# The key and the certificates of the server
# The key may be a file, or any URL supported by GnuTLS (e.g.,
# The key may be a file, or any URL supported by GnuTLS (e.g.,
# tpmkey:uuid=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx;storage=user
# or pkcs11:object=my-vpn-key;object-type=private)
#
@@ -77,14 +77,14 @@ server-key = @SRCDIR@/certs/server-key.pem
# The object identifier that will be used to read the user ID in the client certificate.
# The object identifier should be part of the certificate's DN
# Useful OIDs are:
# Useful OIDs are:
# CN = 2.5.4.3, UID = 0.9.2342.19200300.100.1.1
cert-user-oid = 0.9.2342.19200300.100.1.1
# The object identifier that will be used to read the user group in the client
# The object identifier that will be used to read the user group in the client
# certificate. The object identifier should be part of the certificate's DN
# Useful OIDs are:
# OU (organizational unit) = 2.5.4.11
# Useful OIDs are:
# OU (organizational unit) = 2.5.4.11
#cert-group-oid = 2.5.4.11
# A revocation list of ca-cert is set
@@ -100,13 +100,13 @@ tls-priorities = "PERFORMANCE:%SERVER_PRECEDENCE:%COMPAT"
# to authentication
auth-timeout = 40
# The time (in seconds) that a client is not allowed to reconnect after
# The time (in seconds) that a client is not allowed to reconnect after
# a failed authentication attempt.
#min-reauth-time = 2
# Script to call when a client connects and obtains an IP
# Parameters are passed on the environment.
# REASON, USERNAME, GROUPNAME, HOSTNAME (the hostname selected by client),
# REASON, USERNAME, GROUPNAME, HOSTNAME (the hostname selected by client),
# DEVICE, IP_REAL (the real IP of the client), IP_LOCAL (the local IP
# in the P-t-P connection), IP_REMOTE (the VPN IP of the client). REASON
# may be "connect" or "disconnect".
@@ -151,19 +151,19 @@ ipv4-dns = 192.168.1.1
ping-leases = false
# Leave empty to assign the default MTU of the device
# mtu =
# mtu =
route = @ROUTE1@
#route = 192.168.5.0/255.255.255.0
#
# The following options are for (experimental) AnyConnect client
# compatibility. They are only available if the server is built
# The following options are for (experimental) AnyConnect client
# compatibility. They are only available if the server is built
# with --enable-anyconnect
#
# Client profile xml. A sample file exists in doc/profile.xml.
# This file must be accessible from inside the worker's chroot.
# This file must be accessible from inside the worker's chroot.
# The profile is ignored by the openconnect client.
#user-profile = profile.xml


@@ -1,6 +1,6 @@
# User authentication method. Could be set multiple times and in that case
# all should succeed.
# Options: certificate, pam.
# Options: certificate, pam.
#auth = "certificate"
auth = "plain[@SRCDIR@/data/test1.passwd]"
#auth = "pam"
@@ -23,7 +23,7 @@ max-clients = 16
listen-proxy-proto = true
# Limit the number of client connections to one every X milliseconds
# Limit the number of client connections to one every X milliseconds
# (X is the provided value). Set to zero for no limit.
#rate-limit-ms = 100
@@ -45,7 +45,7 @@ dpd = 240
try-mtu-discovery = false
# The key and the certificates of the server
# The key may be a file, or any URL supported by GnuTLS (e.g.,
# The key may be a file, or any URL supported by GnuTLS (e.g.,
# tpmkey:uuid=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx;storage=user
# or pkcs11:object=my-vpn-key;object-type=private)
#
@@ -82,14 +82,14 @@ server-key = @SRCDIR@/certs/server-key.pem
# The object identifier that will be used to read the user ID in the client certificate.
# The object identifier should be part of the certificate's DN
# Useful OIDs are:
# Useful OIDs are:
# CN = 2.5.4.3, UID = 0.9.2342.19200300.100.1.1
#cert-user-oid = 0.9.2342.19200300.100.1.1
# The object identifier that will be used to read the user group in the client
# The object identifier that will be used to read the user group in the client
# certificate. The object identifier should be part of the certificate's DN
# Useful OIDs are:
# OU (organizational unit) = 2.5.4.11
# Useful OIDs are:
# OU (organizational unit) = 2.5.4.11
#cert-group-oid = 2.5.4.11
# A revocation list of ca-cert is set
@@ -105,7 +105,7 @@ tls-priorities = "PERFORMANCE:%SERVER_PRECEDENCE:%COMPAT"
# to authentication
auth-timeout = 40
# The time (in seconds) that a client is not allowed to reconnect after
# The time (in seconds) that a client is not allowed to reconnect after
# a failed authentication attempt.
#min-reauth-time = 2
@@ -117,7 +117,7 @@ cookie-validity = 172800
# Script to call when a client connects and obtains an IP
# Parameters are passed on the environment.
# REASON, USERNAME, GROUPNAME, HOSTNAME (the hostname selected by client),
# REASON, USERNAME, GROUPNAME, HOSTNAME (the hostname selected by client),
# DEVICE, IP_REAL (the real IP of the client), IP_LOCAL (the local IP
# in the P-t-P connection), IP_REMOTE (the VPN IP of the client). REASON
# may be "connect" or "disconnect".
@@ -157,28 +157,28 @@ ipv4-dns = 192.168.1.1
# The NBNS server (if any)
#ipv4-nbns = 192.168.2.3
#ipv6-address =
#ipv6-mask =
#ipv6-dns =
#ipv6-address =
#ipv6-mask =
#ipv6-dns =
# Prior to leasing any IP from the pool ping it to verify that
# it is not in use by another (unrelated to this server) host.
ping-leases = false
# Leave empty to assign the default MTU of the device
# mtu =
# mtu =
route = 192.168.1.0/255.255.255.0
#route = 192.168.5.0/255.255.255.0
#
# The following options are for (experimental) AnyConnect client
# compatibility. They are only available if the server is built
# The following options are for (experimental) AnyConnect client
# compatibility. They are only available if the server is built
# with --enable-anyconnect
#
# Client profile xml. A sample file exists in doc/profile.xml.
# This file must be accessible from inside the worker's chroot.
# This file must be accessible from inside the worker's chroot.
# The profile is ignored by the openconnect client.
#user-profile = profile.xml
@@ -187,4 +187,3 @@ route = 192.168.1.0/255.255.255.0
# cookie. Legacy CISCO clients do not do that, and thus this option
# should be set for them.
#always-require-cert = false


@@ -1,6 +1,6 @@
# User authentication method. Could be set multiple times and in that case
# all should succeed.
# Options: certificate, pam.
# Options: certificate, pam.
#auth = "certificate"
auth = "plain[@SRCDIR@/data/test1.passwd]"
#auth = "pam"
@@ -23,7 +23,7 @@ max-clients = 16
listen-proxy-proto = true
# Limit the number of client connections to one every X milliseconds
# Limit the number of client connections to one every X milliseconds
# (X is the provided value). Set to zero for no limit.
#rate-limit-ms = 100
@@ -45,7 +45,7 @@ dpd = 240
try-mtu-discovery = false
# The key and the certificates of the server
# The key may be a file, or any URL supported by GnuTLS (e.g.,
# The key may be a file, or any URL supported by GnuTLS (e.g.,
# tpmkey:uuid=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx;storage=user
# or pkcs11:object=my-vpn-key;object-type=private)
#
@@ -82,14 +82,14 @@ server-key = @SRCDIR@/certs/server-key.pem
# The object identifier that will be used to read the user ID in the client certificate.
# The object identifier should be part of the certificate's DN
# Useful OIDs are:
# Useful OIDs are:
# CN = 2.5.4.3, UID = 0.9.2342.19200300.100.1.1
#cert-user-oid = 0.9.2342.19200300.100.1.1
# The object identifier that will be used to read the user group in the client
# The object identifier that will be used to read the user group in the client
# certificate. The object identifier should be part of the certificate's DN
# Useful OIDs are:
# OU (organizational unit) = 2.5.4.11
# Useful OIDs are:
# OU (organizational unit) = 2.5.4.11
#cert-group-oid = 2.5.4.11
# A revocation list of ca-cert is set
@@ -105,7 +105,7 @@ tls-priorities = "PERFORMANCE:%SERVER_PRECEDENCE:%COMPAT"
# to authentication
auth-timeout = 40
# The time (in seconds) that a client is not allowed to reconnect after
# The time (in seconds) that a client is not allowed to reconnect after
# a failed authentication attempt.
#min-reauth-time = 2
@@ -117,7 +117,7 @@ cookie-validity = 172800
# Script to call when a client connects and obtains an IP
# Parameters are passed on the environment.
# REASON, USERNAME, GROUPNAME, HOSTNAME (the hostname selected by client),
# REASON, USERNAME, GROUPNAME, HOSTNAME (the hostname selected by client),
# DEVICE, IP_REAL (the real IP of the client), IP_LOCAL (the local IP
# in the P-t-P connection), IP_REMOTE (the VPN IP of the client). REASON
# may be "connect" or "disconnect".
@@ -157,28 +157,28 @@ ipv4-dns = 192.168.1.1
# The NBNS server (if any)
#ipv4-nbns = 192.168.2.3
#ipv6-address =
#ipv6-mask =
#ipv6-dns =
#ipv6-address =
#ipv6-mask =
#ipv6-dns =
# Prior to leasing any IP from the pool ping it to verify that
# it is not in use by another (unrelated to this server) host.
ping-leases = false
# Leave empty to assign the default MTU of the device
# mtu =
# mtu =
route = 192.168.1.0/255.255.255.0
#route = 192.168.5.0/255.255.255.0
#
# The following options are for (experimental) AnyConnect client
# compatibility. They are only available if the server is built
# The following options are for (experimental) AnyConnect client
# compatibility. They are only available if the server is built
# with --enable-anyconnect
#
# Client profile xml. A sample file exists in doc/profile.xml.
# This file must be accessible from inside the worker's chroot.
# This file must be accessible from inside the worker's chroot.
# The profile is ignored by the openconnect client.
#user-profile = profile.xml
@@ -187,4 +187,3 @@ route = 192.168.1.0/255.255.255.0
# cookie. Legacy CISCO clients do not do that, and thus this option
# should be set for them.
#always-require-cert = false


@@ -1,6 +1,6 @@
# User authentication method. Could be set multiple times and in that case
# all should succeed.
# Options: certificate, pam.
# Options: certificate, pam.
#auth = "certificate"
auth = "plain[@SRCDIR@/data/test1.passwd]"
#auth = "pam"
@@ -21,7 +21,7 @@ use-dbus = no
#max-clients = 1024
max-clients = 16
# Limit the number of client connections to one every X milliseconds
# Limit the number of client connections to one every X milliseconds
# (X is the provided value). Set to zero for no limit.
#rate-limit-ms = 100
@@ -43,7 +43,7 @@ dpd = 440
try-mtu-discovery = false
# The key and the certificates of the server
# The key may be a file, or any URL supported by GnuTLS (e.g.,
# The key may be a file, or any URL supported by GnuTLS (e.g.,
# tpmkey:uuid=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx;storage=user
# or pkcs11:object=my-vpn-key;object-type=private)
#
@@ -80,14 +80,14 @@ server-key = @SRCDIR@/certs/server-key.pem
# The object identifier that will be used to read the user ID in the client certificate.
# The object identifier should be part of the certificate's DN
# Useful OIDs are:
# Useful OIDs are:
# CN = 2.5.4.3, UID = 0.9.2342.19200300.100.1.1
#cert-user-oid = 0.9.2342.19200300.100.1.1
# The object identifier that will be used to read the user group in the client
# The object identifier that will be used to read the user group in the client
# certificate. The object identifier should be part of the certificate's DN
# Useful OIDs are:
# OU (organizational unit) = 2.5.4.11
# Useful OIDs are:
# OU (organizational unit) = 2.5.4.11
#cert-group-oid = 2.5.4.11
# A revocation list of ca-cert is set
@@ -103,13 +103,13 @@ tls-priorities = "PERFORMANCE:%SERVER_PRECEDENCE:%COMPAT"
# to authentication
auth-timeout = 40
# The time (in seconds) that a client is not allowed to reconnect after
# The time (in seconds) that a client is not allowed to reconnect after
# a failed authentication attempt.
#min-reauth-time = 2
# Script to call when a client connects and obtains an IP
# Parameters are passed on the environment.
# REASON, USERNAME, GROUPNAME, HOSTNAME (the hostname selected by client),
# REASON, USERNAME, GROUPNAME, HOSTNAME (the hostname selected by client),
# DEVICE, IP_REAL (the real IP of the client), IP_LOCAL (the local IP
# in the P-t-P connection), IP_REMOTE (the VPN IP of the client). REASON
# may be "connect" or "disconnect".
@@ -145,16 +145,16 @@ ipv6-network = @VPNNET6@
ping-leases = false
# Leave empty to assign the default MTU of the device
# mtu =
# mtu =
#
# The following options are for (experimental) AnyConnect client
# compatibility. They are only available if the server is built
# The following options are for (experimental) AnyConnect client
# compatibility. They are only available if the server is built
# with --enable-anyconnect
#
# Client profile xml. A sample file exists in doc/profile.xml.
# This file must be accessible from inside the worker's chroot.
# This file must be accessible from inside the worker's chroot.
# The profile is ignored by the openconnect client.
#user-profile = profile.xml
@@ -163,4 +163,3 @@ ping-leases = false
# cookie. Legacy CISCO clients do not do that, and thus this option
# should be set for them.
#always-require-cert = false

View File

@@ -12,4 +12,3 @@
key_stash_file = /var/kerberos/krb5kdc/k5.KERBEROS.TEST
supported_enctypes = aes256-cts:normal aes128-cts:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal
}
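Review bot: the context line `supported_enctypes = aes256-cts:normal aes128-cts:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal` keeps the RC4-based `arcfour-hmac` enctype enabled next to AES and Camellia. This is the KERBEROS.TEST realm used by the test suite and the hunk only drops the trailing blank line, so nothing to change here, but unless a test explicitly exercises RC4 a follow-up should remove `arcfour-hmac:normal` so the test KDC does not advertise a deprecated enctype.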

View File

@@ -1,6 +1,6 @@
# User authentication method. Could be set multiple times and in that case
# all should succeed.
# Options: certificate, pam.
# Options: certificate, pam.
#auth = "certificate"
#auth = "plain[/etc/ocserv/passwd]"
auth = "pam"
@@ -31,7 +31,7 @@ isolate-workers = @ISOLATE_WORKERS@
stats-report-time = 30
# Use listen-host to limit to specific IPs or to the IPs of a provided
# Use listen-host to limit to specific IPs or to the IPs of a provided
# hostname.
#listen-host = @ADDRESS@
@@ -39,11 +39,11 @@ stats-report-time = 30
#max-clients = 1024
max-clients = 16
# Limit the number of client connections to one every X milliseconds
# Limit the number of client connections to one every X milliseconds
# (X is the provided value). Set to zero for no limit.
#rate-limit-ms = 100
# Limit the number of identical clients (i.e., users connecting
# Limit the number of identical clients (i.e., users connecting
# multiple times). Unset or set to zero for unlimited.
max-same-clients = 2
@@ -58,7 +58,7 @@ keepalive = 32400
dpd = 240
# Dead peer detection for mobile clients. The needs to
# be much higher to prevent such clients being awaken too
# be much higher to prevent such clients being awaken too
# often by the DPD messages, and save battery.
# (clients that send the X-AnyConnect-Identifier-DeviceType)
mobile-dpd = 1800
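Review bot: the rewritten comment line `# be much higher to prevent such clients being awaken too` and its preceding context line `# Dead peer detection for mobile clients. The needs to` carry two grammar errors from the original (`The needs to` should read `This needs to`, and `being awaken` should be `being awakened`). Because this commit is strictly trailing-whitespace removal they should stay as they are, but the identical comment appears in the other test configs in this series (the hunks starting at `dpd = 240`), so one follow-up commit could fix all copies together.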
@@ -67,7 +67,7 @@ mobile-dpd = 1800
try-mtu-discovery = false
# The key and the certificates of the server
# The key may be a file, or any URL supported by GnuTLS (e.g.,
# The key may be a file, or any URL supported by GnuTLS (e.g.,
# tpmkey:uuid=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx;storage=user
# or pkcs11:object=my-vpn-key;object-type=private)
#
@@ -92,7 +92,7 @@ server-key = @SRCDIR@/certs/server-key.pem
#ocsp-response = /path/to/ocsp.der
# In case PKCS #11 or TPM keys are used the PINs should be available
# in files. The srk-pin-file is applicable to TPM keys only, and is the
# in files. The srk-pin-file is applicable to TPM keys only, and is the
# storage root key.
#pin-file = /path/to/pin.txt
#srk-pin-file = /path/to/srkpin.txt
@@ -102,16 +102,16 @@ server-key = @SRCDIR@/certs/server-key.pem
# is set.
ca-cert = @SRCDIR/certs/ca.pem
# The object identifier that will be used to read the user ID in the client
# The object identifier that will be used to read the user ID in the client
# certificate. The object identifier should be part of the certificate's DN
# Useful OIDs are:
# Useful OIDs are:
# CN = 2.5.4.3, UID = 0.9.2342.19200300.100.1.1
#cert-user-oid = 0.9.2342.19200300.100.1.1
# The object identifier that will be used to read the user group in the
# The object identifier that will be used to read the user group in the
# client certificate. The object identifier should be part of the certificate's
# DN. Useful OIDs are:
# OU (organizational unit) = 2.5.4.11
# DN. Useful OIDs are:
# OU (organizational unit) = 2.5.4.11
#cert-group-oid = 2.5.4.11
# The revocation list of the certificates issued by the 'ca-cert' above.
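Review bot: the context line `ca-cert = @SRCDIR/certs/ca.pem` is missing the closing `@` of the `@SRCDIR@` substitution marker that every other path in this file uses (compare `server-key = @SRCDIR@/certs/server-key.pem` in the hunk header), so the placeholder is never expanded and the CA path is literally `@SRCDIR/certs/ca.pem`. That is a pre-existing bug rather than something introduced by the whitespace cleanup, but it deserves its own fix to `ca-cert = @SRCDIR@/certs/ca.pem` after this lands.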
@@ -135,7 +135,7 @@ auth-timeout = 40
# traffic) before being disconnected. Unset to disable.
#mobile-idle-timeout = 2400
# The time (in seconds) that a client is not allowed to reconnect after
# The time (in seconds) that a client is not allowed to reconnect after
# a failed authentication attempt.
#min-reauth-time = 2
@@ -155,7 +155,7 @@ rekey-method = ssl
# Script to call when a client connects and obtains an IP
# Parameters are passed on the environment.
# REASON, USERNAME, GROUPNAME, HOSTNAME (the hostname selected by client),
# REASON, USERNAME, GROUPNAME, HOSTNAME (the hostname selected by client),
# DEVICE, IP_REAL (the real IP of the client), IP_LOCAL (the local IP
# in the P-t-P connection), IP_REMOTE (the VPN IP of the client),
# ID (a unique numeric ID); REASON may be "connect" or "disconnect".
@@ -227,7 +227,7 @@ ipv6-network = @VPNNET6@
ping-leases = false
# Unset to assign the default MTU of the device
# mtu =
# mtu =
# Unset to enable bandwidth restrictions (in bytes/sec). The
# setting here is global, but can also be set per user or per group.
@@ -240,7 +240,7 @@ ping-leases = false
#output-buffer = 10
# Routes to be forwarded to the client. If you need the
# client to forward routes to the server, you may use the
# client to forward routes to the server, you may use the
# config-per-user/group or even connect and disconnect scripts.
#
# To set the server as the default gateway for the client just
@@ -273,11 +273,11 @@ route = fc13:71:ea31:4b4e::/64
#route-del-cmd = "ip route delete %R dev %D"
#
# The following options are for (experimental) AnyConnect client
# compatibility.
# The following options are for (experimental) AnyConnect client
# compatibility.
# Client profile xml. A sample file exists in doc/profile.xml.
# This file must be accessible from inside the worker's chroot.
# This file must be accessible from inside the worker's chroot.
# It is not used by the openconnect client.
#user-profile = profile.xml
@@ -288,7 +288,7 @@ route = fc13:71:ea31:4b4e::/64
# Unless set to false it is required for clients to present their
# certificate even if they are authenticating via a previously granted
# cookie and complete their authentication in the same TCP connection.
# Legacy CISCO clients do not do that, and thus this option should be
# Legacy CISCO clients do not do that, and thus this option should be
# set for them.
#cisco-client-compat = false
@@ -301,6 +301,5 @@ route = fc13:71:ea31:4b4e::/64
# This option allows you to specify a URL location where a client can
# post using MS-KKDCP, and the message will be forwarded to the provided
# KDC server. That is a translation URL between HTTP and Kerberos.
# This option is available if ocserv is compiled with GSSAPI support.
# This option is available if ocserv is compiled with GSSAPI support.
kkdcp = /kerberos KERBEROS.TEST tcp@@ADDRESS@:88

View File

@@ -1,6 +1,6 @@
# User authentication method. Could be set multiple times and in that case
# all should succeed.
# Options: certificate, pam.
# Options: certificate, pam.
auth = "certificate"
#auth = "plain[./data/test1.passwd]"
#auth = "pam"
@@ -19,7 +19,7 @@ use-dbus = no
#max-clients = 1024
max-clients = 16
# Limit the number of client connections to one every X milliseconds
# Limit the number of client connections to one every X milliseconds
# (X is the provided value). Set to zero for no limit.
#rate-limit-ms = 100
@@ -41,7 +41,7 @@ dpd = 440
try-mtu-discovery = false
# The key and the certificates of the server
# The key may be a file, or any URL supported by GnuTLS (e.g.,
# The key may be a file, or any URL supported by GnuTLS (e.g.,
# tpmkey:uuid=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx;storage=user
# or pkcs11:object=my-vpn-key;object-type=private)
#
@@ -78,14 +78,14 @@ ca-cert = ./certs/ca.pem
# The object identifier that will be used to read the user ID in the client certificate.
# The object identifier should be part of the certificate's DN
# Useful OIDs are:
# Useful OIDs are:
# CN = 2.5.4.3, UID = 0.9.2342.19200300.100.1.1
cert-user-oid = 0.9.2342.19200300.100.1.1
# The object identifier that will be used to read the user group in the client
# The object identifier that will be used to read the user group in the client
# certificate. The object identifier should be part of the certificate's DN
# Useful OIDs are:
# OU (organizational unit) = 2.5.4.11
# Useful OIDs are:
# OU (organizational unit) = 2.5.4.11
#cert-group-oid = 2.5.4.11
# A revocation list of ca-cert is set
@@ -101,7 +101,7 @@ tls-priorities = "PERFORMANCE:%SERVER_PRECEDENCE:%COMPAT"
# to authentication
auth-timeout = 40
# The time (in seconds) that a client is not allowed to reconnect after
# The time (in seconds) that a client is not allowed to reconnect after
# a failed authentication attempt.
#min-reauth-time = 2
@@ -113,7 +113,7 @@ cookie-validity = 172800
# Script to call when a client connects and obtains an IP
# Parameters are passed on the environment.
# REASON, USERNAME, GROUPNAME, HOSTNAME (the hostname selected by client),
# REASON, USERNAME, GROUPNAME, HOSTNAME (the hostname selected by client),
# DEVICE, IP_REAL (the real IP of the client), IP_LOCAL (the local IP
# in the P-t-P connection), IP_REMOTE (the VPN IP of the client). REASON
# may be "connect" or "disconnect".
@@ -153,16 +153,16 @@ ipv4-dns = 192.168.5.1
# The NBNS server (if any)
#ipv4-nbns = 192.168.2.3
#ipv6-address =
#ipv6-mask =
#ipv6-dns =
#ipv6-address =
#ipv6-mask =
#ipv6-dns =
# Prior to leasing any IP from the pool ping it to verify that
# it is not in use by another (unrelated to this server) host.
ping-leases = false
# Leave empty to assign the default MTU of the device
# mtu =
# mtu =
no-route = 192.168.98.0/255.255.255.0
route = 10.10.0.0/24

View File

@@ -1,6 +1,6 @@
# User authentication method. Could be set multiple times and in that case
# all should succeed.
# Options: certificate, pam.
# Options: certificate, pam.
auth = "certificate"
#auth = "plain[@SRCDIR@/data/test-group.passwd]"
#auth = "pam"
@@ -19,7 +19,7 @@ use-dbus = no
#max-clients = 1024
max-clients = 16
# Limit the number of client connections to one every X milliseconds
# Limit the number of client connections to one every X milliseconds
# (X is the provided value). Set to zero for no limit.
#rate-limit-ms = 100
@@ -41,7 +41,7 @@ dpd = 440
try-mtu-discovery = false
# The key and the certificates of the server
# The key may be a file, or any URL supported by GnuTLS (e.g.,
# The key may be a file, or any URL supported by GnuTLS (e.g.,
# tpmkey:uuid=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx;storage=user
# or pkcs11:object=my-vpn-key;object-type=private)
#
@@ -90,14 +90,14 @@ ca-cert = @SRCDIR@/certs/ca.pem
# The object identifier that will be used to read the user ID in the client certificate.
# The object identifier should be part of the certificate's DN
# Useful OIDs are:
# Useful OIDs are:
# CN = 2.5.4.3, UID = 0.9.2342.19200300.100.1.1
cert-user-oid = 0.9.2342.19200300.100.1.1
# The object identifier that will be used to read the user group in the client
# The object identifier that will be used to read the user group in the client
# certificate. The object identifier should be part of the certificate's DN
# Useful OIDs are:
# OU (organizational unit) = 2.5.4.11
# Useful OIDs are:
# OU (organizational unit) = 2.5.4.11
#cert-group-oid = 2.5.4.11
# A revocation list of ca-cert is set
@@ -113,13 +113,13 @@ tls-priorities = "PERFORMANCE:%SERVER_PRECEDENCE:%COMPAT"
# to authentication
auth-timeout = 40
# The time (in seconds) that a client is not allowed to reconnect after
# The time (in seconds) that a client is not allowed to reconnect after
# a failed authentication attempt.
#min-reauth-time = 2
# Script to call when a client connects and obtains an IP
# Parameters are passed on the environment.
# REASON, USERNAME, GROUPNAME, HOSTNAME (the hostname selected by client),
# REASON, USERNAME, GROUPNAME, HOSTNAME (the hostname selected by client),
# DEVICE, IP_REAL (the real IP of the client), IP_LOCAL (the local IP
# in the P-t-P connection), IP_REMOTE (the VPN IP of the client). REASON
# may be "connect" or "disconnect".
@@ -159,28 +159,28 @@ ipv4-dns = 192.168.1.1
# The NBNS server (if any)
#ipv4-nbns = 192.168.2.3
#ipv6-address =
#ipv6-mask =
#ipv6-dns =
#ipv6-address =
#ipv6-mask =
#ipv6-dns =
# Prior to leasing any IP from the pool ping it to verify that
# it is not in use by another (unrelated to this server) host.
ping-leases = false
# Leave empty to assign the default MTU of the device
# mtu =
# mtu =
no-route = 192.168.98.0/255.255.255.0
route = default
#
# The following options are for (experimental) AnyConnect client
# compatibility. They are only available if the server is built
# The following options are for (experimental) AnyConnect client
# compatibility. They are only available if the server is built
# with --enable-anyconnect
#
# Client profile xml. A sample file exists in doc/profile.xml.
# This file must be accessible from inside the worker's chroot.
# This file must be accessible from inside the worker's chroot.
# The profile is ignored by the openconnect client.
#user-profile = profile.xml
@@ -189,4 +189,3 @@ route = default
# cookie. Legacy CISCO clients do not do that, and thus this option
# should be set for them.
#always-require-cert = false

View File

@@ -1,6 +1,6 @@
# User authentication method. Could be set multiple times and in that case
# all should succeed.
# Options: certificate, pam.
# Options: certificate, pam.
#auth = "certificate"
auth = "plain[@SRCDIR@/data/test-group.passwd]"
#auth = "pam"
@@ -19,7 +19,7 @@ use-dbus = no
#max-clients = 1024
max-clients = 16
# Limit the number of client connections to one every X milliseconds
# Limit the number of client connections to one every X milliseconds
# (X is the provided value). Set to zero for no limit.
#rate-limit-ms = 100
@@ -41,7 +41,7 @@ dpd = 440
try-mtu-discovery = false
# The key and the certificates of the server
# The key may be a file, or any URL supported by GnuTLS (e.g.,
# The key may be a file, or any URL supported by GnuTLS (e.g.,
# tpmkey:uuid=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx;storage=user
# or pkcs11:object=my-vpn-key;object-type=private)
#
@@ -90,14 +90,14 @@ ca-cert = @SRCDIR@/certs/ca.pem
# The object identifier that will be used to read the user ID in the client certificate.
# The object identifier should be part of the certificate's DN
# Useful OIDs are:
# Useful OIDs are:
# CN = 2.5.4.3, UID = 0.9.2342.19200300.100.1.1
cert-user-oid = 0.9.2342.19200300.100.1.1
# The object identifier that will be used to read the user group in the client
# The object identifier that will be used to read the user group in the client
# certificate. The object identifier should be part of the certificate's DN
# Useful OIDs are:
# OU (organizational unit) = 2.5.4.11
# Useful OIDs are:
# OU (organizational unit) = 2.5.4.11
#cert-group-oid = 2.5.4.11
# A revocation list of ca-cert is set
@@ -113,13 +113,13 @@ tls-priorities = "PERFORMANCE:%SERVER_PRECEDENCE:%COMPAT"
# to authentication
auth-timeout = 40
# The time (in seconds) that a client is not allowed to reconnect after
# The time (in seconds) that a client is not allowed to reconnect after
# a failed authentication attempt.
#min-reauth-time = 2
# Script to call when a client connects and obtains an IP
# Parameters are passed on the environment.
# REASON, USERNAME, GROUPNAME, HOSTNAME (the hostname selected by client),
# REASON, USERNAME, GROUPNAME, HOSTNAME (the hostname selected by client),
# DEVICE, IP_REAL (the real IP of the client), IP_LOCAL (the local IP
# in the P-t-P connection), IP_REMOTE (the VPN IP of the client). REASON
# may be "connect" or "disconnect".
@@ -159,27 +159,27 @@ ipv4-dns = 192.168.1.1
# The NBNS server (if any)
#ipv4-nbns = 192.168.2.3
#ipv6-address =
#ipv6-mask =
#ipv6-dns =
#ipv6-address =
#ipv6-mask =
#ipv6-dns =
# Prior to leasing any IP from the pool ping it to verify that
# it is not in use by another (unrelated to this server) host.
ping-leases = false
# Leave empty to assign the default MTU of the device
# mtu =
# mtu =
route = default
#
# The following options are for (experimental) AnyConnect client
# compatibility. They are only available if the server is built
# The following options are for (experimental) AnyConnect client
# compatibility. They are only available if the server is built
# with --enable-anyconnect
#
# Client profile xml. A sample file exists in doc/profile.xml.
# This file must be accessible from inside the worker's chroot.
# This file must be accessible from inside the worker's chroot.
# The profile is ignored by the openconnect client.
#user-profile = profile.xml

View File

@@ -1,6 +1,6 @@
# User authentication method. Could be set multiple times and in that case
# all should succeed.
# Options: certificate, pam.
# Options: certificate, pam.
#auth = "certificate"
auth = "plain[@SRCDIR@/data/test1.passwd]"
#auth = "pam"
@@ -23,7 +23,7 @@ use-dbus = no
#max-clients = 1024
max-clients = 16
# Limit the number of client connections to one every X milliseconds
# Limit the number of client connections to one every X milliseconds
# (X is the provided value). Set to zero for no limit.
#rate-limit-ms = 100
@@ -45,7 +45,7 @@ dpd = 440
try-mtu-discovery = false
# The key and the certificates of the server
# The key may be a file, or any URL supported by GnuTLS (e.g.,
# The key may be a file, or any URL supported by GnuTLS (e.g.,
# tpmkey:uuid=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx;storage=user
# or pkcs11:object=my-vpn-key;object-type=private)
#
@@ -82,14 +82,14 @@ server-key = @SRCDIR@/certs/server-key.pem
# The object identifier that will be used to read the user ID in the client certificate.
# The object identifier should be part of the certificate's DN
# Useful OIDs are:
# Useful OIDs are:
# CN = 2.5.4.3, UID = 0.9.2342.19200300.100.1.1
#cert-user-oid = 0.9.2342.19200300.100.1.1
# The object identifier that will be used to read the user group in the client
# The object identifier that will be used to read the user group in the client
# certificate. The object identifier should be part of the certificate's DN
# Useful OIDs are:
# OU (organizational unit) = 2.5.4.11
# Useful OIDs are:
# OU (organizational unit) = 2.5.4.11
#cert-group-oid = 2.5.4.11
# A revocation list of ca-cert is set
@@ -105,13 +105,13 @@ tls-priorities = "PERFORMANCE:%SERVER_PRECEDENCE:%COMPAT"
# to authentication
auth-timeout = 40
# The time (in seconds) that a client is not allowed to reconnect after
# The time (in seconds) that a client is not allowed to reconnect after
# a failed authentication attempt.
#min-reauth-time = 2
# Script to call when a client connects and obtains an IP
# Parameters are passed on the environment.
# REASON, USERNAME, GROUPNAME, HOSTNAME (the hostname selected by client),
# REASON, USERNAME, GROUPNAME, HOSTNAME (the hostname selected by client),
# DEVICE, IP_REAL (the real IP of the client), IP_LOCAL (the local IP
# in the P-t-P connection), IP_REMOTE (the VPN IP of the client). REASON
# may be "connect" or "disconnect".
@@ -145,28 +145,28 @@ ipv4-dns = 192.168.1.1
# The NBNS server (if any)
#ipv4-nbns = 192.168.2.3
#ipv6-address =
#ipv6-mask =
#ipv6-dns =
#ipv6-address =
#ipv6-mask =
#ipv6-dns =
# Prior to leasing any IP from the pool ping it to verify that
# it is not in use by another (unrelated to this server) host.
ping-leases = true
# Leave empty to assign the default MTU of the device
# mtu =
# mtu =
route = 192.168.1.0/255.255.255.0
#route = 192.168.5.0/255.255.255.0
#
# The following options are for (experimental) AnyConnect client
# compatibility. They are only available if the server is built
# The following options are for (experimental) AnyConnect client
# compatibility. They are only available if the server is built
# with --enable-anyconnect
#
# Client profile xml. A sample file exists in doc/profile.xml.
# This file must be accessible from inside the worker's chroot.
# This file must be accessible from inside the worker's chroot.
# The profile is ignored by the openconnect client.
#user-profile = profile.xml
@@ -175,4 +175,3 @@ route = 192.168.1.0/255.255.255.0
# cookie. Legacy CISCO clients do not do that, and thus this option
# should be set for them.
#always-require-cert = false

View File

@@ -1029,7 +1029,7 @@ authorize {
# attributes in the request, and turning them into attributes
# which are more standard.
#
# It takes care of processing the 'raddb/mods-config/preprocess/hints'
# It takes care of processing the 'raddb/mods-config/preprocess/hints'
# and the 'raddb/mods-config/preprocess/huntgroups' files.
#preprocess

View File

@@ -1,6 +1,6 @@
# User authentication method. Could be set multiple times and in that case
# all should succeed.
# Options: certificate, pam.
# Options: certificate, pam.
#auth = "certificate"
#auth = "plain[/etc/ocserv/passwd]"
#auth = "pam"
@@ -36,7 +36,7 @@ acct = "radius[config=@SRCDIR@/data/radiusclient/radiusclient.conf]"
stats-report-time = 30
# Use listen-host to limit to specific IPs or to the IPs of a provided
# Use listen-host to limit to specific IPs or to the IPs of a provided
# hostname.
#listen-host = @ADDRESS@
@@ -44,11 +44,11 @@ stats-report-time = 30
#max-clients = 1024
max-clients = 16
# Limit the number of client connections to one every X milliseconds
# Limit the number of client connections to one every X milliseconds
# (X is the provided value). Set to zero for no limit.
#rate-limit-ms = 100
# Limit the number of identical clients (i.e., users connecting
# Limit the number of identical clients (i.e., users connecting
# multiple times). Unset or set to zero for unlimited.
max-same-clients = 2
@@ -63,7 +63,7 @@ keepalive = 32400
dpd = 240
# Dead peer detection for mobile clients. The needs to
# be much higher to prevent such clients being awaken too
# be much higher to prevent such clients being awaken too
# often by the DPD messages, and save battery.
# (clients that send the X-AnyConnect-Identifier-DeviceType)
mobile-dpd = 1800
@@ -72,7 +72,7 @@ mobile-dpd = 1800
try-mtu-discovery = false
# The key and the certificates of the server
# The key may be a file, or any URL supported by GnuTLS (e.g.,
# The key may be a file, or any URL supported by GnuTLS (e.g.,
# tpmkey:uuid=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx;storage=user
# or pkcs11:object=my-vpn-key;object-type=private)
#
@@ -97,7 +97,7 @@ server-key = @SRCDIR@/certs/server-key.pem
#ocsp-response = /path/to/ocsp.der
# In case PKCS #11 or TPM keys are used the PINs should be available
# in files. The srk-pin-file is applicable to TPM keys only, and is the
# in files. The srk-pin-file is applicable to TPM keys only, and is the
# storage root key.
#pin-file = /path/to/pin.txt
#srk-pin-file = /path/to/srkpin.txt
@@ -107,16 +107,16 @@ server-key = @SRCDIR@/certs/server-key.pem
# is set.
ca-cert = /etc/ocserv/ca.pem
# The object identifier that will be used to read the user ID in the client
# The object identifier that will be used to read the user ID in the client
# certificate. The object identifier should be part of the certificate's DN
# Useful OIDs are:
# Useful OIDs are:
# CN = 2.5.4.3, UID = 0.9.2342.19200300.100.1.1
cert-user-oid = 0.9.2342.19200300.100.1.1
# The object identifier that will be used to read the user group in the
# The object identifier that will be used to read the user group in the
# client certificate. The object identifier should be part of the certificate's
# DN. Useful OIDs are:
# OU (organizational unit) = 2.5.4.11
# DN. Useful OIDs are:
# OU (organizational unit) = 2.5.4.11
cert-group-oid = 2.5.4.11
# The revocation list of the certificates issued by the 'ca-cert' above.
@@ -140,7 +140,7 @@ auth-timeout = 40
# traffic) before being disconnected. Unset to disable.
#mobile-idle-timeout = 2400
# The time (in seconds) that a client is not allowed to reconnect after
# The time (in seconds) that a client is not allowed to reconnect after
# a failed authentication attempt.
#min-reauth-time = 2
@@ -160,7 +160,7 @@ rekey-method = ssl
# Script to call when a client connects and obtains an IP
# Parameters are passed on the environment.
# REASON, USERNAME, GROUPNAME, HOSTNAME (the hostname selected by client),
# REASON, USERNAME, GROUPNAME, HOSTNAME (the hostname selected by client),
# DEVICE, IP_REAL (the real IP of the client), IP_LOCAL (the local IP
# in the P-t-P connection), IP_REMOTE (the VPN IP of the client),
# ID (a unique numeric ID); REASON may be "connect" or "disconnect".
@@ -232,7 +232,7 @@ ipv6-network = @VPNNET6@
ping-leases = false
# Unset to assign the default MTU of the device
# mtu =
# mtu =
# Unset to enable bandwidth restrictions (in bytes/sec). The
# setting here is global, but can also be set per user or per group.
@@ -245,7 +245,7 @@ ping-leases = false
#output-buffer = 10
# Routes to be forwarded to the client. If you need the
# client to forward routes to the server, you may use the
# client to forward routes to the server, you may use the
# config-per-user/group or even connect and disconnect scripts.
#
# To set the server as the default gateway for the client just
@@ -278,11 +278,11 @@ route = fc13:71:ea31:4b4e::/64
#route-del-cmd = "ip route delete %R dev %D"
#
# The following options are for (experimental) AnyConnect client
# compatibility.
# The following options are for (experimental) AnyConnect client
# compatibility.
# Client profile xml. A sample file exists in doc/profile.xml.
# This file must be accessible from inside the worker's chroot.
# This file must be accessible from inside the worker's chroot.
# It is not used by the openconnect client.
#user-profile = profile.xml
@@ -293,7 +293,7 @@ route = fc13:71:ea31:4b4e::/64
# Unless set to false it is required for clients to present their
# certificate even if they are authenticating via a previously granted
# cookie and complete their authentication in the same TCP connection.
# Legacy CISCO clients do not do that, and thus this option should be
# Legacy CISCO clients do not do that, and thus this option should be
# set for them.
#cisco-client-compat = false

View File

@@ -1,6 +1,6 @@
# User authentication method. Could be set multiple times and in that case
# all should succeed.
# Options: certificate, pam.
# Options: certificate, pam.
#auth = "certificate"
#auth = "plain[/etc/ocserv/passwd]"
#auth = "pam"
@@ -32,7 +32,7 @@ acct = "radius[config=@SRCDIR@/data/radiusclient/radiusclient.conf]"
stats-report-time = 30
# Use listen-host to limit to specific IPs or to the IPs of a provided
# Use listen-host to limit to specific IPs or to the IPs of a provided
# hostname.
#listen-host = @ADDRESS@
@@ -40,11 +40,11 @@ stats-report-time = 30
#max-clients = 1024
max-clients = 16
# Limit the number of client connections to one every X milliseconds
# Limit the number of client connections to one every X milliseconds
# (X is the provided value). Set to zero for no limit.
#rate-limit-ms = 100
# Limit the number of identical clients (i.e., users connecting
# Limit the number of identical clients (i.e., users connecting
# multiple times). Unset or set to zero for unlimited.
max-same-clients = 2
@@ -59,7 +59,7 @@ keepalive = 32400
dpd = 240
# Dead peer detection for mobile clients. The needs to
# be much higher to prevent such clients being awaken too
# be much higher to prevent such clients being awaken too
# often by the DPD messages, and save battery.
# (clients that send the X-AnyConnect-Identifier-DeviceType)
mobile-dpd = 1800
@@ -68,7 +68,7 @@ mobile-dpd = 1800
try-mtu-discovery = false
# The key and the certificates of the server
# The key may be a file, or any URL supported by GnuTLS (e.g.,
# The key may be a file, or any URL supported by GnuTLS (e.g.,
# tpmkey:uuid=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx;storage=user
# or pkcs11:object=my-vpn-key;object-type=private)
#
@@ -93,7 +93,7 @@ server-key = @SRCDIR@/certs/server-key.pem
#ocsp-response = /path/to/ocsp.der
# In case PKCS #11 or TPM keys are used the PINs should be available
# in files. The srk-pin-file is applicable to TPM keys only, and is the
# in files. The srk-pin-file is applicable to TPM keys only, and is the
# storage root key.
#pin-file = /path/to/pin.txt
#srk-pin-file = /path/to/srkpin.txt
@@ -103,16 +103,16 @@ server-key = @SRCDIR@/certs/server-key.pem
# is set.
ca-cert = /etc/ocserv/ca.pem
# The object identifier that will be used to read the user ID in the client
# The object identifier that will be used to read the user ID in the client
# certificate. The object identifier should be part of the certificate's DN
# Useful OIDs are:
# Useful OIDs are:
# CN = 2.5.4.3, UID = 0.9.2342.19200300.100.1.1
cert-user-oid = 0.9.2342.19200300.100.1.1
# The object identifier that will be used to read the user group in the
# The object identifier that will be used to read the user group in the
# client certificate. The object identifier should be part of the certificate's
# DN. Useful OIDs are:
# OU (organizational unit) = 2.5.4.11
# DN. Useful OIDs are:
# OU (organizational unit) = 2.5.4.11
cert-group-oid = 2.5.4.11
# The revocation list of the certificates issued by the 'ca-cert' above.
@@ -136,7 +136,7 @@ auth-timeout = 40
# traffic) before being disconnected. Unset to disable.
#mobile-idle-timeout = 2400
# The time (in seconds) that a client is not allowed to reconnect after
# The time (in seconds) that a client is not allowed to reconnect after
# a failed authentication attempt.
#min-reauth-time = 2
@@ -177,7 +177,7 @@ rekey-method = ssl
# Script to call when a client connects and obtains an IP
# Parameters are passed on the environment.
# REASON, USERNAME, GROUPNAME, HOSTNAME (the hostname selected by client),
# REASON, USERNAME, GROUPNAME, HOSTNAME (the hostname selected by client),
# DEVICE, IP_REAL (the real IP of the client), IP_LOCAL (the local IP
# in the P-t-P connection), IP_REMOTE (the VPN IP of the client),
# ID (a unique numeric ID); REASON may be "connect" or "disconnect".
@@ -249,7 +249,7 @@ ipv6-network = @VPNNET6@
ping-leases = false
# Unset to assign the default MTU of the device
# mtu =
# mtu =
# Unset to enable bandwidth restrictions (in bytes/sec). The
# setting here is global, but can also be set per user or per group.
@@ -262,7 +262,7 @@ ping-leases = false
#output-buffer = 10
# Routes to be forwarded to the client. If you need the
# client to forward routes to the server, you may use the
# client to forward routes to the server, you may use the
# config-per-user/group or even connect and disconnect scripts.
#
# To set the server as the default gateway for the client just
@@ -295,11 +295,11 @@ route = fc13:71:ea31:4b4e::/64
#route-del-cmd = "ip route delete %R dev %D"
#
# The following options are for (experimental) AnyConnect client
# compatibility.
# The following options are for (experimental) AnyConnect client
# compatibility.
# Client profile xml. A sample file exists in doc/profile.xml.
# This file must be accessible from inside the worker's chroot.
# This file must be accessible from inside the worker's chroot.
# It is not used by the openconnect client.
#user-profile = profile.xml
@@ -310,7 +310,7 @@ route = fc13:71:ea31:4b4e::/64
# Unless set to false it is required for clients to present their
# certificate even if they are authenticating via a previously granted
# cookie and complete their authentication in the same TCP connection.
# Legacy CISCO clients do not do that, and thus this option should be
# Legacy CISCO clients do not do that, and thus this option should be
# set for them.
#cisco-client-compat = false
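Review bot: a wording point on the comment in this hunk, out of scope for the whitespace change but worth a follow-up: the text ends with "this option should be set for them" while the setting shown directly below is `#cisco-client-compat = false`, so it is not obvious whether "set" means "set to true"; spelling it out would help, since enabling this option relaxes the requirement that a client authenticating with a previously granted cookie also presents its certificate in the same TCP connection, and an administrator should only turn it on when legacy clients are actually in use.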



@@ -1,6 +1,6 @@
# User authentication method. Could be set multiple times and in that case
# all should succeed.
# Options: certificate, pam.
# Options: certificate, pam.
#auth = "certificate"
#auth = "plain[/etc/ocserv/passwd]"
#auth = "pam"
@@ -32,7 +32,7 @@ acct = "radius[config=@SRCDIR@/data/radiusclient/radiusclient.conf]"
stats-report-time = 30
# Use listen-host to limit to specific IPs or to the IPs of a provided
# Use listen-host to limit to specific IPs or to the IPs of a provided
# hostname.
#listen-host = @ADDRESS@
@@ -40,11 +40,11 @@ stats-report-time = 30
#max-clients = 1024
max-clients = 16
# Limit the number of client connections to one every X milliseconds
# Limit the number of client connections to one every X milliseconds
# (X is the provided value). Set to zero for no limit.
#rate-limit-ms = 100
# Limit the number of identical clients (i.e., users connecting
# Limit the number of identical clients (i.e., users connecting
# multiple times). Unset or set to zero for unlimited.
max-same-clients = 2
@@ -59,7 +59,7 @@ keepalive = 32400
dpd = 240
# Dead peer detection for mobile clients. The needs to
# be much higher to prevent such clients being awaken too
# be much higher to prevent such clients being awaken too
# often by the DPD messages, and save battery.
# (clients that send the X-AnyConnect-Identifier-DeviceType)
mobile-dpd = 1800
@@ -68,7 +68,7 @@ mobile-dpd = 1800
try-mtu-discovery = false
# The key and the certificates of the server
# The key may be a file, or any URL supported by GnuTLS (e.g.,
# The key may be a file, or any URL supported by GnuTLS (e.g.,
# tpmkey:uuid=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx;storage=user
# or pkcs11:object=my-vpn-key;object-type=private)
#
@@ -93,7 +93,7 @@ server-key = @SRCDIR@/certs/server-key.pem
#ocsp-response = /path/to/ocsp.der
# In case PKCS #11 or TPM keys are used the PINs should be available
# in files. The srk-pin-file is applicable to TPM keys only, and is the
# in files. The srk-pin-file is applicable to TPM keys only, and is the
# storage root key.
#pin-file = /path/to/pin.txt
#srk-pin-file = /path/to/srkpin.txt
@@ -103,16 +103,16 @@ server-key = @SRCDIR@/certs/server-key.pem
# is set.
ca-cert = /etc/ocserv/ca.pem
# The object identifier that will be used to read the user ID in the client
# The object identifier that will be used to read the user ID in the client
# certificate. The object identifier should be part of the certificate's DN
# Useful OIDs are:
# Useful OIDs are:
# CN = 2.5.4.3, UID = 0.9.2342.19200300.100.1.1
cert-user-oid = 0.9.2342.19200300.100.1.1
# The object identifier that will be used to read the user group in the
# The object identifier that will be used to read the user group in the
# client certificate. The object identifier should be part of the certificate's
# DN. Useful OIDs are:
# OU (organizational unit) = 2.5.4.11
# DN. Useful OIDs are:
# OU (organizational unit) = 2.5.4.11
cert-group-oid = 2.5.4.11
# The revocation list of the certificates issued by the 'ca-cert' above.
@@ -136,7 +136,7 @@ auth-timeout = 40
# traffic) before being disconnected. Unset to disable.
#mobile-idle-timeout = 2400
# The time (in seconds) that a client is not allowed to reconnect after
# The time (in seconds) that a client is not allowed to reconnect after
# a failed authentication attempt.
#min-reauth-time = 2
@@ -156,7 +156,7 @@ rekey-method = ssl
# Script to call when a client connects and obtains an IP
# Parameters are passed on the environment.
# REASON, USERNAME, GROUPNAME, HOSTNAME (the hostname selected by client),
# REASON, USERNAME, GROUPNAME, HOSTNAME (the hostname selected by client),
# DEVICE, IP_REAL (the real IP of the client), IP_LOCAL (the local IP
# in the P-t-P connection), IP_REMOTE (the VPN IP of the client),
# ID (a unique numeric ID); REASON may be "connect" or "disconnect".
@@ -228,7 +228,7 @@ ipv6-network = @VPNNET6@
ping-leases = false
# Unset to assign the default MTU of the device
# mtu =
# mtu =
# Unset to enable bandwidth restrictions (in bytes/sec). The
# setting here is global, but can also be set per user or per group.
@@ -241,7 +241,7 @@ ping-leases = false
#output-buffer = 10
# Routes to be forwarded to the client. If you need the
# client to forward routes to the server, you may use the
# client to forward routes to the server, you may use the
# config-per-user/group or even connect and disconnect scripts.
#
# To set the server as the default gateway for the client just
@@ -274,11 +274,11 @@ route = fc13:71:ea31:4b4e::/64
#route-del-cmd = "ip route delete %R dev %D"
#
# The following options are for (experimental) AnyConnect client
# compatibility.
# The following options are for (experimental) AnyConnect client
# compatibility.
# Client profile xml. A sample file exists in doc/profile.xml.
# This file must be accessible from inside the worker's chroot.
# This file must be accessible from inside the worker's chroot.
# It is not used by the openconnect client.
#user-profile = profile.xml
@@ -289,7 +289,7 @@ route = fc13:71:ea31:4b4e::/64
# Unless set to false it is required for clients to present their
# certificate even if they are authenticating via a previously granted
# cookie and complete their authentication in the same TCP connection.
# Legacy CISCO clients do not do that, and thus this option should be
# Legacy CISCO clients do not do that, and thus this option should be
# set for them.
#cisco-client-compat = false


@@ -27,7 +27,7 @@ login_timeout 60
authserver localhost
# RADIUS server to use for accounting requests. All that I
# said for authserver applies, too.
# said for authserver applies, too.
#
acctserver localhost
@@ -62,7 +62,7 @@ radius_retries 3
# server for transaction requests. Server(s) being in the "dead" state
# are tried only after all other non-dead servers have been tried and
# failed or timeouted. The deadtime interval starts when the server
# does not respond to an authentication/accounting request transmissions.
# does not respond to an authentication/accounting request transmissions.
# When the interval expires, the "dead" server would be re-tried again,
# and if it's still down then it will be considered "dead" for another
# such interval and so on. This option is no-op if there is only one
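Review bot: the comment in this hunk still reads "failed or timeouted" and "request transmissions" after the change; both are pre-existing wording slips ("timed out", "request transmission"), and since this commit is deliberately limited to whitespace removal they belong in a separate follow-up rather than being folded in here.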
@@ -71,4 +71,3 @@ radius_deadtime 0
# local address from which radius packets have to be sent
bindaddr *


@@ -1,4 +1,4 @@
## Server Name or Client/Server pair Key
## Server Name or Client/Server pair Key
## ---------------- ---------------
#
localhost/localhost testing123
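Review bot: only the `## Server Name or Client/Server pair Key` comment line changes in this hunk and the `localhost/localhost testing123` data line is untouched, which is the right scope for a file of this kind: the entries are whitespace-separated server/secret pairs, so a blanket trailing-space strip that touched a data line could silently alter a shared secret, and whitespace cleanups on secret-bearing files should be checked line by line as this one was.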
