Instead they should be filed on GitLab.
Adapt the relevant explanation to the different type of bug reporting mechanism.
Signed-off-by: Dimitri Papadopoulos <3350651-DimitriPapadopoulos@users.noreply.gitlab.com>
While each `syslog()` adds a new entry to the system log,
`fprintf(stderr, ...)` does not automatically add a newline
to distinguish between entries. We need to add the newline
ourselves.
We tried to make _oc_syslog() as atomic as possible in the
context of a multi-process daemon by keeping a single
`fprintf()` call. Probably not perfect, but the best we
can do when printing to stderr instead of using the system
logger. Works only with the GNU C or compatible compiler.
Signed-off-by: Dimitri Papadopoulos <3350651-DimitriPapadopoulos@users.noreply.gitlab.com>
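The point in the message above is that a multi-process daemon writing to stderr must emit each entry, newline included, in one write, or entries from different workers interleave. The following is an added illustration, not ocserv's `_oc_syslog()`: it formats the whole line (including the trailing newline) into a buffer first and then hands it to a single `fwrite()`. The buffer size, the level prefixes and the truncation behaviour are choices made for this example; it assumes the C library issues one `write()` for an unbuffered stream such as stderr.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Example only (not ocserv code): format one complete log line into buf.
 * The line always ends with '\n' so that a single write emits a whole
 * entry, mirroring how syslog() delimits entries. Returns the number of
 * bytes in buf (excluding the NUL), or -1 on error. Truncates if needed. */
static int oc_format_log_line_v(char *buf, size_t size, const char *fmt, va_list ap)
{
	int n;

	if (size < 2)
		return -1;

	/* leave room for the newline and the terminating NUL */
	n = vsnprintf(buf, size - 1, fmt, ap);
	if (n < 0)
		return -1;
	if ((size_t)n > size - 2)
		n = (int)(size - 2); /* message was truncated */

	buf[n] = '\n';
	buf[n + 1] = '\0';
	return n + 1;
}

/* Variadic wrapper used by the caller and by the test. */
static int oc_format_log_line(char *buf, size_t size, const char *fmt, ...)
{
	va_list ap;
	int len;

	va_start(ap, fmt);
	len = oc_format_log_line_v(buf, size, fmt, ap);
	va_end(ap);
	return len;
}

/* Emit one entry to stderr with a single library call so that entries
 * from several worker processes do not interleave mid-line. */
static void oc_log_stderr(const char *fmt, ...)
{
	char buf[512]; /* arbitrary size chosen for this example */
	va_list ap;
	int len;

	va_start(ap, fmt);
	len = oc_format_log_line_v(buf, sizeof(buf), fmt, ap);
	va_end(ap);

	if (len > 0)
		fwrite(buf, 1, (size_t)len, stderr); /* one write per entry */
}

int main(void)
{
	oc_log_stderr("worker %d: %s", 7, "connected");
	oc_log_stderr("worker %d: %s", 8, "disconnected");
	return 0;
}
```

Each call produces exactly one line on stderr. If the message does not fit, it is cut so that the newline is still the last byte, which keeps the stream parseable line by line.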
Separated the logging logically from any remaining debugging
features. Introduced command line option for logging to stderr
only (for systemd and containers). The default log level is set
to (2) info.
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
* useful for machines reading JSON to get directly the unix timestamp of
the user's connection start time
Signed-off-by: Florian Domain <f.domain@criteo.com>
Each cookie is valid for its IP address and when reconnected it must
reach the same sec-mod that contains the corresponding session
information.
This reverts commit 4ec99609ca.
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
* `TX` key is present twice in `occtl --json show users` output, the first
key turns out to be the Limit TX configured.
Signed-off-by: Florian Domain <f.domain@criteo.com>
It is not necessary to specify the device config directive on
each virtual host configuration. Ensure that we don't require it
by mistake. This also introduces a traffic test when operating
with virtual hosts.
Resolves: #480
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
The Clavister OneConnect VPN client for Android issues an
incorrect URL for the connection. Accept it.
Resolves: #485
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
The VPN client that comes with the Cisco IP-Phone Enterprise
firmware is based on AnyConnect but was unable to authenticate
with ocserv.
The phone makes an initial GET request and looks for a cookie
named 'webvpn' that has an expiry attribute and a cookie named
'webvpnlogin' containing a non-empty value.
When username+password mode is configured, the phone will then
send a POST request containing those credentials. When using
certificate authentication an empty POST request is sent.
A handler that implements this new behaviour has been added
under the '/svc' path.
To use DTLS 'dtls-legacy' must be enabled and 'udp-port' must
be 443, a new 'cisco-svc-client-compat' option automatically
checks those settings.
New test cases test-pass-svc and test-cert-svc check the above
behaviour.
Older versions of the phone's firmware will fail to create the
DTLS tunnel if the cipher negotiated for HTTPS does not match
that selected for DTLS.
To work around this either disable DTLS or only allow the
RSA-AES-256-CBC/SHA1 or RSA-AES-128-CBC/SHA1 cipher to be used.
doc/README-cisco-svc.md includes additional information.
Note: 'Enterprise' here is used to differentiate between that
firmware and the MPP (Multi-Platform) firmware which uses the
same hardware.
Signed-off-by: Gareth Palmer <gareth.palmer3@gmail.com>
This helps circumvent the 253-character limit of RADIUS string values.
We distinguish between value strings that start with "OU=" and the rest:
* Value strings that start with "OU=" define multiple groups in a single
AVP. Here, we update the previous logic by taking into account all the
AVPs. We emit a warning when discarding subsequent AVPs, but also when
discarding groups within the current AVP because we have reached the
maximum number of groups.
* Other value strings define a single group. Here, we change the
previous logic. We append to the list of groups instead of silently
discarding subsequent value strings.
We emit a warning when discarding AVPs because we have reached the
maximum number of groups.
Signed-off-by: Dimitri Papadopoulos <3350651-DimitriPapadopoulos@users.noreply.gitlab.com>
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
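The two rules in the message above (an "OU=" value carries several groups, any other value is one group, and both are appended until a group cap is reached, with a warning for anything discarded) are easy to get subtly wrong, so here is an added reference implementation in Python. It is not ocserv's radius code. The group cap of 4, the ';' separator inside an "OU=" value and the constructed AVP values are assumptions made for this example.

```python
"""Example only (not ocserv code): merge group names from several RADIUS AVPs.

Each element of ``values`` is the string value of one AVP as received from
the RADIUS server. Because a single AVP value cannot exceed 253 characters,
a server may spread groups across several AVPs; this function collects all of
them instead of stopping at the first.
"""

MAX_GROUPS = 4          # assumed cap for the example
OU_SEPARATOR = ";"      # assumed separator inside an "OU=" value


def parse_group_avps(values, max_groups=MAX_GROUPS, separator=OU_SEPARATOR):
    """Return (groups, warnings).

    * A value starting with "OU=" lists several groups separated by
      ``separator``; each is appended individually.
    * Any other value names exactly one group and is appended as is.
    * Once ``max_groups`` have been collected, every further group (whether a
      whole AVP or a group inside the current AVP) is discarded with a warning.
    """
    groups = []
    warnings = []

    for index, value in enumerate(values):
        if len(groups) >= max_groups:
            warnings.append(
                f"AVP {index}: discarding {value!r}, "
                f"{max_groups} groups already collected"
            )
            continue

        if value.startswith("OU="):
            names = [n.strip() for n in value[3:].split(separator) if n.strip()]
            for name in names:
                if len(groups) >= max_groups:
                    warnings.append(
                        f"AVP {index}: discarding group {name!r}, "
                        f"{max_groups} groups already collected"
                    )
                    continue
                groups.append(name)
        else:
            groups.append(value)

    return groups, warnings


if __name__ == "__main__":
    # Constructed sample: four AVPs, with groups spread over several of them.
    sample = ["OU=admins;devs", "ops", "OU=qa;sec;net", "extra"]
    found, warned = parse_group_avps(sample)
    print("groups:", found)
    for line in warned:
        print("warning:", line)
```

With the constructed sample the function keeps `admins`, `devs`, `ops` and `qa`, then warns twice for `sec` and `net` (discarded inside the third AVP) and once for the fourth AVP as a whole, which matches the two warning cases described in the message.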
We have added open() unconditionally, to be able to open system priority
and FIPS compliance configuration files from workers.
We had already added openat() unconditionally.
Therefore there is no need to re-add them to read XML config files.
Signed-off-by: Dimitri Papadopoulos <3350651-DimitriPapadopoulos@users.noreply.gitlab.com>
Required on some versions of SUSE with GnuTLS 3.7.3, reportedly to open
system priority and FIPS compliance configuration files:
/etc/crypto-policies/back-ends/gnutls.config
/proc/sys/crypto/fips_enabled
Signed-off-by: Dimitri Papadopoulos <3350651-DimitriPapadopoulos@users.noreply.gitlab.com>
Supporting gnulib brought a whole class of problems due to its complexity.
Removing its support eliminates this class of problems and simplifies the
code significantly.
This sets the locale explicitly on server startup to eliminate the
need for custom string comparison functions.
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
This adds a "camouflage" functionality (looking and acting like an ordinary web server),
to prevent OCserv installations from being automatically scanned or blocked with active probing techniques.
Signed-off-by: Kirill Ovchinnikov <kirill.ovchinn@gmail.com>
Make clear hex.c and hex.h are vendored files from CCAN:
https://github.com/rustyrussell/ccan
At the same time, update to commit ba79e21 committed on 9 January 2023,
for consistency with the rest of CCAN vendored files.
Additionally, by including <ccan/str/hex/hex.h> instead of "hex.h",
this fixes my Ubuntu 22.04 build, where including "hex.h" would include
the system Kerberos file /usr/include/heimdal/hex.h instead of
our local CCAN file hex.h.
Signed-off-by: Dimitri Papadopoulos <3350651-DimitriPapadopoulos@users.noreply.gitlab.com>