479 Commits

Author SHA1 Message Date
Nikos Mavrogiannopoulos
1e08ef47e0 Merge branch 'compression-tests' into 'master'
Fix race condition in traffic tests

See merge request openconnect/ocserv!499
2026-02-03 17:31:57 +00:00
Nikos Mavrogiannopoulos
e05485f008 Merge branch 'issue599' into 'master'
Fix session timeout bypass

Closes #599

See merge request openconnect/ocserv!489
2026-01-29 18:47:55 +00:00
Grigory Trenin
016c1b7f51 Use separate port for second iperf3 daemon
Avoids race condition when the first daemon's port release is delayed

Signed-off-by: Grigory Trenin <grigory.trenin@gmail.com>
2026-01-28 18:19:03 -05:00
Dimitri Papadopoulos Orfanos
360e4714e3 Merge branch 'bugfix/ban-json' into 'master'
occtl: Fix 'show ip bans' may produce invalid JSON (#683)

Closes #683

See merge request openconnect/ocserv!495
2026-01-26 09:16:47 +02:00
Grigory Trenin
fb41d4203d Fix session timeout bypass
- Fixes an issue #599 where the session timeout could be bypassed
  by reconnecting, such as through a laptop lid close/open cycle.
- Adds 'Session started at:' field to 'occtl show user' output.

Signed-off-by: Grigory Trenin <grigory.trenin@gmail.com>
2026-01-25 18:59:13 -05:00
Grigory Trenin
9cc0191236 occtl: Fix 'show ip bans' may produce invalid JSON (#683)
Modified the printing logic to use a 'comma-before' approach instead of
'comma-after'.

Signed-off-by: Grigory Trenin <grigory.trenin@gmail.com>
2026-01-23 12:54:43 -05:00
Grigory Trenin
b080d7dd2b Rename min-reauth-time to ban-time (#676)
Signed-off-by: Grigory Trenin <grigory.trenin@gmail.com>
2026-01-23 05:44:05 -05:00
Grigory Trenin
74ebc5ec8a Strip domain suffix from hostname
The hostname validation was rejecting any hostname containing a '.'
character (e.g. 'MacBook-Air.local'). This was overly restrictive and
prevented the HOSTNAME environment variable from being populated for
a significant number of clients, particularly on macOS.

Strip the domain suffix from such hostnames instead of discarding them.

Signed-off-by: Grigory Trenin <grigory.trenin@gmail.com>
2026-01-11 09:15:14 +01:00
Nikos Mavrogiannopoulos
29786781ed tests: resumption: enhanced and avoid the use of gnutls-cli insecure option
This test was improved to test resumption with TLS 1.3 in addition to TLS 1.2
as well as improve fallback on centos10. This patch introduces validation using
the right CA file.

Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
2026-01-11 09:04:18 +01:00
Grigory Trenin
8636464880 tests: replace strcpy() with strlcpy()
- Replaced strcpy() with strlcpy() in test files
- Added linking to libcommon.a (and its dependency libnettle)
  as not all systems provide strlcpy()
- Centralized syslog_open variable by moving it from multiple definitions
  in main.c, worker.c, and test files into log.c. This avoids duplication
  and resolves a linking conflict with libcommon.a

Signed-off-by: Grigory Trenin <grigory.trenin@gmail.com>
2026-01-07 15:46:16 -05:00
Nikos Mavrogiannopoulos
5fad4f93dd tests: use jq to test json correctness
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
2026-01-02 11:18:23 +01:00
Lee Keitel
70d936ca95 Fix network namespace setup script
At least my machine was generating IDs that were too long and any test
that required networking wouldn't work. This patch restricts the
namespace names to 4 digits.

Signed-off-by: Lee Keitel <lee@keitel.xyz>
2026-01-01 20:14:15 +01:00
Dimitri Papadopoulos Orfanos
e5de27a316 Merge branch 'tmp-main' into 'master'
Main() signature compliant with C standard

See merge request openconnect/ocserv!438
2025-12-06 11:08:40 +01:00
Dimitri Papadopoulos
4a4c341b45 Option listen-host expects a single IP address
Signed-off-by: Dimitri Papadopoulos <3350651-DimitriPapadopoulos@users.noreply.gitlab.com>
2025-03-02 19:07:22 +01:00
Dimitri Papadopoulos
5d1eeee8ca Main() signature compliant with C standard
Signed-off-by: Dimitri Papadopoulos <3350651-DimitriPapadopoulos@users.noreply.gitlab.com>
2024-12-06 12:08:52 +01:00
Nikos Mavrogiannopoulos
78c65b5adf Updated code to follow with kernel coding style
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
2024-12-01 17:01:05 +01:00
Marcin Ochab
3f966ae8ca Allow selecting group by URL or profile
This introduces the 'select-group-by-url' config option
that allows selecting an authgroup just by connecting to
a dedicated URI.

Signed-off-by: Marcin Ochab <marcin.ochab@gmail.com>
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
2024-04-23 21:35:00 +02:00
Daniel Lenski
aa8ab8ed30 Expand no-ipv6-ocv3 test
As added in c1a6f2b04a, this test verifies
that ocserv will NOT send IPv6 routes to OpenConnect v3 clients, which can't
handle them correctly.

Additionally, we can also verify that ocserv DOES send IPv6 routes to
totally unknown clients, which is the intended outcome resulting from
8b8a1a7b53.

Signed-off-by: Daniel Lenski <dlenski@amazon.com>
2024-02-19 17:41:29 -08:00
Dimitri Papadopoulos
ab58d9e9d7 Retrieve connection speed from RADIUS
Hijack Roaring Penguin's RADIUS attributes for that purpose:
* RP-Upstream-Speed-Limit → rx_per_sec
* RP-Downstream-Speed-Limit → tx_per_sec

While the ocserv configuration options use b/s, ocserv uses kb/s
internally. The radius attributes are already expressed in kb/s,
so we don't need to convert them.

Signed-off-by: Dimitri Papadopoulos <3350651-DimitriPapadopoulos@users.noreply.gitlab.com>
2024-01-20 20:12:34 +01:00
Nikos Mavrogiannopoulos
bc4b1c5f12 tests: auto-generate random addresses instead of hard-coding them
The main benefit is that there is less manual work to add a
test (discovery of unique random addresses is not necessary),
but it also ensures that the tests can run on environments where the
previously hard-coded addresses were present.

Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
2023-12-29 21:18:28 +01:00
Nikos Mavrogiannopoulos
21e35358b4 tests: improved radius log presentation
Include the radiusd output with debugging information on stdout
for the radius tests. This allows better visibility to potential
configuration issues of radiusd.

Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
2023-12-29 16:38:03 +01:00
Dimitri Papadopoulos
7d6213a0d0 Fix openconnect --authgroup option in tests
Signed-off-by: Dimitri Papadopoulos <3350651-DimitriPapadopoulos@users.noreply.gitlab.com>
2023-12-20 13:34:31 +01:00
Nikos Mavrogiannopoulos
e44cc6fd78 Separated logging for worker and main and oc_syslog() respects log-level
This makes oc_syslog respect the configured log-level. This also introduces
a clear separation of the logging function between the two processes.

Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
2023-12-17 11:18:47 +01:00
Nikos Mavrogiannopoulos
f0067ae0ea Cleanup of the logging subsystem; allow logging to stderr only
Separated the logging logically from any remaining debugging
features. Introduced command line option for logging to stderr
only (for systemd and containers). The default log level is set
to (2) info.

Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
2023-12-15 13:04:40 +01:00
Nikos Mavrogiannopoulos
c1a6f2b04a Added test for IPv6 routes in openconnect v3
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
2023-12-14 13:28:56 +01:00
Rob van Oostenrijk
ed538039c3 Skip camouflage check for authenticated users
Once a client has progressed through the initial
auth checks (and successfully passed the initial
camouflage check), it's safe to skip further camouflage
checks. This allows the Cisco Secure client to continue
successfully through HTTP requests for /profiles//etc/ocserv/profile.xml
and /1/VPNManifest.xml.

Resolves: #544

Signed-off-by: Rob van Oostenrijk <robvanoostenrijk@users.noreply.github.com>
2023-10-03 12:27:11 +02:00
Florian Domain
798dce24ba tests: add a test to validate occtl output
* this test allows to validate the occtl output (JSON format) returns
  expected fields
* we only test 2 fields for now (ID and raw_connected_at), but could
  be expanded easily

Signed-off-by: Florian Domain <f.domain@criteo.com>
2023-09-25 18:02:56 +02:00
Nikos Mavrogiannopoulos
747940238d tests: added test for idle and session timeout
This checks the functionality of idle-timeout and
session-timeout as well as whether the cookies are
invalidated after the user is disconnected.

Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
2023-09-19 10:41:57 +02:00
Nikos Mavrogiannopoulos
a12873af21 Merge branch 'codespell' into 'master'
Fix misspelling newly reported by codespell

See merge request openconnect/ocserv!369
2023-09-15 13:29:41 +00:00
Nikos Mavrogiannopoulos
fbfbdc058a tests: use sec-mod-scale on cookie tests
This ensures we catch issues similar to !288.

Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
2023-09-15 15:19:19 +02:00
Dimitri Papadopoulos
b29d915699 Fix misspelling newly reported by codespell
Signed-off-by: Dimitri Papadopoulos <3350651-DimitriPapadopoulos@users.noreply.gitlab.com>
2023-09-11 19:18:37 +02:00
Nikos Mavrogiannopoulos
59400941cf tests: verify that address got by the proxy matches the client
Also measure whether ban points are credited to the right
address for failed attempts.

Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
2023-08-17 16:14:14 +02:00
Nikos Mavrogiannopoulos
02442aabbc Replaced nuttcp tests with iperf3
iperf3 is consistently included in all distributions we
are testing on, in contrast with nuttcp.

Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
2023-07-27 15:50:33 +02:00
Nikos Mavrogiannopoulos
c393d4d7b4 vhost: do not require setting device per vhost
It is not necessary to specify the device config directive on
each virtual host configuration. Ensure that we don't require it
by mistake. This also introduces a traffic test when operating
with virtual hosts.

Resolves: #480

Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
2023-07-18 16:32:34 +02:00
Nikos Mavrogiannopoulos
b09b1b81de tests: added missing file
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
2023-07-11 18:11:06 +02:00
Gareth Palmer
996d021e1b Add support for Cisco IP-Phone Enterprise firmware VPN client.
The VPN client that comes with the Cisco IP-Phone Enterprise
firmware is based on AnyConnect but was unable to authenticate
with ocserv.

The phone makes an initial GET request and looks for a cookie
named 'webvpn' that has an expiry attribute and a cookie named
'webvpnlogin' containing a non-empty value.

When username+password mode is configured, the phone will then
send a POST request containing those credentials. When using
certificate authentication an empty POST request is sent.

A handler that implements this new behaviour has been added
under the '/svc' path.

To use DTLS 'dtls-legacy' must be enabled and 'udp-port' must
be 443, a new 'cisco-svc-client-compat' option automatically
checks those settings.

New test cases test-pass-svc and test-cert-svc check the above
behaviour.

Older versions of the phone's firmware will fail to create the
DTLS tunnel if the cipher negotiated for HTTPS does not match
that selected for DTLS.

To work-around this either disable DTLS or only allow the
RSA-AES-256-CBC/SHA1 or RSA-AES-128-CBC/SHA1 cipher to be used.

doc/README-cisco-svc.md includes additional information.

Note: 'Enterprise' here is used to differentiate between that
firmware and the MPP (Multi-Platform) firmware which uses the
same hardware.

Signed-off-by: Gareth Palmer <gareth.palmer3@gmail.com>
2023-07-11 22:48:22 +12:00
Nikos Mavrogiannopoulos
e547733d61 tests: removed legacy tests and added missing ones
Added test-group-cert and test-fork tests that were
present but were never included in the CI test suite.

Removed unix-test which was an obsolete test present
in tests/.

Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
2023-06-22 12:29:02 +02:00
Nikos Mavrogiannopoulos
a28ffdd4c3 Test both --debug and plain options.
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
2023-06-20 06:58:00 +00:00
Dimitri Papadopoulos
5942ced085 tests: check JSON output with occtl --debug
Signed-off-by: Dimitri Papadopoulos <3350651-DimitriPapadopoulos@users.noreply.gitlab.com>
2023-06-17 23:06:50 +02:00
Nikos Mavrogiannopoulos
1373a11f57 tests: added a test for groups defined over multiple AVPs
This adds a test for the available multi-group options as
well as documentation for the feature. This tests two options:
 * Separate group names in separate class attributes
 * Separate group names in separate class attributes with the OU= format

Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
2023-06-17 00:25:55 +02:00
Nikos Mavrogiannopoulos
1ca50d7337 Removed gnulib
Supporting gnulib brought a whole class of problems due to its complexity.
Removing its support eliminates this class of problems and simplifies the
code significantly.

This sets the locale explicitly on server startup to eliminate the
need for custom string comparison functions.

Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
2023-06-13 16:54:38 +02:00
Nikos Mavrogiannopoulos
0fac0efc14 .gitlab-ci.yml: added almalinux9
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
2023-06-13 16:51:38 +02:00
johnson
eadebbbd71 ignore querystring while dispatching
Signed-off-by: johnson <10619522-OnFIs@users.noreply.gitlab.com>
2023-06-10 16:21:34 +08:00
Dimitri Papadopoulos
25b85eadb3 This file is part of GnuTLS → ocserv.
Signed-off-by: Dimitri Papadopoulos <3350651-DimitriPapadopoulos@users.noreply.gitlab.com>
2023-02-23 21:51:37 +01:00
Dimitri Papadopoulos
8bde99db99 PAM tests: ROOTUID → ROOTGID
Signed-off-by: Dimitri Papadopoulos <3350651-DimitriPapadopoulos@users.noreply.gitlab.com>
2023-01-05 13:07:05 +01:00
Dimitri Papadopoulos
3eec11bfcd Get rid of deprecated option cookie-validity
Signed-off-by: Dimitri Papadopoulos <3350651-DimitriPapadopoulos@users.noreply.gitlab.com>
2022-12-24 12:46:53 +01:00
Dimitri Papadopoulos
f28669bf60 Remove spaces
* Remove trailing spaces at end-of-line
* Remove blank lines at end-of-file

Signed-off-by: Dimitri Papadopoulos <3234522+DimitriPapadopoulos@users.noreply.github.com>
2022-11-28 11:22:33 +01:00
Tara Mallesh
cfe2ea06d9 Allow HTTP headers to be configurable
2022-07-02 04:02:56 +00:00
Tara Mallesh
058c63303f Update test-owasp-headers with Pragma and Cache-control checks
2022-03-09 17:48:51 +00:00
Nikos Mavrogiannopoulos
cd2ad0c66f radiusd.conf: set libdir through autoconf
It should depend on the system tested.

Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
2021-12-22 22:28:06 +01:00