- Fixes an issue #599 where the session timeout could be bypassed
by reconnecting, such as through a laptop lid close/open cycle.
- Adds 'Session started at:' field to 'occtl show user' output.
Signed-off-by: Grigory Trenin <grigory.trenin@gmail.com>
The hostname validation was rejecting any hostname containg a '.'
character (eg: 'MacBook-Air.local'). This was overly restrictive and
prevented the HOSTNAME environment variable from being populated for
a signifficant number of clients, particularly on macOS.
Strip the domain suffix from such hostnames instead of discarding them.
Signed-off-by: Grigory Trenin <grigory.trenin@gmail.com>
- Replaced strcpy() with strlcpy() in test files
- Added linking to libcommon.a (and its dependency libnettle)
as not all systems provide strlcpy()
- Centralized syslog_open variable by moving it from multiple definitions
in main.c, worker.c, and test files into log.c. This avoids duplication
and resolves a linking conflict with libcommon.a
Signed-off-by: Grigory Trenin <grigory.trenin@gmail.com>
- Increase the width from 14 to 15 characters for 'show bans' and
'show ban points' commands. This ensures proper column alignment
for all valid IPv4 addresses.
- Reduce Score column to 10 characters since UINT_MAX is typically
10 digits.
- Remove unnecessary (unsinged int) cast since 'score' is an actual
unsigned int.
Signed-off-by: Grigory Trenin <grigory.trenin@gmail.com>
Fixes issue #551.
This patch combines the initial username and password text fields
into a single form. Subsequent requests due to a wrong password
would receive only the password field as before. This mimicks
AnyConnect's default behaviour.
Signed-off-by: Lee Keitel <lee@keitel.xyz>
Currently 'ocserv' sends session accounting statistics at irregular intervals.
For example, if 'stats-report-time' is set to 60, the actual intervals may vary
between 50, 60, 70, or even 80 seconds. Moreover, these intervals are not
constant - they fluctuate arbitrarily with each statistics update.
This behavior was intentionally introduced to avoid worker processes acting
simultaneously in scenarios like server restarts, where all clients reconnect
at the same time, which could impose heavy load on the secmod process.
However, it causes issues for RADIUS servers that require accurate and
consistent timing.
Summary of changes:
- Apply randomization only once when the timer is initially set up, affecting
only the first timer firing. All subsequent firings will occur at regular
intervals relative to the first one.
- Remove fuzzing from 'interim_update_secs'. This value originates either from
RADIUS or from 'stats-report-time' and should not be altered.
Closes: #630
Signed-off-by: Grigory Trenin <grigory.trenin@gmail.com>
When ban period is minimal, the 'now > e->expires' condition alone
cleared scores before a client was banned.
Signed-off-by: Grigory Trenin <grigory.trenin@gmail.com>
This ensures all subsequent worker communications reach the original
secmod instance that authenticated the client, enabling correct session
accounting after IP address changes.
Closes: #674
Signed-off-by: Grigory Trenin <grigory.trenin@gmail.com>
The previous condition for resetting a ban score was insufficient.
It failed to reset the score for a client that had just exited a ban,
and also incorrectly reset the score of a currently banned client,
causing premature unbans.
Closes: #678
Signed-off-by: Grigory Trenin <grigory.trenin@gmail.com>
Added current timestamp comparison to ensure only active bans
are shown by 'occtl show ip bans'.
Closes: #675.
Signed-off-by: Grigory Trenin <grigory.trenin@gmail.com>
Existing code used the loop index 'i == 0' to determine when to print
column headers. However, a 'continue' statement inside the loop could
skip the 'i = 0' iteration, causing the headers to never be printed.
Introduced a separate boolean 'header_printed' variable to track
whether headers have been printed.
Closes: #677
Signed-off-by: Grigory Trenin <grigory.trenin@gmail.com>
Remove IPV6_V6ONLY flag from per-client UDP sockets as it prevents
IPv4 traffic on systemd-provided IPv6 sockets. This was a legacy
from the old reopen_udp_port() code and is no longer needed.
Fixes: #647
Signed-off-by: Grigory Trenin <grigory.trenin@gmail.com>
Return proper values (1 for success, 0 for error) from iroutes_handler()
to prevent premature parser termination
Signed-off-by: Grigory Trenin <grigory.trenin@gmail.com>
A misplaced bracket passed 'sizeof(*addr1) == -1' instead of 'sizeof(*addr1)'
to sendto(), causing it to fail. This prevented icmp_ping4() from sending
ICMP echo requests.
Consequently, the 'ping-leases' option has been non-functional since
this bug was introduced in commit 2aaa287a.
Signed-off-by: Grigory Trenin <grigory.trenin@gmail.com>
Silence misleading debug message on server startup since absence
of the socket file is normal and expected.
Signed-off-by: Grigory Trenin <grigory.trenin@gmail.com>
Correct the argument order passed to the printf-like function
to match the format string "expected %d, received %d".
Signed-off-by: Grigory Trenin <grigory.trenin@gmail.com>
This reverts commit 6fea92a961.
The URL consolidation caused worker to no longer recognize either of the original URLs.
This led to "unexpected URL" errors and immediate worker termination.
The original change was intended to simplify URL configuration,
but it inadvertently broke functionality for both endpoints.
Signed-off-by: Grigory Trenin <grigory.trenin@gmail.com>
