The hostname validation was rejecting any hostname containg a '.'
character (eg: 'MacBook-Air.local'). This was overly restrictive and
prevented the HOSTNAME environment variable from being populated for
a signifficant number of clients, particularly on macOS.
Strip the domain suffix from such hostnames instead of discarding them.
Signed-off-by: Grigory Trenin <grigory.trenin@gmail.com>
This test was improved to test resumption with TLS 1.3 in addition to TLS 1.2
as well as improve fallback on centos10. This patch introduces validation using
the right CA file.
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
- Replaced strcpy() with strlcpy() in test files
- Added linking to libcommon.a (and its dependency libnettle)
as not all systems provide strlcpy()
- Centralized syslog_open variable by moving it from multiple definitions
in main.c, worker.c, and test files into log.c. This avoids duplication
and resolves a linking conflict with libcommon.a
Signed-off-by: Grigory Trenin <grigory.trenin@gmail.com>
- Increase the width from 14 to 15 characters for 'show bans' and
'show ban points' commands. This ensures proper column alignment
for all valid IPv4 addresses.
- Reduce Score column to 10 characters since UINT_MAX is typically
10 digits.
- Remove unnecessary (unsinged int) cast since 'score' is an actual
unsigned int.
Signed-off-by: Grigory Trenin <grigory.trenin@gmail.com>
At least my machine was generating IDs that were to long and any test
that required networking wouldn't work. This patch restricts the
namespace names to 4 digits.
Signed-off-by: Lee Keitel <lee@keitel.xyz>
Fixes issue #551.
This patch combines the initial username and password text fields
into a single form. Subsequent requests due to a wrong password
would receive only the password field as before. This mimicks
AnyConnect's default behaviour.
Signed-off-by: Lee Keitel <lee@keitel.xyz>
Currently 'ocserv' sends session accounting statistics at irregular intervals.
For example, if 'stats-report-time' is set to 60, the actual intervals may vary
between 50, 60, 70, or even 80 seconds. Moreover, these intervals are not
constant - they fluctuate arbitrarily with each statistics update.
This behavior was intentionally introduced to avoid worker processes acting
simultaneously in scenarios like server restarts, where all clients reconnect
at the same time, which could impose heavy load on the secmod process.
However, it causes issues for RADIUS servers that require accurate and
consistent timing.
Summary of changes:
- Apply randomization only once when the timer is initially set up, affecting
only the first timer firing. All subsequent firings will occur at regular
intervals relative to the first one.
- Remove fuzzing from 'interim_update_secs'. This value originates either from
RADIUS or from 'stats-report-time' and should not be altered.
Closes: #630
Signed-off-by: Grigory Trenin <grigory.trenin@gmail.com>
When ban period is minimal, the 'now > e->expires' condition alone
cleared scores before a client was banned.
Signed-off-by: Grigory Trenin <grigory.trenin@gmail.com>
This ensures all subsequent worker communications reach the original
secmod instance that authenticated the client, enabling correct session
accounting after IP address changes.
Closes: #674
Signed-off-by: Grigory Trenin <grigory.trenin@gmail.com>
The previous condition for resetting a ban score was insufficient.
It failed to reset the score for a client that had just exited a ban,
and also incorrectly reset the score of a currently banned client,
causing premature unbans.
Closes: #678
Signed-off-by: Grigory Trenin <grigory.trenin@gmail.com>
Added current timestamp comparison to ensure only active bans
are shown by 'occtl show ip bans'.
Closes: #675.
Signed-off-by: Grigory Trenin <grigory.trenin@gmail.com>
Existing code used the loop index 'i == 0' to determine when to print
column headers. However, a 'continue' statement inside the loop could
skip the 'i = 0' iteration, causing the headers to never be printed.
Introduced a separate boolean 'header_printed' variable to track
whether headers have been printed.
Closes: #677
Signed-off-by: Grigory Trenin <grigory.trenin@gmail.com>
Remove IPV6_V6ONLY flag from per-client UDP sockets as it prevents
IPv4 traffic on systemd-provided IPv6 sockets. This was a legacy
from the old reopen_udp_port() code and is no longer needed.
Fixes: #647
Signed-off-by: Grigory Trenin <grigory.trenin@gmail.com>
Return proper values (1 for success, 0 for error) from iroutes_handler()
to prevent premature parser termination
Signed-off-by: Grigory Trenin <grigory.trenin@gmail.com>
