This addresses issues with anyconnect clients which send back the descriptive labels.
Resolves#267
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
Linux kernel commit 955ec4c ("net/ipv6: Do not allow route add with a
device that is down") rejects attempts to install an IPv6 route on an
interface that is not yet up. This commit is first included in kernel
4.16.
The current code in os_set_ipv6_addr brings up the interface only
after attempting to install the IPv6 route. On kernel 4.16 or later,
this fails with the error "Error setting route to remote IPv6: Network
is down".
Fix by switching the order of code blocks to bring the interface up
before attempting to configure the route.
Resolves: #301
Signed-off-by: Michael Brown <mbrown@fensystems.co.uk>
This adds a fedora CI run to with filtered calls failing
with a signal in order to detect missing syscalls from our filters.
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
When new calls are introduced in the kernel a libc may
chose to move to them. Having our filter return ENOSYS
will signal libc to fallback to the previous call which
exists in the filter.
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
On systems that are running low on memory, the ocserv worker processes
should be killed before the ocserv-main or ocserv-sm process.
To achieve this, we set /proc/self/oom_score_adj to 1000
Resolves: #283
Signed-off-by: Alan TG Jowett <alan.jowett@microsoft.com>
This makes the CSTP connection more interactive for clients that
cannot run over UDP.
See openconnect#122 for discussion.
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
In openconnect client the BYE packet indicates an explicit
user disconnect by sending 0x0b as payload. In anyconnect clients it
may indicate an intention to reconnect (e.g., because network was changed).
We introduce a check for 0x0b to identify the user disconnect and
add debugging output for other disconnect reasons.
Relates: #281
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
This fixes the ban entries listing from printing all the items in
the database, to all the items that are actually banned from
connecting.
Resolves: #272
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
That prevents clients that send an all-zero DTLS client hello from being
able to establish a connection.
That also introduces the OCSERV_ALLOW_BROKEN_CLIENTS environment variable
which when set to 1 it allows broken clients to connect. This is used
mainly to allow test cases to pass to existing vulnerable systems in our
CI.
Resolves: #277
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
Warnings outputed by gcc (Ubuntu 7.5.0-3ubuntu1~18.04) 7.5.0
* pcl/pcl.c:385:17: warning: unused variable ‘r’ [-Wunused-variable]
* Use pre-compilation directive to avoid defining unused function when not needed:
* pcl/pcl.c:62:12: warning: ‘co_ctx_stackdir’ defined but not used [-Wunused-function]
static int co_ctx_stackdir(void)
* pcl/pcl.c:54:12: warning: ‘co_ctx_sdir’ defined but not used [-Wunused-function]
static int co_ctx_sdir(unsigned long psp)
Signed-off-by: Pierre Souchay <pierre@souchay.net>
We were previously asking rc_aaa() to include NAS-Port pair to
the request which has undesirable results.
Resolves: #269
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
When IPv6 is requested by iphone we provide a special route that is
necessary by these clients to use IPv6.
Resolves: #254
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
This fixes a regression which prevented DTLS-PSK (or PSK-NEGOTIATE)
from being negotiated.
Resolves: #262
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Export more information to the script, including client device platform,
type and user agent.
Resolves: #256
Signed-off-by: Alan Jowett <alanjo@microsoft.com>
This permits the validation of OpenID Connect auth tokens OpenID
Connect is an OAuth 2.0 protocol used to identify a resource owner
(VPN client end-user) to a resource server (VPN server) intermediated
by an Authorization server.
Resolves: #240
Signed-off-by: Alan TG Jowett <alan.jowett@microsoft.com>
When a client re-uses a cookie and takes over a previous connection
previously the disconnect script of the old connection wouldn't receive
the IP information. Ensure that all information is provided to scripts
at this case.
Resolves: #231
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
