The VPN client that comes with the Cisco IP-Phone Enterprise
firmware is based on AnyConnect but was unable to authenticate
with ocserv.
The phone makes an initial GET request and looks for a cookie
named 'webvpn' that has an expiry attribute and a cookie named
'webvpnlogin' containing a non-empty value.
When username+password mode is configured, the phone will then
send a POST request containing those credentials. When using
certificate authentication an empty POST request is sent.
A handler that implements this new behaviour has been added
under the '/svc' path.
To use DTLS 'dtls-legacy' must be enabled and 'udp-port' must
be 443, a new 'cisco-svc-client-compat' option automatically
checks those settings.
New test cases test-pass-svc and test-cert-svc check the above
behaviour.
Older versions of the phone's firmware will fail to create the
DTLS tunnel if the cipher negotiated for HTTPS does not match
that selected for DTLS.
To work-around this either disable DTLS or only allow the
RSA-AES-256-CBC/SHA1 or RSA-AES-128-CBC/SHA1 cipher to be used.
doc/README-cisco-svc.md includes additional information.
Note: 'Enterprise' here is used to differentiate between that
firmware and the MPP (Multi-Platform) firmware which uses the
same hardware.
Signed-off-by: Gareth Palmer <gareth.palmer3@gmail.com>
This replaces the logic of using do-while, and the logic of using
no brackets to get the best of both worlds. The reason for using
brackets is to avoid obscure logic bugs when including the macro in
a complex logic, while the replacement of the do-while is to ensure
that we can continue using keywords like 'continue' and 'break' within
the macros.
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
This reverts commit b5380f2181.
This resolves this issue identified by coverity:
462455 Unexpected control flow
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
Added test-group-cert and test-fork tests that were
present but were never included in the CI test suite.
Removed unix-test which was an obsolete test present
in tests/.
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
Do not define _GNU_SOURCE directly in sources.
We just need to include "config.h" instead.
This is a follow-up to 1ca50d73: autoconf macro AC_USE_SYSTEM_EXTENSIONS
will define _GNU_SOURCE or _XOPEN_SOURCE in "config.h" as needed.
Signed-off-by: Dimitri Papadopoulos <3350651-DimitriPapadopoulos@users.noreply.gitlab.com>
This adds a test for the available multi-group options as
well as documentation for the feature. This tests two options:
* Separate group names in separate class attributes
* Separate group names in separate class attributes with the OU= format
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
This helps circumvent the 253 characters limit of RADIUS string values.
We distinguish between value strings that start with "OU=" and the rest:
* Value strings that start with "OU=" define multiple groups in a single
AVP. Here, we update the previous logic by taking into account all the
AVPs. We emit a warning when discarding subsequent AVPs, but also when
discarding groups within the current AVP because we have reached the
maximum number of groups.
* Other value strings define a single group. Here, we change the
previous logic. We append to the list of groups instead of silently
discarding subsequent value strings.
We emit a warning when discarding AVPs because we have reached the
maximum number of groups.
Signed-off-by: Dimitri Papadopoulos <3350651-DimitriPapadopoulos@users.noreply.gitlab.com>
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
This doesn't change anything, we just want to make clear that trimming
the string pointed to by `p2`, after assigning `pctx->groupnames[i]`,
will have an effect on both since they point to the same string.
Signed-off-by: Dimitri Papadopoulos <3350651-DimitriPapadopoulos@users.noreply.gitlab.com>
We have added open() unconditionally, to be able to open system priority
and FIPS complicance configuration files from workers.
We had already added openat() unconditionally.
Therefore there is no need to re-add them to read XML config files.
Signed-off-by: Dimitri Papadopoulos <3350651-DimitriPapadopoulos@users.noreply.gitlab.com>
Required on some version of Suse with GnuTLS 3.7.3, reportedly to open
system priority and FIPS compliance configuration files:
/etc/crypto-policies/back-ends/gnutls.config
/proc/sys/crypto/fips_enabled
Signed-off-by: Dimitri Papadopoulos <3350651-DimitriPapadopoulos@users.noreply.gitlab.com>
Supporting gnulib brought a whole class of problems due to its complexity.
Removing its support eliminates this class of problems and simplifies the
code significantly.
This sets the locale explicitly on server startup to eliminate the
need for custom string comparison functions.
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
