This avoids warnings and static analyzers complains about
the libev functions hiding the global 'loop' variable
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
Previously when we were disconnecting a user there were few seconds
after which the cookie was still valid, so a reconnect would succeed
by the same user. This change ensures that a disconnected (via occtl)
user cannot re-use the same cookie to connect. That enables a safe
user removal from the authentication database, and from run-time.
Resolves: #59
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
This makes the CSTP connection more interactive for clients that
cannot run over UDP.
See openconnect#122 for discussion.
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
In openconnect client the BYE packet indicates an explicit
user disconnect by sending 0x0b as payload. In anyconnect clients it
may indicate an intention to reconnect (e.g., because network was changed).
We introduce a check for 0x0b to identify the user disconnect and
add debugging output for other disconnect reasons.
Relates: #281
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
When IPv6 is requested by iphone we provide a special route that is
necessary by these clients to use IPv6.
Resolves: #254
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
This ensures that the main process receives the TLS channel information
early and does not depend on DTLS channel establishment. Furthermore,
we refactor to make setup_dtls_psk_keys() fail early when no TLS channel
is available.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
This avoids a crash when no DTLS ciphersuite is selected and adds a
test case for negotiation without DTLS.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
This adds support for DTLS1.2 ciphersuite header as sent by anyconnect
clients.
Resolves#188Resolves#193
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
This provides virtualized server configurations which take
effect after client connection when client hello is received.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
When checking the events returned from poll, handle the POLLERR
condition. This fixes an infinite loop on the worker's main
loop.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
That in effect enables the default timeouts described in
gnutls_dtls_set_timeouts which are 60 seconds, and sets
retransmissions to occur in half a second.
Relates #122
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
It is not possible to derive PSK keys when only the TCP CSTP session
is available, without the TLS session.
Relates #22
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
This provides a more accurate value than the one obtained using the
TCP MSS value. The latter is affected by many factors (such as tcp
options), to provide a reliable value.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
That is, if the header contains "android" or "apple-ios" mark it as
a mobile client. The header X-AnyConnect-Identifier-DeviceType is only
considered for logging purposes and appended to the user-agent name
if present.
When this option is set to false, the DTLS-PSK protocol
will not be negotiated by worker processes. The process will fallback
to the legacy protocol in that case.
The server sends the X-DTLS-App-ID header in the new protocol;
the X-DTLS-Session-ID is only used in the legacy protocol. The
server expects the Application identifier to be placed in a TLS
extension.
There the DTLS ciphersuite and DTLS version are negotiated and
we cannot accurately predict the actual tunnel size. In that
case the client must rely on the Base-MTU.
This was changed so that it is explicitly made incompatible with
existing openconnect patch. The new openconnect client patch for
PSK negotiation is incompatible with the protocol as implemented
in 0.11.4 and requires the option match-tls-and-dtls-ciphers for its
openssl variant.
