When the proxy protocol is used ensure that authentication failure
will credit the right number of points to the actual client IP
address.
Resolves: #529
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
Also measure whether ban points are credited to the right
address for failed attempts.
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
* `TX` key is present twice in `occtl --json show users` output, the first
key turns out to be the Limit TX configured.
Signed-off-by: Florian Domain <f.domain@criteo.com>
This does the release of the tarballs, the git tagging and
the release of gitlab.
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
iperf3 is consistently included in all distributions we
are testing at, in contrast with nuttcp.
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
It is not necessary to specify the device config directive on
each virtual host configuration. Ensure that we don't require it
by mistake. This also introduces a traffic test when operating
with virtual hosts.
Resolves: #480
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
The clavister oneconnect VPN client for android issues an
incorrect URL for the connection. Accept it.
Resolves: #485
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
These macros were part of the gnulib, and they are not available
by default on system. They become available pretty randomly as they
get installed by arbitrary software (e.g., gettext-devel on my system).
We now make them available unconditionally ensuring we can compile
ocserv on a freshly installed system.
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
This also moves any static analyzers checks early in the testing
phases ti catch basic errors faster.
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
The VPN client that comes with the Cisco IP-Phone Enterprise
firmware is based on AnyConnect but was unable to authenticate
with ocserv.
The phone makes an initial GET request and looks for a cookie
named 'webvpn' that has an expiry attribute and a cookie named
'webvpnlogin' containing a non-empty value.
When username+password mode is configured, the phone will then
send a POST request containing those credentials. When using
certificate authentication an empty POST request is sent.
A handler that implements this new behaviour has been added
under the '/svc' path.
To use DTLS 'dtls-legacy' must be enabled and 'udp-port' must
be 443, a new 'cisco-svc-client-compat' option automatically
checks those settings.
New test cases test-pass-svc and test-cert-svc check the above
behaviour.
Older versions of the phone's firmware will fail to create the
DTLS tunnel if the cipher negotiated for HTTPS does not match
that selected for DTLS.
To work-around this either disable DTLS or only allow the
RSA-AES-256-CBC/SHA1 or RSA-AES-128-CBC/SHA1 cipher to be used.
doc/README-cisco-svc.md includes additional information.
Note: 'Enterprise' here is used to differentiate between that
firmware and the MPP (Multi-Platform) firmware which uses the
same hardware.
Signed-off-by: Gareth Palmer <gareth.palmer3@gmail.com>
This replaces the logic of using do-while, and the logic of using
no brackets to get the best of both worlds. The reason for using
brackets is to avoid obscure logic bugs when including the macro in
a complex logic, while the replacement of the do-while is to ensure
that we can continue using keywords like 'continue' and 'break' within
the macros.
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
This reverts commit b5380f2181.
This resolves this issue identified by coverity:
462455 Unexpected control flow
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
Added test-group-cert and test-fork tests that were
present but were never included in the CI test suite.
Removed unix-test which was an obsolete test present
in tests/.
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
Do not define _GNU_SOURCE directly in sources.
We just need to include "config.h" instead.
This is a follow-up to 1ca50d73: autoconf macro AC_USE_SYSTEM_EXTENSIONS
will define _GNU_SOURCE or _XOPEN_SOURCE in "config.h" as needed.
Signed-off-by: Dimitri Papadopoulos <3350651-DimitriPapadopoulos@users.noreply.gitlab.com>
This adds a test for the available multi-group options as
well as documentation for the feature. This tests two options:
* Separate group names in separate class attributes
* Separate group names in separate class attributes with the OU= format
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
This helps circumvent the 253 characters limit of RADIUS string values.
We distinguish between value strings that start with "OU=" and the rest:
* Value strings that start with "OU=" define multiple groups in a single
AVP. Here, we update the previous logic by taking into account all the
AVPs. We emit a warning when discarding subsequent AVPs, but also when
discarding groups within the current AVP because we have reached the
maximum number of groups.
* Other value strings define a single group. Here, we change the
previous logic. We append to the list of groups instead of silently
discarding subsequent value strings.
We emit a warning when discarding AVPs because we have reached the
maximum number of groups.
Signed-off-by: Dimitri Papadopoulos <3350651-DimitriPapadopoulos@users.noreply.gitlab.com>
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
