mirror of
https://gitlab.com/openconnect/ocserv.git
synced 2026-02-09 16:26:59 +08:00
178 lines
4.5 KiB
C
178 lines
4.5 KiB
C
/*
|
|
* Copyright (C) 2015 Red Hat, Inc.
|
|
*
|
|
* This program is free software; you can redistribute it and/or modify
|
|
* it under the terms of the GNU General Public License as published by
|
|
* the Free Software Foundation; either version 2 of the License, or
|
|
* (at your option) any later version.
|
|
*
|
|
* This program is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
* GNU General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU General Public License
|
|
* along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
*/
|
|
|
|
#include <config.h>
|
|
#include <stdio.h>
|
|
#include <stdlib.h>
|
|
#include <string.h>
|
|
#include <talloc.h>
|
|
#include <arpa/inet.h>
|
|
#include <netinet/in.h>
|
|
#include <sys/types.h>
|
|
#include <sys/socket.h>
|
|
|
|
#include "../src/main.h"
|
|
#include "../src/main-ban.h"
|
|
#include "../src/ip-util.h"
|
|
#include "../src/main-ban.c"
|
|
|
|
/* Test the IP banning functionality */
|
|
static
|
|
unsigned check_if_banned_str(main_server_st *s, const char *ip)
|
|
{
|
|
struct sockaddr_storage addr;
|
|
int ret;
|
|
|
|
if (strchr(ip, ':') != 0) {
|
|
ret = inet_pton(AF_INET6, ip, SA_IN6_P(&addr));
|
|
addr.ss_family = AF_INET6;
|
|
} else {
|
|
ret = inet_pton(AF_INET, ip, SA_IN_P(&addr));
|
|
addr.ss_family = AF_INET;
|
|
}
|
|
|
|
if (ret != 1) {
|
|
fprintf(stderr, "cannot convert IP: %s\n", ip);
|
|
exit(1);
|
|
}
|
|
return check_if_banned(s, &addr, addr.ss_family==AF_INET?sizeof(struct sockaddr_in):sizeof(struct sockaddr_in6));
|
|
}
|
|
|
|
int main(void)
|
|
{
|
|
main_server_st *s = talloc(NULL, struct main_server_st);
|
|
vhost_cfg_st *vhost;
|
|
|
|
if (s == NULL)
|
|
exit(1);
|
|
|
|
memset(s, 0, sizeof(*s));
|
|
|
|
s->vconfig = talloc_zero(s, struct list_head);
|
|
if (s->vconfig == NULL)
|
|
exit(1);
|
|
list_head_init(s->vconfig);
|
|
|
|
vhost = talloc_zero(s, struct vhost_cfg_st);
|
|
if (vhost == NULL)
|
|
exit(1);
|
|
vhost->perm_config.config = talloc_zero(vhost, struct cfg_st);
|
|
|
|
list_add(s->vconfig, &vhost->list);
|
|
|
|
vhost->perm_config.config->max_ban_score = 20;
|
|
vhost->perm_config.config->min_reauth_time = 30;
|
|
|
|
main_ban_db_init(s);
|
|
|
|
/* check IPv4 */
|
|
add_str_ip_to_ban_list(s, "192.168.1.1", 5);
|
|
add_str_ip_to_ban_list(s, "192.168.1.1", 10);
|
|
add_str_ip_to_ban_list(s, "192.168.1.1", 5);
|
|
|
|
add_str_ip_to_ban_list(s, "192.168.2.1", 5);
|
|
|
|
add_str_ip_to_ban_list(s, "192.168.3.1", 40);
|
|
|
|
cleanup_banned_entries(s);
|
|
|
|
if (check_if_banned_str(s, "192.168.1.1") == 0) {
|
|
fprintf(stderr, "error in %d\n", __LINE__);
|
|
exit(1);
|
|
}
|
|
|
|
if (check_if_banned_str(s, "192.168.2.1") != 0) {
|
|
fprintf(stderr, "error in %d\n", __LINE__);
|
|
exit(1);
|
|
}
|
|
|
|
if (check_if_banned_str(s, "192.168.3.1") == 0) {
|
|
fprintf(stderr, "error in %d\n", __LINE__);
|
|
exit(1);
|
|
}
|
|
|
|
/* check IPv6 */
|
|
|
|
/* a single /64 */
|
|
add_str_ip_to_ban_list(s, "fc8e:899a:0624:5a89:1a45:63d8:1c92:0bc1", 5);
|
|
add_str_ip_to_ban_list(s, "fc8e:899a:0624:5a89:1a45:63d9:1c92:0bc1", 10);
|
|
add_str_ip_to_ban_list(s, "fc8e:899a:0624:5a89:1a45:63d8:1c93:0bc1", 5);
|
|
|
|
add_str_ip_to_ban_list(s, "fdd9:1ce6:1bee:bdea:5d8c:0840:8666:5942", 5);
|
|
|
|
add_str_ip_to_ban_list(s, "fdc0:c81f:22ab:23a2:4479:f107:1855:bf50", 40);
|
|
|
|
/* check /64 */
|
|
if (check_if_banned_str(s, "fc8e:899a:0624:5a89:1a45:63d8:1c93:0bc1") == 0) {
|
|
fprintf(stderr, "error in %d\n", __LINE__);
|
|
exit(1);
|
|
}
|
|
|
|
if (check_if_banned_str(s, "fc8e:899a:0624:5a89:1a46:63d9:1c93:0bc1") == 0) {
|
|
fprintf(stderr, "error in %d\n", __LINE__);
|
|
exit(1);
|
|
}
|
|
|
|
/* check individual */
|
|
if (check_if_banned_str(s, "fdd9:1ce6:1bee:bdea:5d8c:0840:8666:5942") != 0) {
|
|
fprintf(stderr, "error in %d\n", __LINE__);
|
|
exit(1);
|
|
}
|
|
|
|
if (check_if_banned_str(s, "fdc0:c81f:22ab:23a2:4479:f107:1855:bf50") == 0) {
|
|
fprintf(stderr, "error in %d\n", __LINE__);
|
|
exit(1);
|
|
}
|
|
|
|
/* check expiration of entries */
|
|
sleep(GETCONFIG(s)->min_reauth_time+1);
|
|
|
|
if (check_if_banned_str(s, "192.168.1.1") != 0) {
|
|
fprintf(stderr, "error in %d\n", __LINE__);
|
|
exit(1);
|
|
}
|
|
|
|
if (check_if_banned_str(s, "192.168.2.1") != 0) {
|
|
fprintf(stderr, "error in %d\n", __LINE__);
|
|
exit(1);
|
|
}
|
|
|
|
if (check_if_banned_str(s, "192.168.3.1") != 0) {
|
|
fprintf(stderr, "error in %d\n", __LINE__);
|
|
exit(1);
|
|
}
|
|
|
|
if (check_if_banned_str(s, "fdc0:c81f:22ab:23a2:4479:f107:1855:bf50") != 0) {
|
|
fprintf(stderr, "error in %d\n", __LINE__);
|
|
exit(1);
|
|
}
|
|
|
|
/* check cleanup */
|
|
sleep(GETCONFIG(s)->min_reauth_time+1);
|
|
|
|
cleanup_banned_entries(s);
|
|
|
|
if (main_ban_db_elems(s) != 0) {
|
|
fprintf(stderr, "error in %d: have %d entries\n", __LINE__, main_ban_db_elems(s));
|
|
exit(1);
|
|
}
|
|
|
|
main_ban_db_deinit(s);
|
|
talloc_free(s);
|
|
return 0;
|
|
}
|