Merge branch 'IPv6_for_unknown_agents' into 'master'

Don't disable IPv6 for unknown client agents

See merge request openconnect/ocserv!377

src/worker-vpn.c

@@ -2114,24 +2114,25 @@ static int connect_handler(worker_st * ws)
 		}
 	}
 
-	/* While anyconnect clients can handle the assignment
-	 * of an IPv6 address, they cannot handle routes or DNS
-	 * in IPv6. So we disable IPv6 after an IP is assigned. */
 	if (ws->full_ipv6 == 0) {
 		req->no_ipv6 = 1;
 		oclog(ws, LOG_INFO, "IPv6 routes/DNS disabled because IPv6 support was not requested.");
 	} else {
 		switch (req->user_agent_type) {
+		case AGENT_OPENCONNECT_V3:
+			req->no_ipv6 = 1;
+			oclog(ws, LOG_INFO, "IPv6 routes/DNS disabled because the agent is known not to support them.");
+			break;
 		case AGENT_OPENCONNECT:
 		case AGENT_ANYCONNECT:
 		case AGENT_OPENCONNECT_CLAVISTER:
 		case AGENT_ANYLINK:
+			oclog(ws, LOG_DEBUG, "Enabling IPv6 routes/DNS because the agent is known to support them.");
 			break;
-		case AGENT_OPENCONNECT_V3:
 		case AGENT_UNKNOWN:
 		default:
-			req->no_ipv6 = 1;
-			oclog(ws, LOG_INFO, "IPv6 routes/DNS disabled because the agent is not known.");
+			oclog(ws, LOG_NOTICE, "Enabling IPv6 routes/DNS although the agent is unknown.");
+			break;
 		}
 	}
 

tests/Makefile.am

@@ -65,7 +65,8 @@ dist_check_SCRIPTS += haproxy-connect test-iroute test-multi-cookie test-pass-sc
 	multiple-routes json test-udp-listen-host test-max-same-1 test-script-multi-user \
 	apple-ios ipv6-iface test-namespace-listen disconnect-user disconnect-user2 \
 	ping-leases test-ban-local test-client-bypass-protocol ipv6-small-net test-camouflage \
-	test-camouflage-norealm vhost-traffic defvhost-traffic session-timeout test-occtl
+	test-camouflage-norealm vhost-traffic defvhost-traffic session-timeout test-occtl \
+	no-ipv6-ocv3
 
 if RADIUS_ENABLED
 dist_check_SCRIPTS += radius-group radius-multi-group radius-otp

tests/data/ipv6-iface.config

@@ -163,3 +163,5 @@ ping-leases = false
 # cookie. Legacy CISCO clients do not do that, and thus this option
 # should be set for them.
 #always-require-cert = false
+
+route = fd63:5c2c:462c:26c2:5ca:d418::/96

tests/no-ipv6-ocv3

@@ -0,0 +1,88 @@
+#!/bin/bash
+#
+# Copyright (C) 2023 Nikos Mavrogiannopoulos
+#
+# This file is part of ocserv.
+#
+# ocserv is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at
+# your option) any later version.
+#
+# ocserv is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with GnuTLS; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+SERV="${SERV:-../src/ocserv}"
+srcdir=${srcdir:-.}
+PIDFILE=ocserv-pid.$$.tmp
+CLIPID=oc-pid.$$.tmp
+IP=$(which ip)
+TMPFILE=$(mktemp)
+
+. `dirname $0`/common.sh
+
+eval "${GETPORT}"
+
+if test -z "${IP}";then
+	echo "no IP tool is present"
+	exit 77
+fi
+
+if test "$(id -u)" != "0";then
+	echo "This test must be run as root"
+	exit 77
+fi
+
+
+echo "Testing that ocserv doesn't assign IPv6 address on unknown clients... "
+
+function finish {
+  set +e
+  echo " * Cleaning up..."
+  test -n "${PID}" && kill ${PID} >/dev/null 2>&1
+  test -n "${PIDFILE}" && rm -f ${PIDFILE} >/dev/null 2>&1
+  test -n "${CLIPID}" && kill $(cat ${CLIPID}) >/dev/null 2>&1
+  test -n "${CLIPID}" && rm -f ${CLIPID} >/dev/null 2>&1
+  test -n "${CONFIG}" && rm -f ${CONFIG} >/dev/null 2>&1
+}
+trap finish EXIT
+
+ADDRESS=172.23.236.0
+CLI_ADDRESS=10.119.255.0
+VPNNET6=fd50:efcf:d5e5:636d:ffb2:edad:dfe8:5a5c/127
+VPNADDR6=fd50:efcf:d5e5:636d:ffb2:edad:dfe8:5a5d
+OCCTL_SOCKET=./ipv6-no-$$.socket
+USERNAME=test
+
+. `dirname $0`/ns.sh
+
+update_config ipv6-iface.config
+if test "$VERBOSE" = 1;then
+DEBUG="-d 3"
+fi
+
+${CMDNS2} ${SERV} -p ${PIDFILE} -f -c ${CONFIG} ${DEBUG} & PID=$!
+wait_server $PID
+
+echo -n "Connecting to setup interface... "
+echo "test" | ${CMDNS1} timeout 15s $OPENCONNECT -v $ADDRESS:$PORT --useragent="Open AnyConnect VPN Agent v3" --passwd-on-stdin -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s /bin/true >${TMPFILE} 2>&1
+
+echo ok
+
+cat ${TMPFILE}|grep X-CSTP-Split-Include|grep 'fd63:' >/dev/null
+if test $? = 0;then
+	cat ${TMPFILE}|grep X-CSTP-Split
+	echo "Found route that shouldn't be there"
+	exit 1
+fi
+
+kill $PID
+wait
+
+exit 0