AM_PROG_CC_C_O is obsolescent starting with Automake 1.14.
CentOS 7 ships Automake 1.13.4. Keep AM_PROG_CC_C_O as long as we need
to support CentOS 7, to avoid this warning:
src/Makefile.am:170: warning: compiling 'ccan/hash/hash.c' in
subdir requires 'AM_PROG_CC_C_O'
in 'configure.ac'
Signed-off-by: Dimitri Papadopoulos <3350651-DimitriPapadopoulos@users.noreply.gitlab.com>
The main benefit is that there is less manual work to add a
test (discovery of unique random addresses is not necessary),
but it also ensures that the tests can run on environments where the
previously hard-coded addresses were present.
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
Include the radiusd output with debugging information on stdout
for the radius tests. This allows better visibility to potential
configuration issues of radiusd.
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
The first argument is the full package name. Change it to match the
GitLab home page and documentation:
ocserv → OpenConnect VPN Server
The package tarname differs from the package name: the latter designates
the full package name, while the former is the distribution tarball name.
Because the tarname cannot be inferred from the newly modified full
package name, we have to set it explicitly:
ocserv
The last argument url should be the home page for the package.
Signed-off-by: Dimitri Papadopoulos <3350651-DimitriPapadopoulos@users.noreply.gitlab.com>
The warning is:
configure.ac:94: warning: gl_HOST_CPU_C_ABI_32BIT is
m4_require'd but not m4_defun'd
The reason was that m4/lib-prefix.m4 was missing this depedency:
m4/host-cpu-c-abi.m4
Signed-off-by: Dimitri Papadopoulos <3350651-DimitriPapadopoulos@users.noreply.gitlab.com>
From the Automake manual:
This is an obsolescent macro that checks that the C compiler
supports the -c and -o options together. Note that, since
Automake 1.14, the AC_PROG_CC is rewritten to implement such
checks itself, and thus the explicit use of AM_PROG_CC_C_O
should no longer be required.
Signed-off-by: Dimitri Papadopoulos <3350651-DimitriPapadopoulos@users.noreply.gitlab.com>
While each `syslog()` adds a new entry to the system log,
`fprintf(stder, ...)` does not automatically add a newline
to distinguish between entries. We need to add the newline
ourselves.
We tried to make _oc_syslog() as atomic as possible in the
context of a multi-process daemonn by keeping a single
`fprtinf()` call. Probably not perfect, but the best we
can do when printing to stderr instead of using the system
logger. Works only with the GNU C or compatible compiler.
Signed-off-by: Dimitri Papadopoulos <3350651-DimitriPapadopoulos@users.noreply.gitlab.com>
The third argument of the Autoconf macro AC_INIT() is bug-report.
The Autoconf 2.61 manual states this should be an email:
The optional argument bug-report should be the email to
which users should send bug reports.
The Autoconf 2.68 manual relaxes the requirement by adding:
AC_PACKAGE_BUGREPORT, PACKAGE_BUGREPORT
Exactly bug-report, if one was provided. Typically an
email address, or URL to a bug management web page.
Signed-off-by: Dimitri Papadopoulos <3350651-DimitriPapadopoulos@users.noreply.gitlab.com>
* Client IPs are essential for abuse handling
* NOTICE instead of INFO means they will be logged by default
Signed-off-by: Stefan Bühler <source@stbuehler.de>
This makes oc_syslog respect the configured log-level. This also introduces
a clear separation of the logging function between the two processes.
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
Separated the logging logically from any remaining debugging
features. Introduced command line option for logging to stderr
only (for systemd and containers). The default log level is set
to (2) info.
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
ocserv has sent IPv6 DNS/routes to AnyConnect clients since
e9b79254e7, but this comment was inadvertently
retained.
Signed-off-by: Daniel Lenski <dlenski@gmail.com>
We are now planning to change the default HTTP user-agent string in
the OpenConnect client. In order to improve compatibility with Cisco
servers, it needs to start with `AnyConnect`; likely, the complete
prefix will be `AnyConnect-compatible OpenConnect VPN Agent`. (Details
in https://gitlab.com/openconnect/openconnect/-/merge_requests/497)
ocserv treats clients differently depending on their user-agent
strings:
1. ocserv makes simplifications/accommodations in its authentication
flow to accommodate old versions of OpenConnect
(`AGENT_OPENCONNECTV3`).
https://gitlab.com/openconnect/ocserv/-/blob/master/src/worker-auth.c
2. `ocserv` entirely disables IPv6 for old versions of OpenConnect
(`AGENT_OPENCONNECTV3`) *and* for unknown client software
(`AGENT_UNKNOWN`).
https://gitlab.com/openconnect/ocserv/-/blob/master/src/worker-vpn.c#L2123-2136
At this point, ocserv seems to be aware of a reasonably-complete list
of compatible client software: AnyConnect, OpenConnect, Clavister
OneConnect, AnyLink, and Cisco SVC IPPhone.
Among these, *only* old OpenConnect clients are known to require special
handling to unconditionally disable IPv6.
This patch modifies ocserv so that the IPv6 is disabled *only* for old
OpenConnect clients, and not for unknown clients. This should make the
transition to OpenConnect's modified UA string go more smoothly.
This should also improve "future-proofness" generally. Accommodations
for buggy clients should specifically list the affected clients,
rather than include unknown clients, since unknown clients are most
likely to be newer clients, in which bugs and incompatibilities may
have been fixed.
Signed-off-by: Daniel Lenski <dlenski@gmail.com>
Wait for all processes to terminate within 5 seconds, and
report the number of processes that did not terminate.
Resolves: #563
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
