commit ocserv for openSUSE:Factory

29 Sep 2023

Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package ocserv for openSUSE:Factory checked in at 2023-09-29 21:14:04
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/ocserv (Old)
 and      /work/SRC/openSUSE:Factory/.ocserv.new.28202 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "ocserv"

Fri Sep 29 21:14:04 2023 rev:22 rq:1114117 version:1.2.2

Changes:
--------

--- /work/SRC/openSUSE:Factory/ocserv/ocserv.changes	2023-09-02 22:08:32.553170775 +0200
+++ /work/SRC/openSUSE:Factory/.ocserv.new.28202/ocserv.changes	2023-09-29 21:15:31.053956387 +0200
@@ -1,0 +2,9 @@
+Mon Sep 25 08:41:26 UTC 2023 - Martin Hauke <mardnh@gmx.de>
+
+- Update to version 1.2.2
+  * Fix session and accounting data tracking of ocserv. This
+  reverts fix for #444 (#541)
+  * No longer account ICMP and IGMP data for idle session detection
+- Update URL
+
+-------------------------------------------------------------------

Old:
----
  ocserv-1.2.1.tar.xz
  ocserv-1.2.1.tar.xz.sig

New:
----
  ocserv-1.2.2.tar.xz
  ocserv-1.2.2.tar.xz.sig

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ ocserv.spec ++++++
--- /var/tmp/diff_new_pack.oQ6dMl/_old	2023-09-29 21:15:32.850021189 +0200
+++ /var/tmp/diff_new_pack.oQ6dMl/_new	2023-09-29 21:15:32.850021189 +0200
@@ -17,12 +17,13 @@
 
 
 Name:           ocserv
-Version:        1.2.1
+Version:        1.2.2
 Release:        0
 Summary:        OpenConnect VPN Server
 License:        GPL-2.0-only
 Group:          Productivity/Networking/Security
-URL:            http://www.infradead.org/ocserv
+URL:            https://ocserv.gitlab.io/www/
+#Git-Clone:     https://gitlab.com/openconnect/ocserv.git
 Source:         ftp://ftp.infradead.org/pub/ocserv/%{name}-%{version}.tar.xz
 Source1:        ftp://ftp.infradead.org/pub/ocserv/%{name}-%{version}.tar.xz.sig
 Source2:        ca.tmpl
@@ -40,15 +41,14 @@
 Patch3:         %{name}-LZ4_compress_default.patch
 BuildRequires:  autogen
 BuildRequires:  dbus-1-devel
-%if 0%{suse_version} >= 1500
 BuildRequires:  firewall-macros
-%endif
 BuildRequires:  freeradius-client-devel
 BuildRequires:  gperf
 BuildRequires:  gpg2
 BuildRequires:  libev-devel
 #!BuildIgnore:  libevent-devel
 BuildRequires:  libgnutls-devel >= 3.1.10
+BuildRequires:  liblz4-devel
 BuildRequires:  libmaxminddb-devel
 BuildRequires:  libnl3-devel
 BuildRequires:  libprotobuf-c-devel
@@ -64,11 +64,7 @@
 BuildRequires:  rubygem(ronn)
 # /usr/bin/certtool for generating certificates
 Requires:       gnutls >= 3.1.10
-BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 %{?systemd_requires}
-%if 0%{?suse_version} > 1310
-BuildRequires:  liblz4-devel
-%endif
 
 %description
 OpenConnect server (ocserv) is an SSL VPN server. Its purpose is to
@@ -110,9 +106,7 @@
 make %{?_smp_mflags} DESTDIR=%{buildroot} install
 
 install -Dm 0755 %{SOURCE5} %{buildroot}%{_sbindir}/ocserv-forwarding
-%if 0%{suse_version} >= 1500
 install -D -m 644 %{SOURCE6} %{buildroot}%{_prefix}/lib/firewalld/services/ocserv.xml
-%endif
 
 install -d %{buildroot}%{_sysconfdir}/ocserv/certificates
 install -m 0644 %{SOURCE2} %{buildroot}%{_sysconfdir}/ocserv/certificates
@@ -136,9 +130,7 @@
 
 %post
 %service_add_post ocserv.service ocserv.socket
-%if 0%{suse_version} >= 1500
 %firewalld_reload
-%endif
 
 %preun
 %service_del_preun ocserv.service ocserv.socket
@@ -151,11 +143,9 @@
 %doc AUTHORS NEWS README.md
 %license COPYING
 %config %{_sysconfdir}/ocserv
-%if 0%{suse_version} >= 1500
 %dir %{_prefix}/lib/firewalld
 %dir %{_prefix}/lib/firewalld/services
 %{_prefix}/lib/firewalld/services/ocserv.xml
-%endif
 %{_bindir}/occtl
 %{_bindir}/ocpasswd
 %{_bindir}/ocserv-script


++++++ ocserv-1.2.1.tar.xz -> ocserv-1.2.2.tar.xz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ocserv-1.2.1/AUTHORS new/ocserv-1.2.2/AUTHORS
--- old/ocserv-1.2.1/AUTHORS	2023-08-22 15:11:05.000000000 +0200
+++ new/ocserv-1.2.2/AUTHORS	2023-09-21 21:14:26.000000000 +0200
@@ -16,11 +16,11 @@
 William Dauchy <w.dauchy at criteo.com>
 Alexey Dotsenko <lex at rwx.su>
 Daniel Lenski <daniel.lenski at finalphasesystems.com>
+Dimitri Papadopoulos <3234522+DimitriPapadopoulos at users.noreply.github.com>
 Frank Huang <chuang213 at gmail.com>
 Joerg Mayer <jmayer at loplof.de>
 Björn Ketelaars <bjorn.ketelaars at hydroxide.nl>
 David Woodhouse <dwmw2 at infradead.org>
-Dimitri Papadopoulos <3234522+DimitriPapadopoulos at users.noreply.github.com>
 Faidon Liambotis <paravoid at debian.org>
 John Thiltges <jthiltges2 at unl.edu>
 Leendert van Doorn <leendert at paramecium.org>
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ocserv-1.2.1/ChangeLog new/ocserv-1.2.2/ChangeLog
--- old/ocserv-1.2.1/ChangeLog	2023-08-22 15:11:06.000000000 +0200
+++ new/ocserv-1.2.2/ChangeLog	2023-09-21 21:14:27.000000000 +0200
@@ -1,3 +1,181 @@
+commit f616475643783995c4208ae205e288019eec18e5
+Author: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
+Date:   Thu Sep 21 21:14:05 2023 +0200
+
+    released 1.2.2
+    
+    Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
+
+commit ac49187a7ce4735d1de6c629558963e8b28e9b6e
+Author: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
+Date:   Wed Sep 20 22:10:53 2023 +0200
+
+    doc update
+    
+    Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
+
+commit 747940238dce29775aedec7a19f138065caaef8a
+Author: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
+Date:   Mon Sep 18 17:10:35 2023 +0200
+
+    tests: added test for idle and session timeout
+    
+    This checks the functionality of idle-timeout and
+    session-timeout as well as whether the cookies are
+    invalidated after the user is disconnected.
+    
+    Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
+
+commit 049d9e520e42575cfb56c951376b241635823be6
+Author: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
+Date:   Mon Sep 18 20:12:37 2023 +0200
+
+    worker: do not account ICMP/IGMP data for idle detection
+    
+    Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
+
+commit b0c9ef1e0e45e126e3ed6e896b81f696772c46b7
+Merge: f71538d2 61b6f0a9
+Author: Dimitri Papadopoulos Orfanos <3350651-DimitriPapadopoulos@users.noreply.gitlab.com>
+Date:   Fri Sep 15 13:57:33 2023 +0000
+
+    Merge branch 'static' into 'master'
+    
+    Make functions static where it makes sense
+    
+    See merge request openconnect/ocserv!370
+
+commit f71538d226d46e5dd7430f0b8733df43a09d1733
+Merge: a12873af d21d2c45
+Author: Dimitri Papadopoulos Orfanos <3350651-DimitriPapadopoulos@users.noreply.gitlab.com>
+Date:   Fri Sep 15 13:57:00 2023 +0000
+
+    Merge branch 'static_camouflage' into 'master'
+    
+    Make check_camouflage_url() static
+    
+    See merge request openconnect/ocserv!368
+
+commit a12873af21f031a693be9438f8867a6a58fa6191
+Merge: 8f4e2de4 b29d9156
+Author: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
+Date:   Fri Sep 15 13:29:41 2023 +0000
+
+    Merge branch 'codespell' into 'master'
+    
+    Fix misspelling newly reported by codespell
+    
+    See merge request openconnect/ocserv!369
+
+commit 8f4e2de4b561147ed44d11441c7cc7db42ea908f
+Merge: fbfbdc05 fec6cc99
+Author: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
+Date:   Fri Sep 15 13:29:04 2023 +0000
+
+    Merge branch 'rc_avpair_add' into 'master'
+    
+    worker: check the return value of rc_avpair_add()
+    
+    Closes #546
+    
+    See merge request openconnect/ocserv!372
+
+commit fbfbdc058ac3fb40f5d0bca3fc766a791b7d6ed6
+Author: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
+Date:   Fri Sep 15 15:06:01 2023 +0200
+
+    tests: use sec-mod-scale on cookie tests
+    
+    This ensures we catch issues similar to !288.
+    
+    Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
+
+commit 26258d7cb120939a92c5bfa6ebca016725b21c98
+Author: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
+Date:   Fri Sep 15 11:11:50 2023 +0200
+
+    Revert "Fixing issue: Authentication requests from the same IP address are not load balanced among security modules"
+    
+    Each cookie is valid for its IP address and when reconnected it must
+    reach the same sec-mod that contains the corresponding session
+    information.
+    
+    This reverts commit 4ec99609ca1d1ba986ee58a0695bab87c12ae7c7.
+    
+    Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
+
+commit fec6cc99083f4f7b9064a23d33f1f30f89221224
+Author: Dimitri Papadopoulos <3350651-DimitriPapadopoulos@users.noreply.gitlab.com>
+Date:   Fri Sep 15 13:43:27 2023 +0200
+
+    worker: check the return value of rc_avpair_add()
+    
+    We have been checking the return value of rc_avpair_add() in all cases,
+    except the PW_NAS_IP_ADDRESS/PW_NAS_IPV6_ADDRESS cases.
+    
+    Signed-off-by: Dimitri Papadopoulos <3350651-DimitriPapadopoulos@users.noreply.gitlab.com>
+
+commit 61b6f0a9248a82742ff1961f09b06ab4a97926b8
+Author: Dimitri Papadopoulos <3350651-DimitriPapadopoulos@users.noreply.gitlab.com>
+Date:   Mon Sep 11 19:38:44 2023 +0200
+
+    Make functions static where it makes sense
+    
+    Signed-off-by: Dimitri Papadopoulos <3350651-DimitriPapadopoulos@users.noreply.gitlab.com>
+
+commit b29d9156996fb8356093571357d68d6e2fa014b3
+Author: Dimitri Papadopoulos <3350651-DimitriPapadopoulos@users.noreply.gitlab.com>
+Date:   Mon Sep 11 19:18:00 2023 +0200
+
+    Fix misspelling newly reported by codespell
+    
+    Signed-off-by: Dimitri Papadopoulos <3350651-DimitriPapadopoulos@users.noreply.gitlab.com>
+
+commit d21d2c455c6041bef294e2bb9b43c86680a31b40
+Author: Dimitri Papadopoulos <3350651-DimitriPapadopoulos@users.noreply.gitlab.com>
+Date:   Mon Sep 11 19:03:27 2023 +0200
+
+    Make check_camouflage_url() static
+    
+    It is called only from worker-vpn.c.
+    
+    Signed-off-by: Dimitri Papadopoulos <3350651-DimitriPapadopoulos@users.noreply.gitlab.com>
+
+commit 6dd533a10c37eb000056b774a02b55aaa31f578e
+Author: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
+Date:   Sat Sep 2 20:54:15 2023 +0200
+
+    bumped version
+    
+    Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
+
+commit 16b86e751ae3232a5420b8dbbb3416310f9b8d18
+Merge: 6aad62e2 ab8a05e4
+Author: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
+Date:   Sat Sep 2 18:52:26 2023 +0000
+
+    Merge branch 'TODO' into 'master'
+    
+    Why not delete TODO instead of only emptying it?
+    
+    See merge request openconnect/ocserv!365
+
+commit ab8a05e4c2eef5e20defe7a64e8e5145926f2efd
+Author: Dimitri Papadopoulos <3234522+DimitriPapadopoulos@users.noreply.github.com>
+Date:   Fri Sep 1 18:26:29 2023 +0300
+
+    Why not delete TODO instead of only emptying it?
+    
+    Signed-off-by: Dimitri Papadopoulos <3234522+DimitriPapadopoulos@users.noreply.github.com>
+
+commit 6aad62e2666044f23d0364d5696c852414181e78
+Author: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
+Date:   Mon Aug 28 20:48:02 2023 +0200
+
+    debug: increased default log-level to debug
+    
+    Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
+
 commit 895a23f372fd2ef7f29c8ccd635e33b32de0915f
 Author: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
 Date:   Tue Aug 22 15:10:32 2023 +0200
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ocserv-1.2.1/Makefile.in new/ocserv-1.2.2/Makefile.in
--- old/ocserv-1.2.1/Makefile.in	2023-07-27 22:41:32.000000000 +0200
+++ new/ocserv-1.2.2/Makefile.in	2023-09-15 10:47:16.000000000 +0200
@@ -168,7 +168,7 @@
 	$(top_srcdir)/tests/data/pam/nss-passwd.in \
 	$(top_srcdir)/tests/data/pam/ocserv.in \
 	$(top_srcdir)/tests/data/raddb/radiusd.conf.in AUTHORS COPYING \
-	ChangeLog INSTALL NEWS README.md TODO build-aux/ar-lib \
+	ChangeLog INSTALL NEWS README.md build-aux/ar-lib \
 	build-aux/compile build-aux/config.guess \
 	build-aux/config.rpath build-aux/config.sub build-aux/depcomp \
 	build-aux/install-sh build-aux/missing
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ocserv-1.2.1/NEWS new/ocserv-1.2.2/NEWS
--- old/ocserv-1.2.1/NEWS	2023-08-22 15:10:12.000000000 +0200
+++ new/ocserv-1.2.2/NEWS	2023-09-21 21:13:51.000000000 +0200
@@ -1,3 +1,9 @@
+* Version 1.2.2 (released 2023-09-21)
+- Fix session and accounting data tracking of ocserv. This
+  reverts fix for #444 (#541)
+- No longer account ICMP and IGMP data for idle session detection
+
+
 * Version 1.2.1 (released 2023-08-22)
 - Accept the Clavister OneConnect VPN Android client (#485)
 - No longer require to set device name per vhost (#480)
@@ -242,7 +248,7 @@
 
 
 * Version 0.11.7 (released 2017-02-12)
-- Fixed compilation issue related to autogen file re-use
+- Fixed compilation issue related to autogen file reuse
 - Send the "vpn-profile-manifest" fields after successful authentication.
   This enables openconnect to retrieve the XML configuration.
 - Enhanced the cert-user-oid config option to read the SAN(rfc822name) value.
@@ -574,7 +580,7 @@
 - Added configuration option 'listen-host-is-dyndns'. That,
   if set, notifies the client with "X-CSTP-DynDNS: true", in
   CSTP headers.
-- When a client's IP is re-used by the same client connecting with
+- When a client's IP is reused by the same client connecting with
   the cookie (e.g., when roaming), call the disconnect script.
 
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ocserv-1.2.1/configure new/ocserv-1.2.2/configure
--- old/ocserv-1.2.1/configure	2023-07-27 22:41:31.000000000 +0200
+++ new/ocserv-1.2.2/configure	2023-09-15 10:47:15.000000000 +0200
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.71 for ocserv 1.2.1.
+# Generated by GNU Autoconf 2.71 for ocserv 1.2.2.
 #
 # Report bugs to <openconnect-devel@lists.infradead.org>.
 #
@@ -611,8 +611,8 @@
 # Identity of this package.
 PACKAGE_NAME='ocserv'
 PACKAGE_TARNAME='ocserv'
-PACKAGE_VERSION='1.2.1'
-PACKAGE_STRING='ocserv 1.2.1'
+PACKAGE_VERSION='1.2.2'
+PACKAGE_STRING='ocserv 1.2.2'
 PACKAGE_BUGREPORT='openconnect-devel@lists.infradead.org'
 PACKAGE_URL=''
 
@@ -1559,7 +1559,7 @@
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures ocserv 1.2.1 to adapt to many kinds of systems.
+\`configure' configures ocserv 1.2.2 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1630,7 +1630,7 @@
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of ocserv 1.2.1:";;
+     short | recursive ) echo "Configuration of ocserv 1.2.2:";;
    esac
   cat <<\_ACEOF
 
@@ -1864,7 +1864,7 @@
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-ocserv configure 1.2.1
+ocserv configure 1.2.2
 generated by GNU Autoconf 2.71
 
 Copyright (C) 2021 Free Software Foundation, Inc.
@@ -2469,7 +2469,7 @@
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by ocserv $as_me 1.2.1, which was
+It was created by ocserv $as_me 1.2.2, which was
 generated by GNU Autoconf 2.71.  Invocation command line was
 
   $ $0$ac_configure_args_raw
@@ -3873,7 +3873,7 @@
 
 # Define the identity of the package.
  PACKAGE='ocserv'
- VERSION='1.2.1'
+ VERSION='1.2.2'
 
 
 printf "%s\n" "#define PACKAGE \"$PACKAGE\"" >>confdefs.h
@@ -19739,7 +19739,7 @@
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by ocserv $as_me 1.2.1, which was
+This file was extended by ocserv $as_me 1.2.2, which was
 generated by GNU Autoconf 2.71.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -19807,7 +19807,7 @@
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config='$ac_cs_config_escaped'
 ac_cs_version="\\
-ocserv config.status 1.2.1
+ocserv config.status 1.2.2
 configured by $0, generated by GNU Autoconf 2.71,
   with options \\"\$ac_cs_config\\"
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ocserv-1.2.1/configure.ac new/ocserv-1.2.2/configure.ac
--- old/ocserv-1.2.1/configure.ac	2023-07-27 15:50:33.000000000 +0200
+++ new/ocserv-1.2.2/configure.ac	2023-09-02 20:54:07.000000000 +0200
@@ -1,5 +1,5 @@
 AC_PREREQ(2.61)
-AC_INIT([ocserv], [1.2.1], [openconnect-devel@lists.infradead.org])
+AC_INIT([ocserv], [1.2.2], [openconnect-devel@lists.infradead.org])
 PKG_PROG_PKG_CONFIG
 AC_CONFIG_AUX_DIR([build-aux])
 AC_CONFIG_MACRO_DIR([m4])
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ocserv-1.2.1/doc/Makefile.in new/ocserv-1.2.2/doc/Makefile.in
--- old/ocserv-1.2.1/doc/Makefile.in	2023-07-27 22:41:32.000000000 +0200
+++ new/ocserv-1.2.2/doc/Makefile.in	2023-09-15 10:47:16.000000000 +0200
@@ -383,9 +383,9 @@
 	      exit 1;; \
 	  esac; \
 	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu doc/Makefile'; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign doc/Makefile'; \
 	$(am__cd) $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu doc/Makefile
+	  $(AUTOMAKE) --foreign doc/Makefile
 Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
 	@case '$?' in \
 	  *config.status*) \
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ocserv-1.2.1/doc/ocserv.8 new/ocserv-1.2.2/doc/ocserv.8
--- old/ocserv-1.2.1/doc/ocserv.8	2023-07-11 17:04:53.000000000 +0200
+++ new/ocserv-1.2.2/doc/ocserv.8	2023-09-18 17:11:01.000000000 +0200
@@ -1,6 +1,6 @@
 .\" generated with Ronn-NG/v0.9.1
 .\" http://github.com/apjanke/ronn-ng/tree/0.9.1
-.TH "OCSERV" "8" "July 2023" ""
+.TH "OCSERV" "8" "September 2023" ""
 .SH "NAME"
 \fBocserv\fR \- OpenConnect VPN server
 .SH "SYNOPSIS"
@@ -550,7 +550,7 @@
 #persistent\-cookies = true
 
 # Whether roaming is allowed, i\.e\., if true a cookie is
-# restricted to a single IP address and cannot be re\-used
+# restricted to a single IP address and cannot be reused
 # from a different IP\.
 deny\-roaming = false
 
@@ -622,7 +622,7 @@
 #   4 http
 #   8 sensitive
 #   9 TLS
-log\-level = 1
+log\-level = 3
 
 # Set the protocol\-defined priority (SO_PRIORITY) for packets to
 # be sent\. That is a number from 0 to 6 with 0 being the lowest
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ocserv-1.2.1/doc/sample.config new/ocserv-1.2.2/doc/sample.config
--- old/ocserv-1.2.1/doc/sample.config	2023-07-11 14:54:03.000000000 +0200
+++ new/ocserv-1.2.2/doc/sample.config	2023-09-15 15:59:02.000000000 +0200
@@ -376,7 +376,7 @@
 #persistent-cookies = true
 
 # Whether roaming is allowed, i.e., if true a cookie is
-# restricted to a single IP address and cannot be re-used
+# restricted to a single IP address and cannot be reused
 # from a different IP.
 deny-roaming = false
 
@@ -448,7 +448,7 @@
 #   4 http
 #   8 sensitive
 #   9 TLS
-log-level = 1
+log-level = 3
 
 # Set the protocol-defined priority (SO_PRIORITY) for packets to
 # be sent. That is a number from 0 to 6 with 0 being the lowest
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ocserv-1.2.1/src/Makefile.in new/ocserv-1.2.2/src/Makefile.in
--- old/ocserv-1.2.1/src/Makefile.in	2023-07-27 22:41:32.000000000 +0200
+++ new/ocserv-1.2.2/src/Makefile.in	2023-09-15 10:47:16.000000000 +0200
@@ -839,9 +839,9 @@
 	      exit 1;; \
 	  esac; \
 	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/Makefile'; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign src/Makefile'; \
 	$(am__cd) $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu src/Makefile
+	  $(AUTOMAKE) --foreign src/Makefile
 Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
 	@case '$?' in \
 	  *config.status*) \
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ocserv-1.2.1/src/auth/radius.c new/ocserv-1.2.2/src/auth/radius.c
--- old/ocserv-1.2.1/src/auth/radius.c	2023-06-17 06:37:42.000000000 +0200
+++ new/ocserv-1.2.2/src/auth/radius.c	2023-09-15 15:59:02.000000000 +0200
@@ -287,9 +287,21 @@
 
 		if (inet_pton(AF_INET, pctx->our_ip, &in) != 0) {
 			in.s_addr = ntohl(in.s_addr);
-			rc_avpair_add(pctx->vctx->rh, &send, PW_NAS_IP_ADDRESS, (char*)&in, sizeof(struct in_addr), 0);
+			if (rc_avpair_add(pctx->vctx->rh, &send, PW_NAS_IP_ADDRESS, (char*)&in, sizeof(struct in_addr), 0) == NULL) {
+				syslog(LOG_ERR,
+				       "%s:%u: error in constructing radius message for user '%s'", __func__, __LINE__,
+				       pctx->username);
+				ret = ERR_AUTH_FAIL;
+				goto cleanup;
+			}
 		} else if (inet_pton(AF_INET6, pctx->our_ip, &in6) != 0) {
-			rc_avpair_add(pctx->vctx->rh, &send, PW_NAS_IPV6_ADDRESS, (char*)&in6, sizeof(struct in6_addr), 0);
+			if (rc_avpair_add(pctx->vctx->rh, &send, PW_NAS_IPV6_ADDRESS, (char*)&in6, sizeof(struct in6_addr), 0) == NULL) {
+				syslog(LOG_ERR,
+				       "%s:%u: error in constructing radius message for user '%s'", __func__, __LINE__,
+				       pctx->username);
+				ret = ERR_AUTH_FAIL;
+				goto cleanup;
+			}
 		}
 	}
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ocserv-1.2.1/src/ip-lease.c new/ocserv-1.2.2/src/ip-lease.c
--- old/ocserv-1.2.1/src/ip-lease.c	2023-06-16 19:01:24.000000000 +0200
+++ new/ocserv-1.2.2/src/ip-lease.c	2023-09-15 15:59:02.000000000 +0200
@@ -27,7 +27,7 @@
 #include <icmp-ping.h>
 #include <arpa/inet.h>
 
-void ip_from_seed(uint8_t *seed, unsigned seed_size,
+static void ip_from_seed(uint8_t *seed, unsigned seed_size,
 		void *ip, size_t ip_size)
 {
 	uint8_t digest[20];
@@ -104,7 +104,7 @@
 void steal_ip_leases(struct proc_st* proc, struct proc_st *thief)
 {
 	/* here we reset the old tun device, and assign the old addresses
-	 * to a new device. We cannot re-use the old device because the
+	 * to a new device. We cannot reuse the old device because the
 	 * fd is only available to the worker process and not here (main)
 	 */
 	reset_tun(proc);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ocserv-1.2.1/src/main-auth.c new/ocserv-1.2.2/src/main-auth.c
--- old/ocserv-1.2.1/src/main-auth.c	2023-06-09 15:21:22.000000000 +0200
+++ new/ocserv-1.2.2/src/main-auth.c	2023-09-15 15:59:02.000000000 +0200
@@ -201,7 +201,7 @@
 		put_into_cgroup(s, proc->config->cgroup, proc->pid);
 	}
 
-	/* disconnect and re-use previous session's IPs*/
+	/* disconnect and reuse previous session's IPs*/
 	if (old_proc != NULL) {
 		if (strcmp(proc->username, old_proc->username) != 0) {
 			mslog(s, old_proc, LOG_ERR, "the user of the new session doesn't match the old (new: %s)",
@@ -209,7 +209,7 @@
 			return -1;
 		}
 
-		mslog(s, old_proc, LOG_INFO, "disconnecting previous user session due to session re-use");
+		mslog(s, old_proc, LOG_INFO, "disconnecting previous user session due to session reuse");
 
 		/* steal its leases */
 		steal_ip_leases(old_proc, proc);
@@ -245,7 +245,7 @@
  * users are found.
  *
  * In addition this function will also check whether the cookie
- * used had been re-used before, and then disconnect the old session
+ * used had been reused before, and then disconnect the old session
  * (cookies are unique).
  */
 int check_multiple_users(main_server_st *s, struct proc_st* proc)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ocserv-1.2.1/src/main.c new/ocserv-1.2.2/src/main.c
--- old/ocserv-1.2.1/src/main.c	2023-06-16 19:01:03.000000000 +0200
+++ new/ocserv-1.2.2/src/main.c	2023-09-19 11:08:49.000000000 +0200
@@ -1078,7 +1078,6 @@
 		pid = fork();
 		if (pid == 0) {	/* child */
 			unsigned int sec_mod_instance_index;
-			char buf[MAX_IP_STR]; // buffer holding human readable sockaddr
 			/* close any open descriptors, and erase
 			 * sensitive data before running the worker
 			 */
@@ -1096,10 +1095,12 @@
 
 			set_self_oom_score_adj(s);
 
-			sec_mod_instance_index = hash_any(&ws->remote_addr, ws->remote_addr_len, 0) % s->sec_mod_instance_count;
-			mslog(s, NULL, LOG_DEBUG, "map worker serving remote address %s to secmod instance %u",
-				human_addr((struct sockaddr*)&ws->remote_addr, ws->remote_addr_len, buf, sizeof(buf)),
-				sec_mod_instance_index);
+			/* Each cookie is valid for its IP address and when resuming it must
+			 * reach the same sec-mod process that contains the corresponding
+			 * session information under the SID. */
+			sec_mod_instance_index = hash_any(
+				SA_IN_P_GENERIC(&ws->remote_addr, ws->remote_addr_len),
+				SA_IN_SIZE(ws->remote_addr_len), 0) % s->sec_mod_instance_count;
 
 			/* write sec-mod's address */
 			memcpy(&ws->secmod_addr, &s->sec_mod_instances[sec_mod_instance_index].secmod_addr, s->sec_mod_instances[sec_mod_instance_index].secmod_addr_len);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ocserv-1.2.1/src/sec-mod.h new/ocserv-1.2.2/src/sec-mod.h
--- old/ocserv-1.2.1/src/sec-mod.h	2023-07-18 11:31:59.000000000 +0200
+++ new/ocserv-1.2.2/src/sec-mod.h	2023-09-15 15:59:02.000000000 +0200
@@ -86,7 +86,7 @@
 typedef struct client_entry_st {
 	/* A unique session identifier used to distinguish sessions
 	 * prior to authentication. It is sent as cookie to the client
-	 * who re-uses it when it performs authentication in multiple
+	 * who reuses it when it performs authentication in multiple
 	 * sessions.
 	 */
 	uint8_t sid[SID_SIZE];
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ocserv-1.2.1/src/version.inc new/ocserv-1.2.2/src/version.inc
--- old/ocserv-1.2.1/src/version.inc	2023-08-16 13:04:35.000000000 +0200
+++ new/ocserv-1.2.2/src/version.inc	2023-09-20 17:23:35.000000000 +0200
@@ -1 +1 @@
-version = "1.2.1";
+version = "1.2.2";
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ocserv-1.2.1/src/worker-vpn.c new/ocserv-1.2.2/src/worker-vpn.c
--- old/ocserv-1.2.1/src/worker-vpn.c	2023-08-22 15:08:45.000000000 +0200
+++ new/ocserv-1.2.2/src/worker-vpn.c	2023-09-20 11:22:18.000000000 +0200
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2013-2018 Nikos Mavrogiannopoulos
+ * Copyright (C) 2013-2023 Nikos Mavrogiannopoulos
  * Copyright (C) 2015, 2016 Red Hat, Inc.
  *
  * This file is part of ocserv.
@@ -493,6 +493,7 @@
 	ban_ip_reply_msg__free_unpacked(reply, &pa);
 }
 
+static
 void send_stats_to_secmod(worker_st * ws, time_t now, unsigned discon_reason)
 {
 	CliStatsMsg msg = CLI_STATS_MSG__INIT;
@@ -753,7 +754,7 @@
 }
 #endif
 
-void check_camouflage_url(struct worker_st *ws)
+static void check_camouflage_url(struct worker_st *ws)
 {
 	if (WSCONFIG(ws)->camouflage_secret == NULL)
 		return;
@@ -1615,6 +1616,23 @@
 	return ret;
 }
 
+/* Returns true if the data provided are not IP control messages
+ * (ICMP, IGMP). */
+static bool is_data(const uint8_t *data, size_t size)
+{
+	if (size > 20) {
+		uint8_t version = data[0] >> 4;
+		if (version == 0x04) {
+			if (data[9] == 0x01 || data[9] == 0x02) /* ICMP/IGMP */
+				return 0;
+		} else if (version == 0x06) {
+			if (data[9] == 0x3A || data[9] == 0x80)
+				return 0;
+		}
+	}
+	return 1;
+}
+
 static int tun_mainloop(struct worker_st *ws, struct timespec *tnow)
 {
 	int ret, l, e;
@@ -1643,7 +1661,6 @@
 		return 0;
 	}
 
-
 	dtls_to_send.data = ws->buffer;
 	dtls_to_send.size = l;
 
@@ -1730,7 +1747,9 @@
 			ret = cstp_send(ws, cstp_to_send.data, cstp_to_send.size + 8);
 			CSTP_FATAL_ERR_CMD(ws, ret, exit_worker_reason(ws, REASON_ERROR));
 		}
-		ws->last_nc_msg = tnow->tv_sec;
+
+		if (is_data(ws->buffer + 8, l)) /* do not account ICMP */
+			ws->last_nc_msg = tnow->tv_sec;
 	}
 
 	return 0;
@@ -2595,7 +2614,9 @@
 			return -1;
 		}
 		ws->tun_bytes_in += plain_size;
-		ws->last_nc_msg = now;
+
+		if (is_data(plain, plain_size)) /* do not account ICMP */
+			ws->last_nc_msg = now;
 
 		break;
 	default:
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ocserv-1.2.1/tests/Makefile.am new/ocserv-1.2.2/tests/Makefile.am
--- old/ocserv-1.2.1/tests/Makefile.am	2023-07-27 15:50:33.000000000 +0200
+++ new/ocserv-1.2.2/tests/Makefile.am	2023-09-19 11:08:59.000000000 +0200
@@ -46,7 +46,8 @@
 	data/haproxy-proxyproto-v1.cfg scripts/proxy-connectscript-v1 data/test-multiple-client-ip.config \
 	data/test-client-bypass-protocol.config asan.supp certs/ca.tmpl certs/server-cert.tmpl \
 	certs/user-cert.tmpl data/test-camouflage.config data/test-camouflage-norealm.config \
-	data/radius-multi-group.config data/test-group-cert.config
+	data/radius-multi-group.config data/test-group-cert.config data/session-timeout.config \
+	data/idle-timeout.config
 
 xfail_scripts =
 dist_check_SCRIPTS =  ocpasswd-test
@@ -59,12 +60,12 @@
 if ENABLE_ROOT_TESTS
 #other root requiring tests
 dist_check_SCRIPTS += haproxy-connect test-iroute test-multi-cookie test-pass-script \
-	test-cookie-timeout test-cookie-timeout-2 test-explicit-ip \
+	idle-timeout test-cookie-timeout test-cookie-timeout-2 test-explicit-ip \
 	test-cookie-invalidation test-user-config test-append-routes test-ban \
 	multiple-routes json test-udp-listen-host test-max-same-1 test-script-multi-user \
 	apple-ios ipv6-iface test-namespace-listen disconnect-user disconnect-user2 \
 	ping-leases test-ban-local test-client-bypass-protocol ipv6-small-net test-camouflage \
-	test-camouflage-norealm vhost-traffic defvhost-traffic
+	test-camouflage-norealm vhost-traffic defvhost-traffic session-timeout
 
 if RADIUS_ENABLED
 dist_check_SCRIPTS += radius-group radius-multi-group radius-otp
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ocserv-1.2.1/tests/Makefile.in new/ocserv-1.2.2/tests/Makefile.in
--- old/ocserv-1.2.1/tests/Makefile.in	2023-07-27 22:41:32.000000000 +0200
+++ new/ocserv-1.2.2/tests/Makefile.in	2023-09-21 21:14:27.000000000 +0200
@@ -94,12 +94,12 @@
 
 #other root requiring tests
 @ENABLE_ROOT_TESTS_TRUE@am__append_5 = haproxy-connect test-iroute test-multi-cookie test-pass-script \
-@ENABLE_ROOT_TESTS_TRUE@	test-cookie-timeout test-cookie-timeout-2 test-explicit-ip \
+@ENABLE_ROOT_TESTS_TRUE@	idle-timeout test-cookie-timeout test-cookie-timeout-2 test-explicit-ip \
 @ENABLE_ROOT_TESTS_TRUE@	test-cookie-invalidation test-user-config test-append-routes test-ban \
 @ENABLE_ROOT_TESTS_TRUE@	multiple-routes json test-udp-listen-host test-max-same-1 test-script-multi-user \
 @ENABLE_ROOT_TESTS_TRUE@	apple-ios ipv6-iface test-namespace-listen disconnect-user disconnect-user2 \
 @ENABLE_ROOT_TESTS_TRUE@	ping-leases test-ban-local test-client-bypass-protocol ipv6-small-net test-camouflage \
-@ENABLE_ROOT_TESTS_TRUE@	test-camouflage-norealm vhost-traffic defvhost-traffic
+@ENABLE_ROOT_TESTS_TRUE@	test-camouflage-norealm vhost-traffic defvhost-traffic session-timeout
 
 @ENABLE_ROOT_TESTS_TRUE@@RADIUS_ENABLED_TRUE@am__append_6 = radius-group radius-multi-group radius-otp
 @ENABLE_ROOT_TESTS_TRUE@am__append_7 = traffic lz4-compression lzs-compression \
@@ -207,22 +207,23 @@
 valid_hostname_DEPENDENCIES = $(am__DEPENDENCIES_2)
 am__dist_check_SCRIPTS_DIST = ocpasswd-test server-cert-ed25519 \
 	server-cert-rsa-pss haproxy-connect test-iroute \
-	test-multi-cookie test-pass-script test-cookie-timeout \
-	test-cookie-timeout-2 test-explicit-ip \
+	test-multi-cookie test-pass-script idle-timeout \
+	test-cookie-timeout test-cookie-timeout-2 test-explicit-ip \
 	test-cookie-invalidation test-user-config test-append-routes \
 	test-ban multiple-routes json test-udp-listen-host \
 	test-max-same-1 test-script-multi-user apple-ios ipv6-iface \
 	test-namespace-listen disconnect-user disconnect-user2 \
 	ping-leases test-ban-local test-client-bypass-protocol \
 	ipv6-small-net test-camouflage test-camouflage-norealm \
-	vhost-traffic defvhost-traffic radius-group radius-multi-group \
-	radius-otp traffic lz4-compression lzs-compression \
-	aes256-cipher aes128-cipher oc-aes256-gcm-cipher \
-	oc-aes128-gcm-cipher test-config-per-group \
-	ac-aes128-gcm-cipher ac-aes256-gcm-cipher no-dtls-cipher \
-	psk-negotiate psk-negotiate-match test-multiple-client-ip \
-	radius radius-config test-vhost test-pass test-pass-cert \
-	test-cert test-group-pass test-pass-group-cert \
+	vhost-traffic defvhost-traffic session-timeout radius-group \
+	radius-multi-group radius-otp traffic lz4-compression \
+	lzs-compression aes256-cipher aes128-cipher \
+	oc-aes256-gcm-cipher oc-aes128-gcm-cipher \
+	test-config-per-group ac-aes128-gcm-cipher \
+	ac-aes256-gcm-cipher no-dtls-cipher psk-negotiate \
+	psk-negotiate-match test-multiple-client-ip radius \
+	radius-config test-vhost test-pass test-pass-cert test-cert \
+	test-group-pass test-pass-group-cert \
 	test-pass-group-cert-no-pass test-sighup test-enc-key \
 	test-sighup-key-change test-get-cert test-san-cert test-gssapi \
 	test-pass-opt-cert test-cert-opt-pass test-gssapi-opt-pass \
@@ -790,7 +791,8 @@
 	data/haproxy-proxyproto-v1.cfg scripts/proxy-connectscript-v1 data/test-multiple-client-ip.config \
 	data/test-client-bypass-protocol.config asan.supp certs/ca.tmpl certs/server-cert.tmpl \
 	certs/user-cert.tmpl data/test-camouflage.config data/test-camouflage-norealm.config \
-	data/radius-multi-group.config data/test-group-cert.config
+	data/radius-multi-group.config data/test-group-cert.config data/session-timeout.config \
+	data/idle-timeout.config
 
 xfail_scripts = 
 dist_check_SCRIPTS = ocpasswd-test $(am__append_4) $(am__append_5) \
@@ -845,9 +847,9 @@
 	      exit 1;; \
 	  esac; \
 	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu tests/Makefile'; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign tests/Makefile'; \
 	$(am__cd) $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu tests/Makefile
+	  $(AUTOMAKE) --foreign tests/Makefile
 Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
 	@case '$?' in \
 	  *config.status*) \
@@ -1377,6 +1379,13 @@
 	--log-file $$b.log --trs-file $$b.trs \
 	$(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
 	"$$tst" $(AM_TESTS_FD_REDIRECT)
+idle-timeout.log: idle-timeout
+	@p='idle-timeout'; \
+	b='idle-timeout'; \
+	$(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
+	--log-file $$b.log --trs-file $$b.trs \
+	$(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
+	"$$tst" $(AM_TESTS_FD_REDIRECT)
 test-cookie-timeout.log: test-cookie-timeout
 	@p='test-cookie-timeout'; \
 	b='test-cookie-timeout'; \
@@ -1551,6 +1560,13 @@
 	$(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
 	--log-file $$b.log --trs-file $$b.trs \
 	$(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
+	"$$tst" $(AM_TESTS_FD_REDIRECT)
+session-timeout.log: session-timeout
+	@p='session-timeout'; \
+	b='session-timeout'; \
+	$(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
+	--log-file $$b.log --trs-file $$b.trs \
+	$(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
 	"$$tst" $(AM_TESTS_FD_REDIRECT)
 radius-group.log: radius-group
 	@p='radius-group'; \
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ocserv-1.2.1/tests/data/idle-timeout.config new/ocserv-1.2.2/tests/data/idle-timeout.config
--- old/ocserv-1.2.1/tests/data/idle-timeout.config	1970-01-01 01:00:00.000000000 +0100
+++ new/ocserv-1.2.2/tests/data/idle-timeout.config	2023-09-20 22:09:54.000000000 +0200
@@ -0,0 +1,187 @@
+# User authentication method. Could be set multiple times and in that case
+# all should succeed.
+# Options: certificate, pam.
+#auth = "certificate"
+auth = "plain[./data/test1.passwd]"
+#auth = "pam"
+
+isolate-workers = @ISOLATE_WORKERS@
+
+occtl-socket-file = @OCCTL_SOCKET@
+use-occtl = true
+
+# A banner to be displayed on clients
+#banner = "Welcome"
+
+# Use listen-host to limit to specific IPs or to the IPs of a provided hostname.
+#listen-host = [IP|HOSTNAME]
+
+use-dbus = no
+
+# Limit the number of clients. Unset or set to zero for unlimited.
+#max-clients = 1024
+max-clients = 16
+
+# Limit the number of client connections to one every X milliseconds
+# (X is the provided value). Set to zero for no limit.
+#rate-limit-ms = 100
+
+# Limit the number of identical clients (i.e., users connecting multiple times)
+# Unset or set to zero for unlimited.
+max-same-clients = 2
+
+# TCP and UDP port number
+tcp-port = @PORT@
+udp-port = @PORT@
+
+# Keepalive in seconds
+keepalive = 32400
+
+# Dead peer detection in seconds
+dpd = 440
+
+# MTU discovery (DPD must be enabled)
+try-mtu-discovery = false
+
+# The key and the certificates of the server
+# The key may be a file, or any URL supported by GnuTLS (e.g.,
+# tpmkey:uuid=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx;storage=user
+# or pkcs11:object=my-vpn-key;object-type=private)
+#
+# There may be multiple certificate and key pairs and each key
+# should correspond to the preceding certificate.
+server-cert = ./certs/server-cert.pem
+server-key = ./certs/server-key.pem
+
+# Diffie-Hellman parameters. Only needed if you require support
+# for the DHE ciphersuites (by default this server supports ECDHE).
+# Can be generated using:
+# certtool --generate-dh-params --outfile /path/to/dh.pem
+#dh-params = /path/to/dh.pem
+
+# If you have a certificate from a CA that provides an OCSP
+# service you may provide a fresh OCSP status response within
+# the TLS handshake. That will prevent the client from connecting
+# independently on the OCSP server.
+# You can update this response periodically using:
+# ocsptool --ask --load-cert=your_cert --load-issuer=your_ca --outfile response
+# Make sure that you replace the following file in an atomic way.
+#ocsp-response = /path/to/ocsp.der
+
+# In case PKCS #11 or TPM keys are used the PINs should be available
+# in files. The srk-pin-file is applicable to TPM keys only (It's the storage
+# root key).
+#pin-file = /path/to/pin.txt
+#srk-pin-file = /path/to/srkpin.txt
+
+# The Certificate Authority that will be used
+# to verify clients if certificate authentication
+# is set.
+#ca-cert = /path/to/ca.pem
+
+# The object identifier that will be used to read the user ID in the client certificate.
+# The object identifier should be part of the certificate's DN
+# Useful OIDs are:
+#  CN = 2.5.4.3, UID = 0.9.2342.19200300.100.1.1
+#cert-user-oid = 0.9.2342.19200300.100.1.1
+
+# The object identifier that will be used to read the user group in the client
+# certificate. The object identifier should be part of the certificate's DN
+# Useful OIDs are:
+#  OU (organizational unit) = 2.5.4.11
+#cert-group-oid = 2.5.4.11
+
+# A revocation list of ca-cert is set
+#crl = /path/to/crl.pem
+
+# GnuTLS priority string
+tls-priorities = "PERFORMANCE:%SERVER_PRECEDENCE:%COMPAT"
+
+# To enforce perfect forward secrecy (PFS) on the main channel.
+#tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA"
+
+# The time (in seconds) that a client is allowed to stay connected prior
+# to authentication
+auth-timeout = 40
+
+# The time (in seconds) that a client is not allowed to reconnect after
+# a failed authentication attempt.
+#min-reauth-time = 2
+
+# Cookie timeout (in seconds)
+# Once a client is authenticated he's provided a cookie with
+# which he can reconnect. That cookie will be invalided if not
+# used within this timeout value. On a user disconnection, that
+# cookie will also be active for this time amount prior to be
+# invalid. That should allow a reasonable amount of time for roaming
+# between different networks.
+cookie-timeout = 30
+
+# Script to call when a client connects and obtains an IP
+# Parameters are passed on the environment.
+# REASON, USERNAME, GROUPNAME, HOSTNAME (the hostname selected by client),
+# DEVICE, IP_REAL (the real IP of the client), IP_LOCAL (the local IP
+# in the P-t-P connection), IP_REMOTE (the VPN IP of the client). REASON
+# may be "connect" or "disconnect".
+#connect-script = /usr/bin/myscript
+#disconnect-script = /usr/bin/myscript
+
+# UTMP
+use-utmp = true
+
+# PID file
+pid-file = /var/run/ocserv.pid
+
+# The default server directory. Does not require any devices present.
+#chroot-dir = /path/to/chroot
+
+# socket file used for IPC, will be appended with .PID
+# It must be accessible within the chroot environment (if any)
+socket-file = /var/run/ocserv-socket
+
+# The user the worker processes will be run as. It should be
+# unique (no other services run as this user).
+run-as-user = nobody
+run-as-group = daemon
+
+# Network settings
+
+device = vpns
+
+# The default domain to be advertised
+default-domain = example.com
+
+ipv4-network = @VPNNET@
+#ipv6-network = @VPNNET6@
+
+# Prior to leasing any IP from the pool ping it to verify that
+# it is not in use by another (unrelated to this server) host.
+ping-leases = false
+
+# Leave empty to assign the default MTU of the device
+# mtu =
+
+#route = 192.168.1.0/255.255.255.0
+#route = 192.168.5.0/255.255.255.0
+
+#
+# The following options are for (experimental) AnyConnect client
+# compatibility. They are only available if the server is built
+# with --enable-anyconnect
+#
+
+# Client profile xml. A sample file exists in doc/profile.xml.
+# This file must be accessible from inside the worker's chroot.
+# The profile is ignored by the openconnect client.
+#user-profile = profile.xml
+
+# Unless set to false it is required for clients to present their
+# certificate even if they are authenticating via a previously granted
+# cookie. Legacy CISCO clients do not do that, and thus this option
+# should be set for them.
+#always-require-cert = false
+
+sec-mod-scale = 6
+
+idle-timeout = 25
+mobile-idle-timeout = 25
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ocserv-1.2.1/tests/data/raddb/clients.conf new/ocserv-1.2.2/tests/data/raddb/clients.conf
--- old/ocserv-1.2.1/tests/data/raddb/clients.conf	2023-06-02 04:30:07.000000000 +0200
+++ new/ocserv-1.2.2/tests/data/raddb/clients.conf	2023-09-15 15:59:02.000000000 +0200
@@ -364,7 +364,7 @@
 #  the same as above, but they are nested inside of a section.
 #
 #  You can have as many per-socket client lists as you have "listen"
-#  sections, or you can re-use a list among multiple "listen" sections.
+#  sections, or you can reuse a list among multiple "listen" sections.
 #
 #  Un-comment this section, and edit a "listen" section to add:
 #  "clients = per_socket_clients".  That IP address/port combination
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ocserv-1.2.1/tests/data/session-timeout.config new/ocserv-1.2.2/tests/data/session-timeout.config
--- old/ocserv-1.2.1/tests/data/session-timeout.config	1970-01-01 01:00:00.000000000 +0100
+++ new/ocserv-1.2.2/tests/data/session-timeout.config	2023-09-20 22:09:54.000000000 +0200
@@ -0,0 +1,186 @@
+# User authentication method. Could be set multiple times and in that case
+# all should succeed.
+# Options: certificate, pam.
+#auth = "certificate"
+auth = "plain[./data/test1.passwd]"
+#auth = "pam"
+
+isolate-workers = @ISOLATE_WORKERS@
+
+occtl-socket-file = @OCCTL_SOCKET@
+use-occtl = true
+
+# A banner to be displayed on clients
+#banner = "Welcome"
+
+# Use listen-host to limit to specific IPs or to the IPs of a provided hostname.
+#listen-host = [IP|HOSTNAME]
+
+use-dbus = no
+
+# Limit the number of clients. Unset or set to zero for unlimited.
+#max-clients = 1024
+max-clients = 16
+
+# Limit the number of client connections to one every X milliseconds
+# (X is the provided value). Set to zero for no limit.
+#rate-limit-ms = 100
+
+# Limit the number of identical clients (i.e., users connecting multiple times)
+# Unset or set to zero for unlimited.
+max-same-clients = 2
+
+# TCP and UDP port number
+tcp-port = @PORT@
+udp-port = @PORT@
+
+# Keepalive in seconds
+keepalive = 32400
+
+# Dead peer detection in seconds
+dpd = 440
+
+# MTU discovery (DPD must be enabled)
+try-mtu-discovery = false
+
+# The key and the certificates of the server
+# The key may be a file, or any URL supported by GnuTLS (e.g.,
+# tpmkey:uuid=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx;storage=user
+# or pkcs11:object=my-vpn-key;object-type=private)
+#
+# There may be multiple certificate and key pairs and each key
+# should correspond to the preceding certificate.
+server-cert = ./certs/server-cert.pem
+server-key = ./certs/server-key.pem
+
+# Diffie-Hellman parameters. Only needed if you require support
+# for the DHE ciphersuites (by default this server supports ECDHE).
+# Can be generated using:
+# certtool --generate-dh-params --outfile /path/to/dh.pem
+#dh-params = /path/to/dh.pem
+
+# If you have a certificate from a CA that provides an OCSP
+# service you may provide a fresh OCSP status response within
+# the TLS handshake. That will prevent the client from connecting
+# independently on the OCSP server.
+# You can update this response periodically using:
+# ocsptool --ask --load-cert=your_cert --load-issuer=your_ca --outfile response
+# Make sure that you replace the following file in an atomic way.
+#ocsp-response = /path/to/ocsp.der
+
+# In case PKCS #11 or TPM keys are used the PINs should be available
+# in files. The srk-pin-file is applicable to TPM keys only (It's the storage
+# root key).
+#pin-file = /path/to/pin.txt
+#srk-pin-file = /path/to/srkpin.txt
+
+# The Certificate Authority that will be used
+# to verify clients if certificate authentication
+# is set.
+#ca-cert = /path/to/ca.pem
+
+# The object identifier that will be used to read the user ID in the client certificate.
+# The object identifier should be part of the certificate's DN
+# Useful OIDs are:
+#  CN = 2.5.4.3, UID = 0.9.2342.19200300.100.1.1
+#cert-user-oid = 0.9.2342.19200300.100.1.1
+
+# The object identifier that will be used to read the user group in the client
+# certificate. The object identifier should be part of the certificate's DN
+# Useful OIDs are:
+#  OU (organizational unit) = 2.5.4.11
+#cert-group-oid = 2.5.4.11
+
+# A revocation list of ca-cert is set
+#crl = /path/to/crl.pem
+
+# GnuTLS priority string
+tls-priorities = "PERFORMANCE:%SERVER_PRECEDENCE:%COMPAT"
+
+# To enforce perfect forward secrecy (PFS) on the main channel.
+#tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA"
+
+# The time (in seconds) that a client is allowed to stay connected prior
+# to authentication
+auth-timeout = 40
+
+# The time (in seconds) that a client is not allowed to reconnect after
+# a failed authentication attempt.
+#min-reauth-time = 2
+
+# Cookie timeout (in seconds)
+# Once a client is authenticated he's provided a cookie with
+# which he can reconnect. That cookie will be invalided if not
+# used within this timeout value. On a user disconnection, that
+# cookie will also be active for this time amount prior to be
+# invalid. That should allow a reasonable amount of time for roaming
+# between different networks.
+cookie-timeout = 30
+
+# Script to call when a client connects and obtains an IP
+# Parameters are passed on the environment.
+# REASON, USERNAME, GROUPNAME, HOSTNAME (the hostname selected by client),
+# DEVICE, IP_REAL (the real IP of the client), IP_LOCAL (the local IP
+# in the P-t-P connection), IP_REMOTE (the VPN IP of the client). REASON
+# may be "connect" or "disconnect".
+#connect-script = /usr/bin/myscript
+#disconnect-script = /usr/bin/myscript
+
+# UTMP
+use-utmp = true
+
+# PID file
+pid-file = /var/run/ocserv.pid
+
+# The default server directory. Does not require any devices present.
+#chroot-dir = /path/to/chroot
+
+# socket file used for IPC, will be appended with .PID
+# It must be accessible within the chroot environment (if any)
+socket-file = /var/run/ocserv-socket
+
+# The user the worker processes will be run as. It should be
+# unique (no other services run as this user).
+run-as-user = nobody
+run-as-group = daemon
+
+# Network settings
+
+device = vpns
+
+# The default domain to be advertised
+default-domain = example.com
+
+ipv4-network = @VPNNET@
+#ipv6-network = @VPNNET6@
+
+# Prior to leasing any IP from the pool ping it to verify that
+# it is not in use by another (unrelated to this server) host.
+ping-leases = false
+
+# Leave empty to assign the default MTU of the device
+# mtu =
+
+#route = 192.168.1.0/255.255.255.0
+#route = 192.168.5.0/255.255.255.0
+
+#
+# The following options are for (experimental) AnyConnect client
+# compatibility. They are only available if the server is built
+# with --enable-anyconnect
+#
+
+# Client profile xml. A sample file exists in doc/profile.xml.
+# This file must be accessible from inside the worker's chroot.
+# The profile is ignored by the openconnect client.
+#user-profile = profile.xml
+
+# Unless set to false it is required for clients to present their
+# certificate even if they are authenticating via a previously granted
+# cookie. Legacy CISCO clients do not do that, and thus this option
+# should be set for them.
+#always-require-cert = false
+
+sec-mod-scale = 6
+
+session-timeout = 25
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ocserv-1.2.1/tests/data/test-cookie-invalidation.config new/ocserv-1.2.2/tests/data/test-cookie-invalidation.config
--- old/ocserv-1.2.1/tests/data/test-cookie-invalidation.config	2023-06-09 14:37:12.000000000 +0200
+++ new/ocserv-1.2.2/tests/data/test-cookie-invalidation.config	2023-09-20 22:09:54.000000000 +0200
@@ -177,3 +177,5 @@
 # cookie. Legacy CISCO clients do not do that, and thus this option
 # should be set for them.
 #always-require-cert = false
+
+sec-mod-scale = 6
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ocserv-1.2.1/tests/data/test-cookie-timeout-2.config new/ocserv-1.2.2/tests/data/test-cookie-timeout-2.config
--- old/ocserv-1.2.1/tests/data/test-cookie-timeout-2.config	2023-06-09 14:37:12.000000000 +0200
+++ new/ocserv-1.2.2/tests/data/test-cookie-timeout-2.config	2023-09-20 22:09:54.000000000 +0200
@@ -186,3 +186,5 @@
 # cookie. Legacy CISCO clients do not do that, and thus this option
 # should be set for them.
 #always-require-cert = false
+
+sec-mod-scale = 6
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ocserv-1.2.1/tests/data/test-cookie-timeout.config new/ocserv-1.2.2/tests/data/test-cookie-timeout.config
--- old/ocserv-1.2.1/tests/data/test-cookie-timeout.config	2023-06-09 14:37:12.000000000 +0200
+++ new/ocserv-1.2.2/tests/data/test-cookie-timeout.config	2023-09-20 22:09:54.000000000 +0200
@@ -186,3 +186,5 @@
 # cookie. Legacy CISCO clients do not do that, and thus this option
 # should be set for them.
 #always-require-cert = false
+
+sec-mod-scale = 6
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ocserv-1.2.1/tests/idle-timeout new/ocserv-1.2.2/tests/idle-timeout
--- old/ocserv-1.2.1/tests/idle-timeout	1970-01-01 01:00:00.000000000 +0100
+++ new/ocserv-1.2.2/tests/idle-timeout	2023-09-20 16:46:17.000000000 +0200
@@ -0,0 +1,100 @@
+#!/bin/bash
+#
+# Copyright (C) 2023 Nikos Mavrogiannopoulos
+#
+# This file is part of ocserv.
+#
+# ocserv is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at
+# your option) any later version.
+#
+# ocserv is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with GnuTLS; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+OCCTL="${OCCTL:-../src/occtl/occtl}"
+SERV="${SERV:-../src/ocserv}"
+srcdir=${srcdir:-.}
+OCCTL_SOCKET=./occtl-ban-$$.socket
+PIDFILE=ocserv-pid.$$.tmp
+CPIDFILE=openpid.$$.tmp
+OUTFILE=ban.$$.tmp
+
+ADDRESS=10.23.2.1
+CLI_ADDRESS=10.23.1.1
+VPNNET=172.34.215.0/24
+VPNADDR=172.34.215.1
+VPNNET6=fd7b:b45a:eef2:3dee:b86c:b589:fce9:0/112
+VPNADDR6=fd7b:b45a:eef2:3dee:b86c:b589:fce9:0
+
+. `dirname $0`/common.sh
+. `dirname $0`/ns.sh
+
+eval "${GETPORT}"
+
+function finish {
+  set +e
+  echo " * Cleaning up..."
+  test -n "${PID}" && kill ${PID} >/dev/null 2>&1
+  test -n "${PIDFILE}" && rm -f ${PIDFILE} >/dev/null 2>&1
+  test -n "${CPIDFILE}" && rm -f ${CPIDFILE} >/dev/null 2>&1
+  test -n "${CONFIG}" && rm -f ${CONFIG} >/dev/null 2>&1
+  test -n "${OUTFILE}" && rm -f ${OUTFILE} >/dev/null 2>&1
+}
+trap finish EXIT
+
+echo "Testing whether idle timeout works as expected... "
+
+update_config idle-timeout.config
+${CMDNS2} ${SERV} -p ${PIDFILE} -f -c ${CONFIG} -d 3 & PID=$!
+
+sleep 5
+
+echo "Connecting to obtain cookie... "
+eval `echo "test" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8=`
+
+if [ -z "$COOKIE" ];then
+	fail $PID "Could not obtain cookie"
+fi
+
+#echo "Cookie: $COOKIE"
+sleep 1
+echo ""
+echo "Connecting with cookie... "
+${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u test -C "$COOKIE" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --background --pid-file "${CPIDFILE}"
+
+sleep 4
+
+if [ ! -f "${CPIDFILE}" ];then
+	fail $PID "It was not possible to establish session!"
+fi
+
+echo "ping remote address"
+
+set -e
+${CMDNS1} ping -c 3 ${VPNADDR}
+${CMDNS2} ${OCCTL} -s ${OCCTL_SOCKET} show user test
+set +e
+
+# We wait more than the configured time as idle timeout is enforced every
+# a couple of seconds.
+echo "Waiting for idle timeout... "
+sleep 60
+
+${CMDNS2} ${OCCTL} -s ${OCCTL_SOCKET} show user test
+if test $? = 0;then
+	fail $PID "Client listed in occtl after timeout!"
+fi
+
+${CMDNS1} ping -c 3 ${VPNADDR}
+if test $? = 0;then
+	fail $PID "Client remains connected after timeout!"
+fi
+
+exit 0
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ocserv-1.2.1/tests/session-timeout new/ocserv-1.2.2/tests/session-timeout
--- old/ocserv-1.2.1/tests/session-timeout	1970-01-01 01:00:00.000000000 +0100
+++ new/ocserv-1.2.2/tests/session-timeout	2023-09-19 11:08:59.000000000 +0200
@@ -0,0 +1,112 @@
+#!/bin/bash
+#
+# Copyright (C) 2023 Nikos Mavrogiannopoulos
+#
+# This file is part of ocserv.
+#
+# ocserv is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at
+# your option) any later version.
+#
+# ocserv is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with GnuTLS; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+OCCTL="${OCCTL:-../src/occtl/occtl}"
+SERV="${SERV:-../src/ocserv}"
+srcdir=${srcdir:-.}
+OCCTL_SOCKET=./occtl-ban-$$.socket
+PIDFILE=ocserv-pid.$$.tmp
+CPIDFILE=openpid.$$.tmp
+OUTFILE=ban.$$.tmp
+
+ADDRESS=10.74.2.1
+CLI_ADDRESS=10.74.1.1
+VPNNET=172.34.135.0/24
+VPNADDR=172.34.135.1
+VPNNET6=fd7b:b45a:eef2:3d3e:b86c:b589:fce9:0/112
+VPNADDR6=fd7b:b45a:eef2:3d3e:b86c:b589:fce9:0
+
+. `dirname $0`/common.sh
+. `dirname $0`/ns.sh
+
+eval "${GETPORT}"
+
+function finish {
+  set +e
+  echo " * Cleaning up..."
+  test -n "${PID}" && kill ${PID} >/dev/null 2>&1
+  test -n "${PIDFILE}" && rm -f ${PIDFILE} >/dev/null 2>&1
+  test -n "${CPIDFILE}" && rm -f ${CPIDFILE} >/dev/null 2>&1
+  test -n "${CONFIG}" && rm -f ${CONFIG} >/dev/null 2>&1
+  test -n "${OUTFILE}" && rm -f ${OUTFILE} >/dev/null 2>&1
+}
+trap finish EXIT
+
+echo "Testing whether session timeout works as expected... "
+
+update_config session-timeout.config
+${CMDNS2} ${SERV} -p ${PIDFILE} -f -c ${CONFIG} -d 3 & PID=$!
+
+sleep 5
+
+echo "Connecting to obtain cookie... "
+eval `echo "test" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8=`
+
+if [ -z "$COOKIE" ];then
+	fail $PID "Could not obtain cookie"
+fi
+
+#echo "Cookie: $COOKIE"
+sleep 1
+echo ""
+echo "Connecting with cookie... "
+${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u test -C "$COOKIE" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --background --pid-file "${CPIDFILE}"
+
+sleep 4
+
+if [ ! -f "${CPIDFILE}" ];then
+	fail $PID "It was not possible to establish session!"
+fi
+
+echo "ping remote address"
+
+set -e
+${CMDNS1} ping -c 3 ${VPNADDR}
+${CMDNS2} ${OCCTL} -s ${OCCTL_SOCKET} show user test
+set +e
+
+# We wait more than the configured time as session timeout is enforced every
+# a couple of seconds.
+echo "Waiting for session timeout... "
+sleep 60
+
+${CMDNS2} ${OCCTL} -s ${OCCTL_SOCKET} show user test
+if test $? = 0;then
+	fail $PID "Client listed in occtl after timeout!"
+fi
+
+${CMDNS1} ping -c 3 ${VPNADDR}
+if test $? = 0;then
+	fail $PID "Client remains connected after timeout!"
+fi
+
+sleep 5
+
+echo "Connecting with cookie... "
+rm -f "${CPIDFILE}"
+${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u test -C "$COOKIE" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --background --pid-file "${CPIDFILE}"
+
+sleep 4
+
+if [ -f "${CPIDFILE}" ];then
+	fail $PID "Established session with invalidated cookie!"
+fi
+
+exit 0
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ocserv-1.2.1/tests/test-max-same-1 new/ocserv-1.2.2/tests/test-max-same-1
--- old/ocserv-1.2.1/tests/test-max-same-1	2023-07-17 17:18:04.000000000 +0200
+++ new/ocserv-1.2.2/tests/test-max-same-1	2023-09-15 15:59:02.000000000 +0200
@@ -25,7 +25,7 @@
 
 eval "${GETPORT}"
 
-echo "Testing whether max-same-clients=1 allows cookie re-use... "
+echo "Testing whether max-same-clients=1 allows cookie reuse... "
 
 PIDFILE1="${srcdir}/ci$$-1.pid.tmp"
 PIDFILE2="${srcdir}/ci$$-2.pid.tmp"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ocserv-1.2.1/tests/test-multi-cookie new/ocserv-1.2.2/tests/test-multi-cookie
--- old/ocserv-1.2.1/tests/test-multi-cookie	2023-07-17 17:18:04.000000000 +0200
+++ new/ocserv-1.2.2/tests/test-multi-cookie	2023-09-15 15:59:02.000000000 +0200
@@ -25,7 +25,7 @@
 
 eval "${GETPORT}"
 
-echo "Testing whether cookies are being re-used... "
+echo "Testing whether cookies are being reused... "
 
 PIDFILE1="${srcdir}/ci$$-1.pid.tmp"
 PIDFILE2="${srcdir}/ci$$-2.pid.tmp"

    

Source-Sync

tags

participants (1)