Zhiyuan Wan
3bc39e40c0
seccomp: allow essential syscalls on 32-bit platform.
...
This fixes the ocserv auth issue on the armv7 platform.
Not tested with other 32-bit platforms, be careful.
Solves issue #474
Signed-off-by: Zhiyuan Wan <h@iloli.bid>
2022-11-24 15:18:10 +08:00
Nikos Mavrogiannopoulos
a299300e67
seccomp: allow setitimer
...
This enables ocserv on musl/alpine.
Resolves #455
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
2022-10-09 20:12:13 +02:00
Tara Mallesh
cfe2ea06d9
Allow HTTP headers to be configurable
2022-07-02 04:02:56 +00:00
Marc West
e0a2fa4c3c
Base /dev/tunN iteration on max-clients for OSes that do not have the /dev/tun special control device
2022-03-16 22:47:29 +00:00
Tara Mallesh
73307e2dac
Update worker-http.c
2022-03-14 05:25:11 +00:00
Tara Mallesh
c60c7cad98
Fix typo to remove extra closing bracket
2022-03-07 21:16:11 +00:00
Tara Mallesh
49a03419e8
Add Pragma and Cache-control HTTP headers.
2022-03-07 19:57:46 +00:00
Nikos Mavrogiannopoulos
a1bd01169f
Merge branch 'groovyfengx-master-patch-69245' into 'master'
...
Fixing memory leak in OpenID Connect auth module
See merge request openconnect/ocserv!289
2022-03-02 08:48:55 +00:00
Feng Xie
030163fbbe
Fixing memory leak in OpenConnect auth module
2022-03-01 22:28:47 +00:00
Nikos Mavrogiannopoulos
3d19078be6
Merge branch 'groovyfengx-master-patch-58049' into 'master'
...
Fixing issue: Authentication requests from the same IP address are not load balanced among security modules
Closes #444
See merge request openconnect/ocserv!288
2022-03-01 20:26:44 +00:00
Feng Xie
4ec99609ca
Fixing issue: Authentication requests from the same IP address are not load balanced among security modules
2022-02-28 16:00:13 +00:00
Feng Xie
765472bd2c
Fixing memory deallocation issue in auth.
2022-02-28 15:54:18 +00:00
Nikos Mavrogiannopoulos
eb6d1c0aef
sec-mod: increased max groups to 128
...
Relates to #219
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
2022-02-17 08:53:30 +01:00
Nikos Mavrogiannopoulos
1b826069eb
str_rep_tab: added explicit initializer
...
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
2022-02-15 10:34:18 +01:00
Nikos Mavrogiannopoulos
53b08d2433
forward_udp_to_owner: sanity check of session_id_size
...
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
2022-02-15 10:33:45 +01:00
Nikos Mavrogiannopoulos
c1030512a7
load_keys: work around GnuTLS 3.7.3 regression
...
GnuTLS 3.7.3 introduces a backwards incompatible change and
GNUTLS_E_PKCS11_PIN_ERROR is returned when an encrypted
file is loaded.
Reported at https://gitlab.com/gnutls/gnutls/-/issues/1321
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
2022-02-10 16:05:35 +01:00
Nikos Mavrogiannopoulos
94af87c7a2
libtasn1: use NULL instead of ASN1_TYPE_EMPTY
...
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
2022-02-10 15:31:39 +01:00
Nikos Mavrogiannopoulos
a2fbdabf5e
seccomp: allow futex()
...
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
2022-02-10 15:03:23 +01:00
Nikos Mavrogiannopoulos
f65bb80e9a
Merge branch 'Openconnect' into 'master'
...
Openconnect → OpenConnect
See merge request openconnect/ocserv!282
2022-01-27 10:35:55 +00:00
David Madole
bfeab649c8
Make compatible with AnyConnect client on Windows ARM64
2022-01-26 01:46:57 +00:00
Dimitri Papadopoulos
feffac374a
Openconnect → OpenConnect
...
Spell OpenConnect products consistently.
This will modify the README file, but not the online documentation.
Signed-off-by: Dimitri Papadopoulos <3350651-DimitriPapadopoulos@users.noreply.gitlab.com>
2021-12-27 12:48:20 +01:00
Dimitri Papadopoulos
44bb12bb1a
Revert previous typo fixes to CCAN and PCL
...
Revert !271 / 81df79a9 and !276 / 3a92062b.
These are vendored files that need to be fixed upstream.
Signed-off-by: Dimitri Papadopoulos <3350651-DimitriPapadopoulos@users.noreply.gitlab.com>
2021-12-23 10:04:29 +01:00
Nikos Mavrogiannopoulos
db505b373c
Merge branch 'visual_studio_spell_checker' into 'master'
...
Typos found by Visual Studio Code Checker
See merge request openconnect/ocserv!276
2021-12-22 18:41:17 +00:00
Dimitri Papadopoulos
3a92062b44
Typos found by Visual Studio Code Checker
...
Signed-off-by: Dimitri Papadopoulos <3350651-DimitriPapadopoulos@users.noreply.gitlab.com>
2021-12-22 19:21:02 +01:00
Dimitri Papadopoulos
a5d79fc230
Improve const char declarations
...
Declare C string constants using array syntax, avoid pointer syntax
when possible. They are different, the array syntax generates smaller,
faster code.
Also, const char[] should usually be static, again to avoid poor
compilation and runtime performance where compilers tend to
initialize the const declaration for every call instead of using
.rodata for the string.
Signed-off-by: Dimitri Papadopoulos <3350651-DimitriPapadopoulos@users.noreply.gitlab.com>
2021-12-17 10:26:17 +01:00
Dimitri Papadopoulos
47c1e1be84
Fix repeated words in comments
2021-11-18 06:21:14 +01:00
Dimitri Papadopoulos
1dcd78d05f
Fix typo found by codespell
2021-11-13 13:17:51 +01:00
Nikos Mavrogiannopoulos
697f5f9bc2
maxmind: ensure that asprintf is checked
...
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
2021-11-13 08:45:14 +01:00
Nikos Mavrogiannopoulos
4f9c4de805
lgtm: ignore unuseful warnings
...
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
2021-11-13 08:41:30 +01:00
Nikos Mavrogiannopoulos
8ac992d273
Do not assign the same local and remote IPs
...
Resolves: #430
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
2021-10-31 17:18:42 +01:00
Dimitri Papadopoulos
81df79a95b
Typos found by codespell
...
Signed-off-by: Dimitri Papadopoulos <3350651-DimitriPapadopoulos@users.noreply.gitlab.com>
2021-10-09 17:57:11 +02:00
Nikos Mavrogiannopoulos
53dfa056a4
hash.c: removed self-test
...
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
2021-10-07 09:30:23 +02:00
Luo Bo
ec14f60b79
seccomp: Add epoll_pwait to allow list. AArch64 requires this.
...
Signed-off-by: Luo Bo <luobodi@hotmail.com>
2021-09-13 22:07:08 +02:00
Nikos Mavrogiannopoulos
3c783faaa2
.gitlab-ci.yml: removed epel RPM builds on second stage
...
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
2021-06-12 22:55:19 +02:00
Nikos Mavrogiannopoulos
add3272c1d
disable_system_calls: added newfstatat unconditionally
...
It is required in newer glibc.
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
2021-06-12 22:23:36 +02:00
Nikos Mavrogiannopoulos
4bfb42cb34
pcl: removed code causing use-after-free
...
Found by static analyzer.
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
2021-06-12 21:46:28 +02:00
Nikos Mavrogiannopoulos
29995ebd43
log: simplified logging process
...
This combines duplicate logic, and allows uncovering errors
when the wrong log level is specified.
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
2021-06-12 21:42:51 +02:00
Nikos Mavrogiannopoulos
bcf6ed7204
worker: minor improvements in log messages
...
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
2021-06-12 21:42:21 +02:00
Nikos Mavrogiannopoulos
6daa24f010
worker: correct log message
...
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
2021-06-12 10:16:27 +02:00
Daniel Lenski
fac0244f3e
Do not set X-CSTP-Lease-Duration header
...
This header was added in dd34f85875.
The intention was to allow clients to accurately determine the remaining
lifetime of the authentication session by replicating the headers that Cisco
servers were observed to send. See https://gitlab.com/openconnect/openconnect/-/merge_requests/156
for the client-side implementation in OpenConnect.
However, two users of ocserv have now reported that the *presence* of this
header *breaks* compatibility with newer Cisco AnyConnect clients
(https://gitlab.com/openconnect/ocserv/-/issues/414#note_581221384,
https://gitlab.com/openconnect/ocserv/-/issues/232#note_477714207).
This patch removes the `X-CSTP-Lease-Duration` header, while leaving behind
the `X-CSTP-Session-Timeout` and `X-CSTP-Session-Timeout-Remaining` headers.
With
(a) Cisco AnyConnect clients are able to connect (tested at
https://gitlab.com/openconnect/ocserv/-/issues/414#note_581563460)
(b) OpenConnect clients are still able to determine the authentication session
lifetime (https://gitlab.com/openconnect/ocserv/-/issues/414#note_582314323)
Signed-off-by: Daniel Lenski <dlenski@gmail.com>
2021-05-22 10:32:52 -07:00
Russell Young
658ffb47df
Separated logging level from debug-ability
...
Modified code to separate the logging level from the debug-ability. Added a new command line option, -x or --traceable, to control the pr_dumpable state (default is pr_dumpable false). Added a config parameter for controlling the log level; the option is "log-level", and it can also be specified on the command line with -d or --debug.
Signed-off-by: Russell Young <ruyoung@microsoft.com>
2021-05-18 18:38:49 +00:00
fdomain
b3fe0d85c2
Added client-bypass-protocol config option
...
By default, anyconnect clients will drop all traffic of a given IP
version if there is no IP address in that version assigned to the
client. The client-bypass-protocol option, if enabled, will send an
extra header to the clients telling anyconnect client to bypass VPN
tunnel if there is no IP assigned. No impact for openconnect clients,
this header will simply be ignored.
Signed-off-by: Florian Domain <f.domain@criteo.com>
2021-05-18 07:15:43 +00:00
Nikos Mavrogiannopoulos
2584222a3f
Merge branch 'owasp-headers' into 'master'
...
Owasp headers
See merge request openconnect/ocserv!263
2021-05-14 17:41:14 +00:00
Russ Young
c4bc01766d
Removed conditional code for OWASP headers
2021-05-12 11:56:09 -06:00
Russ Young
065f51e6af
Added build flags and Test for OWASP headers
2021-04-20 11:55:28 -06:00
Russ Young
f3e23793a7
Added the default OWASP http headers to http responses.
2021-04-14 13:59:04 -06:00
Nikos Mavrogiannopoulos
3f0ece492f
set_self_oom_score_adj: corrected error handling
...
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
2021-04-01 17:16:12 +02:00
Nikos Mavrogiannopoulos
2d1bd947e2
ctl_handler_init: fixed resource leaks
...
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
2021-04-01 17:09:25 +02:00
Nikos Mavrogiannopoulos
6677ac04fa
occtl: fixed uninitialized value
...
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
2021-04-01 14:52:27 +02:00
Russ Young
cbd858081e
Changed logging level to reduce noise.
2021-03-01 10:42:43 -07:00