Russ Young
7864798b59
Changed logging levels to reduce noise.
2021-03-01 10:41:30 -07:00
Russ Young
e9ddacde59
Changes offensive messages.
...
Changed noisy messages to be logged at LOG_DEBUG level.
2021-02-24 11:45:36 -07:00
Alan Jowett
25e899017a
Merge branch 'cookie-httponly' into 'master'
...
Added HttpOnly flag to cookie
See merge request openconnect/ocserv!258
2021-02-22 16:25:42 +00:00
Russ Young
90e08cc12d
Added HttpOnly flag to cookie
2021-02-17 12:15:09 -07:00
Nikos Mavrogiannopoulos
3e47d192ed
Merge branch 'openbsd-devname' into 'master'
...
OpenBSD Devname changes
Closes #399
See merge request openconnect/ocserv!256
2021-02-11 10:24:31 +00:00
Jake S
a2775715ec
OpenBSD Devname changes
2021-02-10 22:17:46 +00:00
Stefan Bühler
4cea55c6d6
dtls connection setup: fix memory corruption, proper watcher setup
...
ev_init and ev_io_set must never be called on active watchers - we
need to cleanup previous connection state before setting a new one.
ev_init clears the "active" flag, but doesn't remove the watcher from
libev internal linked lists (and doesn't clear the "next" pointer for
it). This can for example lead to (unexpected) cyclic lists in libev,
and libev can loop forever trying to deal with them.
2021-02-10 13:23:42 +01:00
Alan Jowett
c53cc97395
Close fd and stop ev_io on failed handshake.
...
Signed-off-by: Alan Jowett <alanjo@microsoft.com>
2021-02-04 10:18:34 -07:00
Nikos Mavrogiannopoulos
9d3ac17073
Change how stdin and stdout are closed
...
We only close the descriptors on the main process
as this could close other unrelated descriptors.
Resolves: #394
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
2021-01-25 21:19:40 +01:00
Nikos Mavrogiannopoulos
acf31f5dde
parse_data: print unknown bye packets
...
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
2020-12-27 21:58:18 +01:00
Nikos Mavrogiannopoulos
1657781caf
Merge branch 'tmp-share-vars' into 'master'
...
worker.h: share OCSERV_ENV_WORKER_STARTUP_MSG between main and worker
See merge request openconnect/ocserv!250
2020-12-14 23:10:08 +00:00
Nikos Mavrogiannopoulos
8d4a5924e4
worker.h: share OCSERV_ENV_WORKER_STARTUP_MSG between main and worker
...
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
2020-12-14 23:26:17 +01:00
Nikos Mavrogiannopoulos
b2a5688bf7
Makefile.am: cleanup
...
This rearranges variables so they are set before they are used.
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
2020-12-14 21:20:22 +01:00
Nikos Mavrogiannopoulos
5869006ce1
Replaced redundant checks with asserts
...
Although the checks were strictly redundant, an update
or restructuring of the loops/files could cause significant
issues. For that keep them but within an assert() statement
to be clear what it is about.
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
2020-12-12 22:47:43 +01:00
Nikos Mavrogiannopoulos
47c6638286
ocserv-worker: renamed loop to worker_loop
...
This avoids warnings and static analyzer complaints about
the libev functions hiding the global 'loop' variable
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
2020-12-12 22:41:57 +01:00
Daniel Lenski
dd34f85875
OpenConnect will interpret these headers once https://gitlab.com/openconnect/openconnect/-/merge_requests/156 is merged
...
Examples of newly-authenticated sessions from Cisco servers:
- Default value of `Session-Timeout` is 1209600 seconds (14 days) per
https://www.cisco.com/assets/sol/sb/RV345P_Emulators/RV345P_Emulator_v1-0-01-17/help/help/t_SSL_VPN.html
- https://www.mail-archive.com/openconnect-devel@lists.infradead.org/msg00968.html :
`Lease-Duration` having the default value, while `Session-Timeout`
and `Session-Timeout-Remaining` are `none`
- https://gitlab.com/openconnect/openconnect/-/issues/43#note_177677716 :
`Lease-Duration`, `Session-Timeout`, and `Session-Timeout-Remaining` all with
same value
My own testing of *reconnected* sessions (on a newer Cisco server supporting
DTLS 1.2) shows that Session-Timeout-Remaining will have a value less than
Session-Timeout, such that the expiration timestamp remains constant from one
reconnection to the next.
Signed-off-by: Daniel Lenski <dlenski@amazon.com>
2020-12-09 17:27:00 -08:00
Nikos Mavrogiannopoulos
3d7c846ecd
ocserv: renamed main_loop
...
This avoids warnings and static analyzer complaints about
libev functions hiding the global 'loop' variable.
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
2020-12-09 15:56:29 +01:00
Nikos Mavrogiannopoulos
689b6fa1a4
process_worker_packet: remove FIXME comments; they serve little purpose
...
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
2020-12-09 15:48:30 +01:00
Nikos Mavrogiannopoulos
85817d38b7
get_session_id: avoid parameter hiding
...
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
2020-12-09 15:47:52 +01:00
Nikos Mavrogiannopoulos
a9cb1b7f1e
headers: added header guards
...
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
2020-12-09 15:46:12 +01:00
Nikos Mavrogiannopoulos
f6cb0db8e0
get_cert_names: made infinite loop apparent
...
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
2020-12-09 15:44:12 +01:00
Nikos Mavrogiannopoulos
07606fc2d8
load_keys: avoid hiding a global variable
...
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
2020-12-09 15:10:41 +01:00
Nikos Mavrogiannopoulos
9482756e6c
parse_cfg_file: avoid hiding a global variable
...
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
2020-12-09 15:10:01 +01:00
Nikos Mavrogiannopoulos
e035221030
update_auth_time_stats: cast operations to avoid overflows
...
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
2020-12-09 15:05:24 +01:00
Nikos Mavrogiannopoulos
d619c90518
Avoid localtime() in favor of localtime_r()
...
This is to keep some static analyzers happy that check for the
thread safe functions, even if in practice we do not need to be
thread safe.
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
2020-12-09 15:01:39 +01:00
Nikos Mavrogiannopoulos
24814ac874
ocserv: avoid the use of ctime
...
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
2020-12-09 14:55:46 +01:00
Nikos Mavrogiannopoulos
5c53d5f82d
Updated bundled http-parser
...
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
2020-12-09 09:31:07 +01:00
Nikos Mavrogiannopoulos
d08f4832e4
update_fd_limits: removed comment on future raise
...
This increases the maximum number of fds by 96 to allow up to
128 scripts being run when close to the maximum limit of clients.
Resolves: #349
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
2020-12-03 23:52:32 +01:00
Nikos Mavrogiannopoulos
86138698fe
update_fd_limits: set fd limits for "unlimited" users to 8k
...
Relates: #349
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
2020-12-03 23:42:14 +01:00
Russ Young
3055c15c96
Log changes to reduce logging noise
...
Signed-off-by: Russell Young <ruyoung@microsoft.com>
2020-12-03 10:58:22 +01:00
Nikos Mavrogiannopoulos
5cf457b425
Removed the listen-clear-file config option
...
This option was almost impossible to use in general and worked with
very few clients only (not including openconnect). That also meant that
it could not be tested. Removed to reduce maintenance to parameters
that are used in practice.
Resolves: #376
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
2020-12-03 10:04:57 +01:00
Nikos Mavrogiannopoulos
6c9615618d
Merge branch 'tmp-coverity-fixes' into 'master'
...
Several fixes or annotations attributed to coverity scan
See merge request openconnect/ocserv!237
2020-12-03 09:00:59 +00:00
Alan Jowett
50ab40782a
Fix coverity warning in forward_udp_to_owner
...
Signed-off-by: Alan Jowett <alan.jowett@microsoft.com>
2020-12-02 12:58:56 -07:00
Nikos Mavrogiannopoulos
8000de58bd
handle_sec_auth_cont: corrected use of ps_status_to_str
...
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
2020-12-01 21:03:29 +01:00
Nikos Mavrogiannopoulos
6805023bd3
handle_sec_auth_cont: print status in readable form
...
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
2020-12-01 20:48:22 +01:00
Nikos Mavrogiannopoulos
b797d509fc
set_non_block: ensure we log errors
...
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
2020-11-26 14:38:05 +01:00
Nikos Mavrogiannopoulos
d60cbf53c5
handle_commands_from_main: silence coverity
...
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
2020-11-26 14:38:03 +01:00
Nikos Mavrogiannopoulos
9680622d86
handle_events_cmd: silence coverity
...
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
2020-11-26 14:25:14 +01:00
Nikos Mavrogiannopoulos
65a0e595e5
gssapi_vhost_init: simplified
...
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
2020-11-26 14:22:36 +01:00
Nikos Mavrogiannopoulos
6fe528ec4c
post_auth_handler: added error checking to cstp_printf
...
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
2020-11-26 14:22:25 +01:00
Nikos Mavrogiannopoulos
57c0381269
send_stats_to_secmod: silence coverity
...
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
2020-11-26 14:22:17 +01:00
Nikos Mavrogiannopoulos
56c6ab9cbf
_listen_unix_ports: error when remove fails
...
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
2020-11-26 14:20:26 +01:00
Nikos Mavrogiannopoulos
4150c2251b
pam: silence coverity warning
...
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
2020-11-26 14:20:22 +01:00
Nikos Mavrogiannopoulos
3be9234cb9
gnutls_rnd(): always check its return value
...
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
2020-11-19 22:20:19 +01:00
Alan Jowett
01a9815bdf
Set disconnect reason when updating ban-ip
...
Resolves: #360
Signed-off-by: Alan Jowett alan.jowett@microsoft.com
2020-11-06 13:16:32 -07:00
Nikos Mavrogiannopoulos
82fc1e4881
Merge branch 'tmp-enhance-syscalls' into 'master'
...
worker-privs: enhanced with syscalls used by socket wrapper
See merge request openconnect/ocserv!233
2020-11-01 22:27:55 +00:00
Nikos Mavrogiannopoulos
9521918143
worker-privs: allow new syscalls
...
This adds the syscalls used by socket wrapper as observed
in Fedora builders, as well as syscalls observed in different
platforms such as aarch64.
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
2020-10-30 22:31:59 +01:00
Nikos Mavrogiannopoulos
d83a39da51
set_env_from_ws: ensure there are no uninitialized variables from snapshot
...
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
2020-10-30 22:11:09 +01:00
Alan Jowett
3436705a9c
Allow setup of new DTLS session while processing on old session
...
Resolves: #359
Signed-off-by: Alan Jowett alan.jowett@microsoft.com
2020-10-19 10:36:03 -06:00
Nikos Mavrogiannopoulos
16bfb30586
inih: reintroduced INI_STOP_ON_FIRST_ERROR
...
This also introduces better error reporting to inih, and
handling of the errors received by inih.
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
2020-10-18 21:05:08 +02:00