Nikos Mavrogiannopoulos
0f0cf31a79
zeroize cookies and TLS session data after read.
2014-05-28 10:11:17 +02:00
Nikos Mavrogiannopoulos
25fbdfbf70
Keep track of cookies internally.
...
That allows restricting the cookie validity time to the absolute minimum
required to establish and reconnect a recently disconnected session.
That deprecates the cookie-validity option and introduces the cookie-timeout
option.
2014-05-27 16:00:57 +02:00
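The two cookie commits above (zeroizing cookies after they are read, and tracking cookies internally so that a cookie only stays valid for cookie-timeout seconds after a session drops) are illustrated by the following added example. It is not ocserv's code; the table layout, function names, the fixed 32-byte cookie size and the reconnect semantics are assumptions made for the illustration. It also covers the older behaviour recorded further down in this log, where presenting the cookie of a still-live session disconnects the previous session, by flagging that case to the caller.

```c
#include <stdint.h>
#include <string.h>
#include <time.h>

#define COOKIE_SIZE 32          /* assumed cookie length for the example */
#define MAX_SESSIONS 16

enum cookie_state { CK_FREE = 0, CK_ACTIVE, CK_DISCONNECTED };

struct cookie_entry {
    uint8_t value[COOKIE_SIZE];
    enum cookie_state state;
    time_t disconnected_at;     /* meaningful only in CK_DISCONNECTED */
};

struct cookie_table {
    struct cookie_entry e[MAX_SESSIONS];
    unsigned cookie_timeout;    /* seconds a dropped session may be resumed */
};

/* Zeroize through a volatile pointer: a plain memset() on memory that is
 * never read again is routinely removed by the optimizer. */
static void secure_zero(void *p, size_t n)
{
    volatile uint8_t *vp = (volatile uint8_t *)p;
    while (n--)
        *vp++ = 0;
}

/* Constant-time comparison so lookup timing does not depend on how many
 * leading bytes of a guessed cookie happen to match. */
static int ct_equal(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= a[i] ^ b[i];
    return diff == 0;
}

void cookie_table_init(struct cookie_table *t, unsigned cookie_timeout)
{
    memset(t, 0, sizeof(*t));
    t->cookie_timeout = cookie_timeout;
}

/* Record a freshly issued cookie for a live session; returns its slot or -1. */
int cookie_issue(struct cookie_table *t, const uint8_t value[COOKIE_SIZE])
{
    for (int i = 0; i < MAX_SESSIONS; i++) {
        if (t->e[i].state == CK_FREE) {
            memcpy(t->e[i].value, value, COOKIE_SIZE);
            t->e[i].state = CK_ACTIVE;
            return i;
        }
    }
    return -1;
}

/* The session's worker went away: open the reconnect window. */
void cookie_disconnect(struct cookie_table *t, int idx, time_t now)
{
    if (idx < 0 || idx >= MAX_SESSIONS || t->e[idx].state != CK_ACTIVE)
        return;
    t->e[idx].state = CK_DISCONNECTED;
    t->e[idx].disconnected_at = now;
}

/* Wipe every cookie whose reconnect window has closed; zeroizing the whole
 * entry also resets its state to CK_FREE (0). */
void cookie_expire(struct cookie_table *t, time_t now)
{
    for (int i = 0; i < MAX_SESSIONS; i++) {
        struct cookie_entry *c = &t->e[i];
        if (c->state == CK_DISCONNECTED &&
            now - c->disconnected_at > (time_t)t->cookie_timeout)
            secure_zero(c, sizeof(*c));
    }
}

/* Look up the cookie a reconnecting client presented. The caller's buffer is
 * zeroized before returning, whatever the outcome. Returns the slot, or -1 if
 * the cookie is unknown or expired; *kick_previous is set when the cookie
 * still belongs to a live session that the caller must disconnect first. */
int cookie_reconnect(struct cookie_table *t, uint8_t presented[COOKIE_SIZE],
                     time_t now, int *kick_previous)
{
    int found = -1;
    *kick_previous = 0;
    cookie_expire(t, now);
    for (int i = 0; i < MAX_SESSIONS; i++) {
        struct cookie_entry *c = &t->e[i];
        if (c->state != CK_FREE && ct_equal(c->value, presented, COOKIE_SIZE)) {
            *kick_previous = (c->state == CK_ACTIVE);
            c->state = CK_ACTIVE;
            found = i;
        }
    }
    secure_zero(presented, COOKIE_SIZE);
    return found;
}
```

Note that cookie_expire() wipes the cookie bytes rather than only flipping the state, and cookie_reconnect() wipes the request-side copy too; with a plain memset() the compiler may legally drop both stores, which is why the volatile write loop is used.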
Nikos Mavrogiannopoulos
7ba0fffb07
Added the configuration option deny-roaming.
...
That required moving the read of the group configuration during the
cookie authentication phase.
2014-05-25 10:17:28 +02:00
Nikos Mavrogiannopoulos
213f9a63ee
license upgraded to GPLv3
2014-05-23 11:50:56 +02:00
Nikos Mavrogiannopoulos
d99c527758
memory reorganization in sec-mod.
...
It no longer relies on the main pool; it uses its own pool.
In addition the DEBUG_LEAKS definition was added to allow debugging
leaks.
2014-05-15 16:44:43 +02:00
Nikos Mavrogiannopoulos
739a2126d0
Clean-up all memory on deinitialization of sec-mod and worker.
...
That will make it easier to spot any unintentional memory leaks.
2014-05-15 15:36:03 +02:00
Nikos Mavrogiannopoulos
e7171ac859
Supplementary group/user configuration is now modular.
...
That will ease the addition of other backends that can be used to
read the user/group configuration. The only backend supported now
is file.
2014-05-15 11:36:30 +02:00
Nikos Mavrogiannopoulos
53f3129da9
Authentication modules were moved to subdirectory auth/
2014-05-14 14:35:50 +02:00
Nikos Mavrogiannopoulos
788560b9ce
Added default-user-config and default-group-config configuration options.
...
These allow setting a configuration file that will be loaded if a
user-specific or group-specific configuration file isn't found.
2014-05-14 13:27:51 +02:00
Nikos Mavrogiannopoulos
09704b8819
Password authentication is now delegated to sec-mod.
...
That prevents any memory from the authentication modules from being leaked
to a worker process. As a result, the zombie and dead statuses no longer
exist.
2014-05-14 11:37:01 +02:00
Nikos Mavrogiannopoulos
df7b124df4
include malloc.h when needed.
2014-05-13 21:19:56 +02:00
Nikos Mavrogiannopoulos
07559df432
Corrected the removal of socket files in chrooted environment.
...
In addition remove the occtl_socket_file.
2014-05-12 11:14:53 +02:00
Nikos Mavrogiannopoulos
929bf5e211
Fixes in talloc usage in occtl in combination with readline.
2014-05-09 16:52:16 +02:00
Nikos Mavrogiannopoulos
969e684960
Use talloc() for all allocations to reduce the possibility of memory leaks.
2014-05-09 16:13:11 +02:00
Nikos Mavrogiannopoulos
2a0cc77c2e
Export TUN device statistics from the worker process.
...
When a worker process terminates in authenticated state, then
export statistics from the tun device (currently bytes_in and
bytes_out). These statistics are sent to the main process using an
informational message just prior to process exit. The statistics
are also exported to the disconnect script using the STATS_BYTES_IN
and STATS_BYTES_OUT environment variables.
2014-04-28 17:32:51 +02:00
Nikos Mavrogiannopoulos
62110975a7
Revert "Delay the cleanup of resources of a worker if a disconnect script is set."
...
This reverts commit 7e0ee385c2.
2014-04-16 12:00:16 +02:00
Nikos Mavrogiannopoulos
e6364e8e52
Revert "When a disconnect script is set, the main process will close the tun device on client exit."
...
This reverts commit e50051b435.
2014-04-15 10:33:53 +02:00
Nikos Mavrogiannopoulos
bec93731eb
Simplified group configuration file loading.
2014-04-14 13:40:37 +02:00
Nikos Mavrogiannopoulos
c410891421
send ID as signed integer over dbus.
2014-04-13 08:56:36 +02:00
Nikos Mavrogiannopoulos
7e0ee385c2
Delay the cleanup of resources of a worker if a disconnect script is set.
...
In that case use the intermediate state PS_AUTH_DEAD to delay the
release of resources for a few seconds. That would allow the disconnect
script to gather any required statistics from the device, IPs etc.
2014-04-12 21:29:14 +02:00
Nikos Mavrogiannopoulos
6410f6864c
The tun device will be closed only after the disconnect script has been called.
...
This allows gathering statistics from it. In addition, the behavior of
script calling was changed, and it will now always contain the IP information.
2014-04-12 12:44:13 +02:00
Nikos Mavrogiannopoulos
e50051b435
When a disconnect script is set, the main process will close the tun device on client exit.
...
That allows the disconnect script to gather statistics from the client session.
2014-04-12 12:37:47 +02:00
Nikos Mavrogiannopoulos
1185cb07ee
Execute the disconnect script for a user whose IP was hijacked by a cookie reconnection
...
This prevents the script from being called to initiate connections
that are never disconnected. This patch also introduces the IPV6_LOCAL and
IPV6_REMOTE script environment variables, which allow passing both addresses
in case both IPv4 and IPv6 are assigned.
2014-04-12 08:43:10 +02:00
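The disconnect-script commits above describe two things that the script receives through its environment: the tunnel statistics exported by the worker (STATS_BYTES_IN and STATS_BYTES_OUT) and the IPv6 endpoint variables (IPV6_LOCAL and IPV6_REMOTE) added alongside the IPv4 ones. The added example below is not ocserv's code; it shows one way to assemble that environment and run the script with exactly those variables and nothing inherited from the daemon. The struct layout, the REASON, USERNAME, IP_LOCAL and IP_REMOTE variable names and the use of fork()/execve() are assumptions of the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Assumed shape of what the main process knows about a finished session. */
struct session_info {
    const char *username;
    const char *ip_local;     /* IPv4 tunnel endpoints, NULL if none assigned */
    const char *ip_remote;
    const char *ipv6_local;   /* IPv6 tunnel endpoints, NULL if none assigned */
    const char *ipv6_remote;
    uint64_t bytes_in;        /* read from the tun device before it is closed */
    uint64_t bytes_out;
};

#define SCRIPT_ENV_MAX 12

void script_env_free(char **env)
{
    if (!env)
        return;
    for (int i = 0; env[i]; i++)
        free(env[i]);
    free(env);
}

/* Append KEY=VAL; a NULL value simply omits the variable (e.g. no IPv6). */
static int env_add(char **env, int *n, const char *key, const char *val)
{
    if (val == NULL || *n >= SCRIPT_ENV_MAX - 1)
        return 0;
    size_t len = strlen(key) + 1 + strlen(val) + 1;
    char *s = malloc(len);
    if (!s)
        return -1;
    snprintf(s, len, "%s=%s", key, val);
    env[(*n)++] = s;
    env[*n] = NULL;
    return 0;
}

/* Build the script's environment from scratch: the daemon's own environment
 * is deliberately not inherited, so the script sees only session data. */
char **script_env_build(const struct session_info *s, const char *reason)
{
    char **env = calloc(SCRIPT_ENV_MAX, sizeof(char *));
    char in[32], out[32];
    int n = 0;
    if (!env)
        return NULL;
    snprintf(in, sizeof in, "%llu", (unsigned long long)s->bytes_in);
    snprintf(out, sizeof out, "%llu", (unsigned long long)s->bytes_out);
    if (env_add(env, &n, "REASON", reason) < 0 ||
        env_add(env, &n, "USERNAME", s->username) < 0 ||
        env_add(env, &n, "IP_LOCAL", s->ip_local) < 0 ||
        env_add(env, &n, "IP_REMOTE", s->ip_remote) < 0 ||
        env_add(env, &n, "IPV6_LOCAL", s->ipv6_local) < 0 ||
        env_add(env, &n, "IPV6_REMOTE", s->ipv6_remote) < 0 ||
        env_add(env, &n, "STATS_BYTES_IN", in) < 0 ||
        env_add(env, &n, "STATS_BYTES_OUT", out) < 0) {
        script_env_free(env);
        return NULL;
    }
    return env;
}

/* Run the script by path with execve() (no shell, no PATH lookup) and the
 * given environment. Returns the exit status, or -1 on failure/signal. */
int script_run(const char *path, char *const argv[], char *const envp[])
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(path, argv, envp);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

Because the environment is built from an empty array rather than copied from the daemon, a script cannot pick up secrets or PATH tweaks from the server process, and a session without IPv6 simply lacks the IPV6_* variables instead of carrying empty strings.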
Nikos Mavrogiannopoulos
c84452fe8f
Added limits.h for POSIX_PATH_MAX
2014-03-31 16:58:02 +02:00
Nikos Mavrogiannopoulos
317fe62a56
Added sys/uio.h
2014-03-31 16:57:24 +02:00
Nikos Mavrogiannopoulos
35c31bc0b7
Allow TUN_MTU command only in authenticated state
2014-03-10 10:41:27 +01:00
Nikos Mavrogiannopoulos
6028e5d81d
simplified handle_auth_res()
2014-03-10 10:41:27 +01:00
Nikos Mavrogiannopoulos
bc10b97207
added debug message in remove_proc
2014-02-18 09:04:21 +01:00
Nikos Mavrogiannopoulos
991455065f
simplified handling of CISCO reconnecting clients.
...
Instead of having a client use the initial SID over and over,
re-set the SID cookie during authentication when needed. That
way we avoid having expensive checks to ensure uniqueness of SID.
2014-02-16 22:47:45 +01:00
Nikos Mavrogiannopoulos
3b9971b7e8
Added support for the "new" type of IP6 support in AnyConnect.
...
If the client sends "X-CSTP-Full-IPv6-Capability: true", then we
use the headers:
X-CSTP-Address-IP6: 2001:db8:1000:1000::1/64
X-CSTP-Split-Include-IP6: 2001:db8:1000:1001::/64
X-CSTP-Split-Include-IP6: 2001:db8:1000:1002::/64
(see corresponding openconnect change)
2014-02-15 13:51:03 +01:00
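The IPv6 commit above names the request header the client sends and the three response headers the server answers with. The following added example (not ocserv's code) shows a small header lookup that tolerates the case differences seen between clients, a capability check built on it, and a formatter for the X-CSTP-*-IP6 response lines that refuses values containing CR or LF so that a misconfigured address or route cannot inject extra headers. The function names, the buffer-based API and the constructed CONNECT request are assumptions of the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Case-insensitive lookup of "Name: value" in a CRLF-separated request.
 * Copies the trimmed value into out. Returns 1 if found, 0 if absent,
 * -1 if the value does not fit in out. */
int cstp_header_get(const char *req, const char *name, char *out, size_t outlen)
{
    size_t nlen = strlen(name);
    const char *p = req;

    while (*p) {
        const char *eol = strstr(p, "\r\n");
        size_t linelen = eol ? (size_t)(eol - p) : strlen(p);

        if (linelen >= nlen + 1 && strncasecmp(p, name, nlen) == 0 &&
            p[nlen] == ':') {
            const char *v = p + nlen + 1;
            const char *vend = p + linelen;
            while (v < vend && isspace((unsigned char)*v))
                v++;
            while (vend > v && isspace((unsigned char)vend[-1]))
                vend--;
            if ((size_t)(vend - v) >= outlen)
                return -1;
            memcpy(out, v, (size_t)(vend - v));
            out[vend - v] = '\0';
            return 1;
        }
        if (!eol)
            break;
        p = eol + 2;
    }
    return 0;
}

/* True when the client announced X-CSTP-Full-IPv6-Capability: true. */
int cstp_full_ipv6_capable(const char *req)
{
    char v[16];
    return cstp_header_get(req, "X-CSTP-Full-IPv6-Capability", v, sizeof v) == 1 &&
           strcasecmp(v, "true") == 0;
}

/* Header values come from server configuration, but a stray newline in a
 * config value would otherwise become a forged header on the wire. */
static int has_crlf(const char *s)
{
    return strpbrk(s, "\r\n") != NULL;
}

/* Emit the address and split-include headers for a capable client.
 * Returns bytes written, or -1 on a bad value or a too-small buffer. */
int cstp_format_ip6_headers(char *out, size_t outlen, const char *addr,
                            const char *const *routes, size_t nroutes)
{
    size_t off = 0;
    int n;

    if (has_crlf(addr))
        return -1;
    n = snprintf(out, outlen, "X-CSTP-Address-IP6: %s\r\n", addr);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    off = (size_t)n;
    for (size_t i = 0; i < nroutes; i++) {
        if (has_crlf(routes[i]))
            return -1;
        n = snprintf(out + off, outlen - off,
                     "X-CSTP-Split-Include-IP6: %s\r\n", routes[i]);
        if (n < 0 || (size_t)n >= outlen - off)
            return -1;
        off += (size_t)n;
    }
    return (int)off;
}
```

The lookup deliberately stops at the first blank line, since the remaining bytes belong to the tunnel, and it never reads past the NUL terminator of the request buffer.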
Nikos Mavrogiannopoulos
af6714605b
when a user is rejected due to multiple connections set an appropriate status.
2014-02-14 10:37:35 +01:00
Nikos Mavrogiannopoulos
0ec67882c0
Added support for multiple DNS and NBNS servers.
...
This patch also combines ipv4-dns and ipv6-dns options
that are now handled as aliases to dns.
A side-effect of this patch is that the local keyword is no
longer supported.
2014-02-01 14:50:52 +01:00
Nikos Mavrogiannopoulos
30d656ad92
code cleanup
2014-01-20 22:02:09 +01:00
Nikos Mavrogiannopoulos
baf12348d4
Added proc_st status PS_AUTH_FAILED to prevent users that failed authentication from leaving a zombie proc_st.
2014-01-19 04:14:56 +01:00
Nikos Mavrogiannopoulos
f174f655db
remove zombie proc_st when its state has been 'stolen'
2014-01-19 04:00:02 +01:00
Nikos Mavrogiannopoulos
90a9286b88
send auth reply failure when needed.
2014-01-18 16:06:37 +01:00
Nikos Mavrogiannopoulos
b1af6f2829
enabling cisco-client-compat allows 'stealing' of processes.
...
This change puts a proc_st whose client has terminated into a "zombie"
state. That state will allow a client that connects later using the
same TLS session ID to reclaim it. That way clients that try to authenticate
by sending their credentials in different sessions can still authenticate with
ocserv. That however puts more trust in worker processes (as the main
process has no way of telling whether a TLS session is certainly
resumed).
2014-01-18 15:06:10 +01:00
Nikos Mavrogiannopoulos
823190475b
print textual name of messages exchanged.
2014-01-12 18:23:29 +01:00
Nikos Mavrogiannopoulos
39572b3d48
Store User-Agent information and send to occtl.
2014-01-12 14:35:58 +01:00
Nikos Mavrogiannopoulos
ea45e710d0
Better error checking and cleaned up support for scripts.
2014-01-11 20:37:46 +01:00
Nikos Mavrogiannopoulos
33dfbdea56
worker will send information on the negotiated TLS/DTLS ciphersuites to main.
2014-01-10 09:17:59 +01:00
Nikos Mavrogiannopoulos
49b4eaa7dd
eliminated memory leaks
2014-01-09 16:56:01 +01:00
Nikos Mavrogiannopoulos
80e5d84c6d
remove_proc() calls remove_from_script_list().
...
This will prevent a race in the case where a proc is deleted (i.e.,
user is disconnected) but a running script terminates afterwards and
tries to reference the deleted proc.
2014-01-08 20:21:45 +01:00
Nikos Mavrogiannopoulos
3561f7f34a
when disconnecting a user make sure that no race conditions exist when killing the process.
2014-01-08 11:17:51 +01:00
Nikos Mavrogiannopoulos
058b986967
Converted IPC messaging to protocolbuffers-c
...
That adds a dependency on protocolbuffers-c, but simplifies
the worker-main communication protocol handling.
2013-12-21 12:38:01 +01:00
Nikos Mavrogiannopoulos
c6a08db6db
Added support for cgroups
2013-12-10 11:07:08 +01:00
Nikos Mavrogiannopoulos
6cb553e9a8
Added the net-priority configuration option.
...
That option allows setting the protocol-defined priority (via SO_PRIORITY)
for the UDP and TCP sockets, per user/group or globally.
2013-12-09 14:40:55 +01:00
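The net-priority commit above sets SO_PRIORITY on the per-session sockets, resolved per user, per group or globally. The added example below is not ocserv's code: it shows the override resolution and the setsockopt()/getsockopt() pair, with the Linux-specific caveat that priority values above 6 require CAP_NET_ADMIN, so a configuration value in that range on an unprivileged daemon fails with EPERM instead of being silently applied. The -1 "unset" convention and the function names are assumptions of the example.

```c
#include <errno.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* -1 means "not set at this level"; the most specific level wins. */
int resolve_net_priority(int global, int group, int user)
{
    if (user >= 0)
        return user;
    if (group >= 0)
        return group;
    return global;
}

/* Apply the resolved priority to a TCP or UDP socket. Returns 0 on success
 * (including "nothing configured"), -errno on failure, -ENOSYS where the
 * platform has no SO_PRIORITY. On Linux, 0..6 are allowed for any process;
 * 7 and above need CAP_NET_ADMIN and otherwise fail with -EPERM. */
int set_net_priority(int fd, int prio)
{
    if (prio < 0)
        return 0;           /* leave the kernel default untouched */
#ifdef SO_PRIORITY
    if (setsockopt(fd, SOL_SOCKET, SO_PRIORITY, &prio, sizeof prio) < 0)
        return -errno;
    return 0;
#else
    (void)fd;
    return -ENOSYS;
#endif
}

/* Read back the effective priority so a config value can be verified. */
int get_net_priority(int fd)
{
#ifdef SO_PRIORITY
    int prio = -1;
    socklen_t len = sizeof prio;
    if (getsockopt(fd, SOL_SOCKET, SO_PRIORITY, &prio, &len) < 0)
        return -errno;
    return prio;
#else
    (void)fd;
    return -ENOSYS;
#endif
}
```

Checking the return value matters here: a failed setsockopt() does not affect the connection, so without the check a group configured for a privileged priority would run at the default without any log line saying so.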
Nikos Mavrogiannopoulos
d4a56c6a33
initialize values prior to list_for_each() calls, to avoid static analysers complaints on garbage values.
2013-12-06 14:50:48 +01:00
Nikos Mavrogiannopoulos
8bb4e81f6f
When a new connection presents a cookie of an existing session the previous session is disconnected.
2013-12-05 20:53:27 +01:00
Nikos Mavrogiannopoulos
b1633b2eb1
updated code to avoid memory leaks.
2013-11-05 20:07:09 +01:00