GitLab/ocserv
1
0
Fork 0
mirror of https://gitlab.com/openconnect/ocserv.git synced 2026-03-06 06:47:41 +08:00
Code Issues Packages Projects Releases Wiki Activity
1,667 Commits 16 Branches 89 Tags
108d34f6132227c10888e4c10086601c9fd58a3d
Commit Graph

109 Commits

Author SHA1 Message Date
Nikos Mavrogiannopoulos
afef74fa23 removed the certificate[optional] auth type 2015-02-19 11:47:20 +01:00
Nikos Mavrogiannopoulos
3d55134215 when opening a session forward the received cookie to sec-module 
That allows to verify that the cookie hasn't been tampered
without relying only on the MAC.
 2015-02-12 21:44:32 +01:00
Nikos Mavrogiannopoulos
38206d6e93 eliminate double books for session expiration 
Session expiration is now handled only by security
module. That simplifies the logic significantly.
 2015-02-09 11:25:48 +01:00
Nikos Mavrogiannopoulos
ee81ffa10d when we detect user disconnection, set the proper expiration time on their cookies 2015-02-09 10:07:46 +01:00
Nikos Mavrogiannopoulos
bcea928abe Added support for no-routes (X-Split-Exclude) 2015-02-06 14:05:10 +01:00
Nikos Mavrogiannopoulos
6f714d6f2e report the compression algorithms to occtl 2015-01-15 19:04:43 +01:00
Nikos Mavrogiannopoulos
406c171069 avoid repeating username in logs 2015-01-11 12:28:01 +01:00
Nikos Mavrogiannopoulos
04ec372f4f save MTU in main, and report it to occtl 2015-01-11 10:34:13 +01:00
Nikos Mavrogiannopoulos
9fc8568107 ensure that stats are only updated if they increase 
That is, transferred bytes will not decrease in an update
due to miscommunication between main and workers.
 2014-12-14 20:00:33 +01:00
Nikos Mavrogiannopoulos
07e01d06b5 use strlcpy() instead of snprintf() where it make sense 
That should reduce wasted cycles.
 2014-12-14 19:24:14 +01:00
Nikos Mavrogiannopoulos
853f7876cd radius: increase the info sent during accounting requests 
Based on suggestions by Niels Peen. That adds:
Calling-Station-Id in auth message, and Service-Type,
Framed-Protocol, Framed-IP-Address, Acct-Authentic,
NAS-Port-Type, Acct-Session-Time in acct messages.
 2014-12-14 15:03:59 +01:00
Nikos Mavrogiannopoulos
baa3e4701e Supplementary configuration is now read by the security module. 
That allows sec-mod to handle both authentication and accounting.
That deprecates the session-control configuration option.
 2014-12-08 13:52:28 +01:00
Nikos Mavrogiannopoulos
7abfb3e800 call disconnect script only if the user was on connected state 2014-12-02 08:34:20 +01:00
Nikos Mavrogiannopoulos
53005a2cfd use hash tables to locate proc entries 
That would avoid a walk on all connected clients, when a
new UDP session starts.
 2014-10-27 15:01:05 +01:00
Nikos Mavrogiannopoulos
ef7fb7d594 Revert "use force_close() on server to avoid descriptor leaks" 
This reverts commit f622f6696c.
 2014-10-02 09:36:22 +02:00
Nikos Mavrogiannopoulos
1cb35b8b09 use more reasonable names to open and close a session 2014-09-25 16:41:54 +02:00
Nikos Mavrogiannopoulos
30bcf35576 Revert "license upgraded to GPLv3" 
This reverts commit 213f9a63ee.

Conflicts:
	configure.ac
 2014-09-24 11:34:15 +02:00
Nikos Mavrogiannopoulos
f622f6696c use force_close() on server to avoid descriptor leaks 2014-09-21 01:40:36 +02:00
Nikos Mavrogiannopoulos
a8b32ed8f0 ensure that in all cases the tun fd is closed 2014-09-21 01:35:50 +02:00
Nikos Mavrogiannopoulos
28dca2aa0c Added support for session control (relevant for PAM for now) 
That in effect will utilize the pam_open_session() and pam_close_session().
It is disabled by default as it requires more resources from the security module.
 2014-06-10 15:16:40 +02:00
Brian Chu
de0388a3f7 Fix tun device usage on *BSD. 
SIOCSIFADDR is deprecated on *BSD. Instead, use SIOCAIFADDR to
add an alias. Also destroy the tun device with SIOCIFDESTROY when
the client disconnects.
 2014-06-02 11:49:08 +02:00
Nikos Mavrogiannopoulos
264114e799 doc update 2014-06-02 09:33:26 +02:00
Nikos Mavrogiannopoulos
e5c60a7a44 Limit the number of TLS resumption requests to one. 2014-05-28 10:32:35 +02:00
Nikos Mavrogiannopoulos
0f0cf31a79 zeroize cookies and TLS session data after read. 2014-05-28 10:11:17 +02:00
Nikos Mavrogiannopoulos
25fbdfbf70 Keep track of cookies internally. 
That allows to restrict the cookie validity time to the absolutely minimum
required to establish and reconnect a recently disconnected session.
That deprecates the cookie-validity option and introduces the cookie-timeout
option.
 2014-05-27 16:00:57 +02:00
Nikos Mavrogiannopoulos
7ba0fffb07 Added the configuration option deny-roaming. 
That required moving the read of the group configuration during the
cookie authentication phase.
 2014-05-25 10:17:28 +02:00
Nikos Mavrogiannopoulos
213f9a63ee license upgraded to GPLv3 2014-05-23 11:50:56 +02:00
Nikos Mavrogiannopoulos
d99c527758 memory reorganization in sec-mod. 
It no longer relies on main pool, it uses it's own pool.
In addition the DEBUG_LEAKS definition was added to allow debugging
leaks.
 2014-05-15 16:44:43 +02:00
Nikos Mavrogiannopoulos
739a2126d0 Clean-up all memory on deinitialization of sec-mod and worker. 
That will allow to easier spot any unintentional memory leaks.
 2014-05-15 15:36:03 +02:00
Nikos Mavrogiannopoulos
e7171ac859 Supplementary group/user configuration is now modular. 
That will ease the addition of other backends that can be used to
read the user/group configuration. The only backend supported now
is file.
 2014-05-15 11:36:30 +02:00
Nikos Mavrogiannopoulos
53f3129da9 Authentication modules were moved to subdirectory auth/ 2014-05-14 14:35:50 +02:00
Nikos Mavrogiannopoulos
788560b9ce Added default-user-config and default-group-config configuration options. 
These allow setting a configuration file that will be loaded if a
user-specific or group-specific configuration file isn't found.
 2014-05-14 13:27:51 +02:00
Nikos Mavrogiannopoulos
09704b8819 Password authentication is now delegated to sec-mod. 
That prevents any memory from the authentication modules to be leaked
to a worker process. As a result, the status zombie and dead no longer
exists.
 2014-05-14 11:37:01 +02:00
Nikos Mavrogiannopoulos
df7b124df4 include malloc.h when needed. 2014-05-13 21:19:56 +02:00
Nikos Mavrogiannopoulos
07559df432 Corrected the removal of socket files in chrooted environment. 
In addition remove the occtl_socket_file.
 2014-05-12 11:14:53 +02:00
Nikos Mavrogiannopoulos
929bf5e211 Fixes in talloc usage in occtl in combination with readline. 2014-05-09 16:52:16 +02:00
Nikos Mavrogiannopoulos
969e684960 Use talloc() for all allocations to reduce the possibility of memory leaks. 2014-05-09 16:13:11 +02:00
Nikos Mavrogiannopoulos
2a0cc77c2e Export TUN device statistics from the worker process. 
When a worker process terminates in authenticated state, then
export statistics from the tun device (currently bytes_in and
bytes_out). These statistics are sent to main process using an
informational message just prior to process exit. The statistics
are also exported to the disconnect script using the STATS_BYTES_IN
and STATS_BYTES_OUT environment variables.
 2014-04-28 17:32:51 +02:00
Nikos Mavrogiannopoulos
62110975a7 Revert "Delay the cleanup of resources of a worker if a disconnect script is set." 
This reverts commit 7e0ee385c2.
 2014-04-16 12:00:16 +02:00
Nikos Mavrogiannopoulos
e6364e8e52 Revert "When a disconnect script is set, the main process will close the tun device on client exit." 
This reverts commit e50051b435.
 2014-04-15 10:33:53 +02:00
Nikos Mavrogiannopoulos
bec93731eb Simplified group configuration file loading. 2014-04-14 13:40:37 +02:00
Nikos Mavrogiannopoulos
c410891421 send ID as signed integer over dbus. 2014-04-13 08:56:36 +02:00
Nikos Mavrogiannopoulos
7e0ee385c2 Delay the cleanup of resources of a worker if a disconnect script is set. 
In that case use the intermediate state PS_AUTH_DEAD to delay the
release of resources for few seconds. That would allow the disconnect
script to gather any required statistics from the device, IPs etc.
 2014-04-12 21:29:14 +02:00
Nikos Mavrogiannopoulos
6410f6864c The tun device will be closed only after the disconnect script has been called. 
This allows gathering statistics from it. In addition, changed behavior of
script calling, and now will always contain the IP information.
 2014-04-12 12:44:13 +02:00
Nikos Mavrogiannopoulos
e50051b435 When a disconnect script is set, the main process will close the tun device on client exit. 
That allows the disconnect script to gather statistics from the client session.
 2014-04-12 12:37:47 +02:00
Nikos Mavrogiannopoulos
1185cb07ee Execute disconnect script for user that their IP was hijacked by a cookie reconnection 
This will prevent having the script be called to initiate connections
that are never disconnected. This patch also introduces IPV6_LOCAL and
IPV6_REMOTE script environment variables that allow passing both addresses
in case both IPv4 and IPv6 are assigned.
 2014-04-12 08:43:10 +02:00
Nikos Mavrogiannopoulos
c84452fe8f Added limits.h for POSIX_PATH_MAX 2014-03-31 16:58:02 +02:00
Nikos Mavrogiannopoulos
317fe62a56 Added sys/uio.h 2014-03-31 16:57:24 +02:00
Nikos Mavrogiannopoulos
35c31bc0b7 Allow TUN_MTU command only in authenticated state 2014-03-10 10:41:27 +01:00
Nikos Mavrogiannopoulos
6028e5d81d simplified handle_auth_res() 2014-03-10 10:41:27 +01:00