GitLab/ocserv
1
0
Fork 0
mirror of https://gitlab.com/openconnect/ocserv.git synced 2026-02-10 08:46:58 +08:00
Code Issues Packages Projects Releases Wiki Activity
3,238 Commits 19 Branches 88 Tags
10e3136a43f2cf72b8c2a6705a69d0e96a92a378
Commit Graph

3238 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Nikos Mavrogiannopoulos
10e3136a43 Merge branch 'tmp-eperm' into 'master' 
worker: allow filtered calls to fail with signal

See merge request openconnect/ocserv!175
 2020-05-11 19:15:30 +00:00
Nikos Mavrogiannopoulos
f9d8b3afc8 worker: enable all system calls used by worker 
This allows the set of non-blocking sockets in worker processes.

Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
 2020-05-10 21:45:18 +02:00
Nikos Mavrogiannopoulos
350250ea82 worker: allow filtered calls to fail with a trap 
This adds a fedora CI run to with filtered calls failing
with a signal in order to detect missing syscalls from our filters.

Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
 2020-05-10 21:45:05 +02:00
Nikos Mavrogiannopoulos
4e00087b57 .gitlab-ci.yml: the freebsd system became unavailable 
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
 2020-05-02 06:10:08 +02:00
Nikos Mavrogiannopoulos
783c240998 ocsigaltstack: posix_memaligns does not return negative on failure 
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
 2020-05-02 06:09:16 +02:00
Nikos Mavrogiannopoulos
7d4190a0a3 seccomp: fail with ENOSYS instead of EPERM 
When new calls are introduced in the kernel a libc may
chose to move to them. Having our filter return ENOSYS
will signal libc to fallback to the previous call which
exists in the filter.

Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
 2020-05-02 06:03:53 +02:00
Alan Jowett
75470d99c3 When setting up the DTLS session, close the previous DTLS session if it exists. 
Resolves: #293

Signed-off-by: Alan Jowett alanjo@microsoft.com
 2020-04-29 13:39:28 +02:00
Nikos Mavrogiannopoulos
d2def367c3 Merge branch 'issue291' into 'master' 
Remove unused code when --disable-compression is set.

Closes #291

See merge request openconnect/ocserv!170
 2020-04-27 19:56:56 +00:00
Alan Jowett
7e5052782e Remove unused code when --disable-compression is set. 
Resolves: #291

Singed-off-by: Alan Jowett <alanjo@microsoft.com>
 2020-04-27 09:18:09 -06:00
Nikos Mavrogiannopoulos
df5ea8bd3d Merge branch 'isssue290' into 'master' 
Remove unused code when --disable-anyconnect-compat is set.

Closes #290

See merge request openconnect/ocserv!169
 2020-04-27 11:35:58 +00:00
Alan Jowett
8cac05dac2 Remove unused code when --disable-anyconnect-compat is set. 
Resolves: #290

Signed-off-by: Alan Jowett alanjo@microsoft.com
 2020-04-26 13:10:10 -06:00
Nikos Mavrogiannopoulos
c407ef9cc5 doc update 
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
 2020-04-22 21:36:48 +02:00
Nikos Mavrogiannopoulos
626ca7f377 configure: fixed enable-oidc-auth help message 
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
 2020-04-22 13:01:43 +02:00
Alan Jowett
b63ecb7717 Kill ocserv workers before ocserv-main or ocserv-secmod 
On systems that are running low on memory, the ocserv worker processes
should be killed before the ocserv-main or ocserv-sm process.

To achieve this, we set /proc/self/oom_score_adj to 1000

Resolves: #283

Signed-off-by: Alan TG Jowett <alan.jowett@microsoft.com>
 2020-04-22 12:59:07 +02:00
Nikos Mavrogiannopoulos
deef4603a0 Merge branch 'issue284' into 'master' 
Attempt to download updated JWKs if the client presents an unknown key.

Closes #284

See merge request openconnect/ocserv!168
 2020-04-22 10:56:55 +00:00
Alan Jowett
9d9907ef5e Attempt to download updated JWKs if the client presents an unknown key. 
Limit the download of keys to every 900s.

Resolves: #284
Signed-off-by: Alan Jowett <alanjo@microsoft.com>
 2020-04-19 16:30:12 -06:00
Nikos Mavrogiannopoulos
e79348a154 corrected typo 
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
 2020-04-17 22:14:58 +02:00
Nikos Mavrogiannopoulos
df3b925524 Merge branch 'tmp-disable-nagle' into 'master' 
Disable TCP queuing on the TLS port.

See merge request openconnect/ocserv!165
 2020-04-11 17:31:22 +00:00
Nikos Mavrogiannopoulos
c702227b3b Merge branch 'tmp-enable-kerberos' into 'master' 
Fix kerberos tests

See merge request openconnect/ocserv!149
 2020-04-10 21:44:55 +00:00
Nikos Mavrogiannopoulos
fd2bd42cb2 .gitlab-ci.yml: corrected kerberos tests 
This also corrects the kerberos test script environment
to enable running the test.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
 2020-04-10 23:06:07 +02:00
Nikos Mavrogiannopoulos
a63164e182 Disable TCP queuing on the TLS port. 
This makes the CSTP connection more interactive for clients that
cannot run over UDP.

See openconnect#122 for discussion.

Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
 2020-04-10 21:15:39 +02:00
Nikos Mavrogiannopoulos
8cb14b7ebd released 1.0.1 
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
1.0.1 		2020-04-09 23:07:19 +02:00
Nikos Mavrogiannopoulos
304dc8af2d doc update [ci skip] 
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
 2020-04-09 23:06:05 +02:00
Nikos Mavrogiannopoulos
33f225108a config: removed reference of user-profile in group config 
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
 2020-04-09 22:56:52 +02:00
Nikos Mavrogiannopoulos
b24c427b15 config: document that user-profile cannot be set per user 
Relates: #270
Resolves: #179

Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
 2020-04-09 22:53:02 +02:00
Nikos Mavrogiannopoulos
87bee0b7cb Merge branch 'tmp-fix-anyconnect-disconnect' into 'master' 
Distinguish the bye packet interpretation

Closes #281

See merge request openconnect/ocserv!162
 2020-04-09 12:30:54 +00:00
Nikos Mavrogiannopoulos
fca41e2fa2 Distinguish the bye packet interpretation 
In openconnect client the BYE packet indicates an explicit
user disconnect by sending 0x0b as payload. In anyconnect clients it
may indicate an intention to reconnect (e.g., because network was changed).
We introduce a check for 0x0b to identify the user disconnect and
add debugging output for other disconnect reasons.

Relates: #281

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
 2020-04-08 21:07:36 +02:00
Nikos Mavrogiannopoulos
2c93618c90 Merge branch 'tmp-tests-updates' into 'master' 
Minor updates in tests

See merge request openconnect/ocserv!164
 2020-04-08 18:15:13 +00:00
Nikos Mavrogiannopoulos
e9251a66e8 tests: test-max-same-1/test-multi-cookie: use update_config 
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
 2020-04-08 19:37:57 +02:00
Nikos Mavrogiannopoulos
9246431590 tests: radius tests are not run when radius is disabled 
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
 2020-04-08 19:25:56 +02:00
Nikos Mavrogiannopoulos
689843e874 tests: separate resources in haproxy-connect in test-udp-listen-host 
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
 2020-04-08 19:25:47 +02:00
Nikos Mavrogiannopoulos
b6d879d18f Merge branch 'tmp-san-update' into 'master' 
Cleanup get_cert_names()

See merge request openconnect/ocserv!163
 2020-04-06 14:58:52 +00:00
Nikos Mavrogiannopoulos
1e657a618a Cleanup get_cert_names() 
Ensure that we do not recognize unsupported names as
supported.

Relates: #822

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
 2020-04-06 16:21:04 +02:00
Nikos Mavrogiannopoulos
2291a37336 Merge branch 'tmp-fix-vpnc-script' into 'master' 
vpnc-script: added attempt-reconnect

See merge request openconnect/ocserv!161
 2020-04-06 12:26:20 +00:00
Nikos Mavrogiannopoulos
fe99e77ccb vpnc-script: added attempt-reconnect 
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
 2020-04-06 13:49:01 +02:00
Nikos Mavrogiannopoulos
82dc37df0c Merge branch 'tmp-fix-banned-printing' into 'master' 
occtl: list actual banned entries

Closes #272

See merge request openconnect/ocserv!160
 2020-04-04 13:22:01 +00:00
Nikos Mavrogiannopoulos
2d9bc11f59 occtl: list actual banned entries 
This fixes the ban entries listing from printing all the items in
the database, to all the items that are actually banned from
connecting.

Resolves: #272

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
 2020-04-03 22:09:14 +02:00
Nikos Mavrogiannopoulos
79cb3cb7ff occtl: avoid division by zero 
Resolves: #278

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
 2020-04-03 13:45:36 +02:00
Nikos Mavrogiannopoulos
c34b84e0d1 Merge branch 'tmp-ignore-broken-dtls' into 'master' 
Prevent clients with a broken GnuTLS version from connecting using DTLS

Closes #277

See merge request openconnect/ocserv!157
 2020-04-03 11:39:28 +00:00
Nikos Mavrogiannopoulos
aa9c401cac Prevent clients with a broken GnuTLS version from connecting using DTLS 
That prevents clients that send an all-zero DTLS client hello from being
able to establish a connection.

That also introduces the OCSERV_ALLOW_BROKEN_CLIENTS environment variable
which when set to 1 it allows broken clients to connect. This is used
mainly to allow test cases to pass to existing vulnerable systems in our
CI.

Resolves: #277

Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
 2020-04-03 12:51:22 +02:00
Nikos Mavrogiannopoulos
f65eb9f318 Merge branch 'tmp-fix-cstp-send' into 'master' 
cstp_send_file: fixed handling of syscall interrupts

See merge request openconnect/ocserv!159
 2020-04-02 13:52:58 +00:00
Nikos Mavrogiannopoulos
d551b8badc cstp_send_file: fixed handling of syscall interrupts 
This also increases the buffer size.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
 2020-04-02 15:05:29 +02:00
Nikos Mavrogiannopoulos
275ab571b3 Merge branch 'master' into 'master' 
Fix hmac hash problem for time_t and unit64_t, they may have different size in 32bit/64bit systems

See merge request openconnect/ocserv!156
 2020-04-01 11:31:01 +00:00
sunnyqeen
899a1323a9 Fix hmac hash problem for time_t and unit64_t, they may have different size in 32bit/64bit systems 2020-03-31 09:58:09 +00:00
Nikos Mavrogiannopoulos
ced7ba9fd3 doc update 
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
 2020-03-27 08:24:15 +01:00
Stefan Bühler
0e6a791a40 occtl show status: produce machine-readable output for json 
This adds additional variables to include machine-readable output
in json form.

Resolves: #271

Signed-off-by: Stefan Bühler <stbuehler@web.de>
 2020-03-27 08:20:34 +01:00
Nikos Mavrogiannopoulos
07948320ad Merge branch 'fix_compilation_warnings_in_pcl' into 'master' 
Fixed minor compilation warnings

See merge request openconnect/ocserv!153
 2020-03-25 09:24:39 +00:00
Pierre Souchay
f19c3f7d23 Fixed minor compilation warnings 
Warnings outputed by gcc (Ubuntu 7.5.0-3ubuntu1~18.04) 7.5.0

* pcl/pcl.c:385:17: warning: unused variable ‘r’ [-Wunused-variable]

* Use pre-compilation directive to avoid defining unused function when not needed:

  * pcl/pcl.c:62:12: warning: ‘co_ctx_stackdir’ defined but not used [-Wunused-function]
    static int co_ctx_stackdir(void)

  * pcl/pcl.c:54:12: warning: ‘co_ctx_sdir’ defined but not used [-Wunused-function]
    static int co_ctx_sdir(unsigned long psp)

Signed-off-by: Pierre Souchay <pierre@souchay.net>
 2020-03-23 18:20:08 +01:00
Nikos Mavrogiannopoulos
c142868909 Merge branch 'fix-ban-log' into 'master' 
ban log: only log once when adding, not when increasing score when already banned

See merge request openconnect/ocserv!152
 2020-03-23 07:16:44 +00:00
Stefan Bühler
23430d1118 ban log: only log once when adding, not when increasing score when already banned 
Signed-off-by: Stefan Bühler <stbuehler@web.de>
 2020-03-22 16:01:03 +01:00