GitLab/ocserv
1
0
Fork 0
mirror of https://gitlab.com/openconnect/ocserv.git synced 2026-02-10 16:57:00 +08:00
Code Issues Packages Projects Releases Wiki Activity
2,010 Commits 19 Branches 88 Tags
33bcfb178e15b261408ef4ece76ebbace99e7888
Commit Graph

41 Commits

Author SHA1 Message Date
Nikos Mavrogiannopoulos
33bcfb178e main: use two sockets to communicate with sec-mod 
That allows to have a reliable synchronous socket, and
a socket where messages are sent and received asynchronously.
 2015-05-13 14:04:22 +02:00
Nikos Mavrogiannopoulos
df5a67b5c7 radius: set NAS_PORT on accounting requests 2015-05-11 14:26:58 +02:00
Nikos Mavrogiannopoulos
18134a87d5 radius: advertise the correct NAS IP in accounting messages 2015-05-11 14:26:42 +02:00
Nikos Mavrogiannopoulos
d1d83d909c sec-mod: eliminated redundant parameters 2015-05-11 14:25:51 +02:00
Nikos Mavrogiannopoulos
41bcc9d0c0 radius: put the process ID into NAS-Port 2015-05-11 14:15:25 +02:00
Nikos Mavrogiannopoulos
f89525ff94 added config option 'persistent-cookies' 
When it is set, it doesn't invalidate cookies after
user disconnection.
 2015-05-06 20:41:42 +02:00
Nikos Mavrogiannopoulos
6e336431fe radius: distinguish between user disconnect and admin reset of worker process 2015-04-29 11:45:29 +02:00
Nikos Mavrogiannopoulos
7ea22d3aac receive SM_CMD_AUTH_BAN_IP_REPLY asynchronously to prevent race conditions 2015-03-23 11:13:26 +01:00
Nikos Mavrogiannopoulos
cc16a65819 separated permanent configuration options from the reloaded ones 2015-03-02 13:18:52 +01:00
Nikos Mavrogiannopoulos
a617485232 enforce of IP banning was moved to main 2015-02-25 13:16:56 +01:00
Nikos Mavrogiannopoulos
3222cedb99 simplify the communication between main and sec-mod 2015-02-25 10:33:25 +01:00
Nikos Mavrogiannopoulos
40e96aae45 Separated accounting from authentication. 2015-02-23 15:19:44 +01:00
Nikos Mavrogiannopoulos
e7f0b1f947 keep statistics over the lifetime of a session rather than closing and opening the session multiple times 2015-02-22 22:01:47 +01:00
Nikos Mavrogiannopoulos
f1bc754169 add part of the session ID in logs to differentiate them 2015-02-21 17:14:09 +01:00
Nikos Mavrogiannopoulos
2557944bf0 eliminated unneeded variable 2015-02-19 19:29:03 +01:00
Nikos Mavrogiannopoulos
108d34f613 Ban an IP only when the MAX_PASSWORD_TRIES attempts have been exceeded 2015-02-19 11:47:20 +01:00
Nikos Mavrogiannopoulos
bfeab4b015 Additional data are passed only to auth module's global_init 2015-02-19 11:47:20 +01:00
Nikos Mavrogiannopoulos
11f43f144a eliminated auth message upper limit 2015-02-19 11:47:20 +01:00
Nikos Mavrogiannopoulos
8bb0af61bc Added GSSAPI as an additional password auth mechanism 
That also adds the ability to support an OR composition of multiple
authentication methods. That is using the 'enable-auth' config option.
 2015-02-19 11:47:20 +01:00
Nikos Mavrogiannopoulos
d348caacc2 added seclog_hex 2015-02-12 21:43:40 +01:00
Nikos Mavrogiannopoulos
6c8174668d moved LOG_DEBUG messages to debug level 3 or higher 2015-01-28 11:48:58 +01:00
Nikos Mavrogiannopoulos
414c5d94da harmonize the time cookies are stored in security module and main server 2015-01-25 18:48:49 +01:00
Nikos Mavrogiannopoulos
853f7876cd radius: increase the info sent during accounting requests 
Based on suggestions by Niels Peen. That adds:
Calling-Station-Id in auth message, and Service-Type,
Framed-Protocol, Framed-IP-Address, Acct-Authentic,
NAS-Port-Type, Acct-Session-Time in acct messages.
 2014-12-14 15:03:59 +01:00
Nikos Mavrogiannopoulos
065753bd57 undid ed5b177691 
It is not currently possible to reload only a part of the
configuration. If the back-end module changes, the server will
bail out instead.
 2014-12-10 15:28:14 +01:00
Nikos Mavrogiannopoulos
0551338a7a sec-mod: preparations for thread safety 2014-12-10 14:10:17 +01:00
Nikos Mavrogiannopoulos
320773e80a Added support for radius interim updates 2014-12-10 11:18:29 +01:00
Nikos Mavrogiannopoulos
35e93c6341 added option to send statistics periodically to sec-mod 2014-12-10 11:18:23 +01:00
Nikos Mavrogiannopoulos
2194e11b39 Added support for radius authentication 2014-12-09 10:59:18 +01:00
Nikos Mavrogiannopoulos
baa3e4701e Supplementary configuration is now read by the security module. 
That allows sec-mod to handle both authentication and accounting.
That deprecates the session-control configuration option.
 2014-12-08 13:52:28 +01:00
Nikos Mavrogiannopoulos
7b0e20e6ad sec-mod: made logging consistent with the main server 2014-12-01 22:49:09 +01:00
Nikos Mavrogiannopoulos
1cb35b8b09 use more reasonable names to open and close a session 2014-09-25 16:41:54 +02:00
Nikos Mavrogiannopoulos
365ca267d4 added new authentication mode optional-certificate 
That mode allows having only specific group of users that are required
to present a certificate.
 2014-09-24 12:41:31 +02:00
Nikos Mavrogiannopoulos
28dca2aa0c Added support for session control (relevant for PAM for now) 
That in effect will utilize the pam_open_session() and pam_close_session().
It is disabled by default as it requires more resources from the security module.
 2014-06-10 15:16:40 +02:00
Nikos Mavrogiannopoulos
6ca3c4761c Cookies are packed using protocol buffers to reduce their size. 2014-05-21 16:11:05 +02:00
Kevin Cernekee
8e67f959ed Add missing GnuTLS header file 
sec-mod.h now uses gnutls_privkey_t, so include <gnutls/abstract.h> to
fix this error:

      CC       main-misc.o
    In file included from main-misc.c:43:0:
    ./sec-mod.h:31:2: error: unknown type name ‘gnutls_privkey_t’
      gnutls_privkey_t *key;
      ^
 2014-05-21 06:17:09 +02:00
Nikos Mavrogiannopoulos
d99c527758 memory reorganization in sec-mod. 
It no longer relies on main pool, it uses it's own pool.
In addition the DEBUG_LEAKS definition was added to allow debugging
leaks.
 2014-05-15 16:44:43 +02:00
Nikos Mavrogiannopoulos
739a2126d0 Clean-up all memory on deinitialization of sec-mod and worker. 
That will allow to easier spot any unintentional memory leaks.
 2014-05-15 15:36:03 +02:00
Nikos Mavrogiannopoulos
09704b8819 Password authentication is now delegated to sec-mod. 
That prevents any memory from the authentication modules to be leaked
to a worker process. As a result, the status zombie and dead no longer
exists.
 2014-05-14 11:37:01 +02:00
Nikos Mavrogiannopoulos
85f4db201c updated license information and authors 2013-11-05 19:38:30 +01:00
Nikos Mavrogiannopoulos
82df00f0b0 updates in unix socket creation 2013-03-16 21:27:58 +01:00
Nikos Mavrogiannopoulos
5a4ce846b7 The TLS private keys are kept into a privileged process. 
That process is called security-module (sec-mod) and communicates
with the workers using a unix domain socket.
 2013-03-15 17:47:38 +01:00