Commit Graph

1989 Commits

Author SHA1 Message Date
Alan Jowett
c9662282a1 Prevent tampering of our_ip, ip, session_start_time in SEC_AUTH_INIT from ocserv-worker to ocserv->sm and reject replay of auth_init_messages from old sessions.
Resolves: #252

Signed-off-by: Alan Jowett <alanjo@microsoft.com>
2020-02-28 11:20:30 -07:00
Alan Jowett
6518965129 CMD_BAN_IP should not use the IP address provided by worker process as it is not verified.
Resolves: #245

Signed-off-by: Alan Jowett <alanjo@microsoft.com>
2020-02-27 12:18:09 -07:00
Nikos Mavrogiannopoulos
12c69171a8 steal_ip_leases: reorg to avoid null pointer dereference
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
2020-02-25 08:25:24 +01:00
Nikos Mavrogiannopoulos
cc651b9de5 Ensure scripts have all the information on all disconnection types
When a client re-uses a cookie and takes over a previous connection,
previously the disconnect script of the old connection wouldn't receive
the IP information. Ensure that all information is provided to scripts
in this case.

Resolves: #231

Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
2020-02-23 13:44:19 +01:00
Nikos Mavrogiannopoulos
2932043dd9 Merge branch 'issue244' into 'master'
ocserv-main should limit the maximum message size a client can send

Closes #244

See merge request openconnect/ocserv!132
2020-02-20 16:47:52 +00:00
Nikos Mavrogiannopoulos
f333e600b5 Merge branch 'issue247' into 'master'
Resolves: #247 - Bound negotiated MTU between RFC 791 defined minimum and configured maximum.

Closes #247

See merge request openconnect/ocserv!135
2020-02-20 16:46:07 +00:00
Alan Jowett
87b1dc65ba Bound negotiated MTU between RFC 791 defined minimum and configured maximum.
Resolves: #247

Signed-off-by: Alan Jowett <alanjo@microsoft.com>
2020-02-19 15:26:55 -07:00
Alan Jowett
f410a5c637 ocserv-main should limit the maximum message size a client can send
Resolves: #244

Signed-off-by: Alan Jowett <alanjo@microsoft.com>
2020-02-19 15:11:03 -07:00
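Added example, not ocserv's own code: the commit above bounds the size of a message ocserv-main accepts from a client. The C below shows the general pattern for a length-prefixed IPC or wire frame: the declared length is checked against a ceiling before any allocation or copy. The 2-byte big-endian framing and the MAX_CLIENT_MSG value are assumptions for illustration; ocserv's actual message format and limit are not shown on this page.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed ceiling for a single client message (not ocserv's real constant). */
#define MAX_CLIENT_MSG 16384u

enum frame_status {
    FRAME_OK = 0,
    FRAME_NEED_MORE,   /* header or payload not fully received yet */
    FRAME_TOO_LARGE,   /* declared length exceeds MAX_CLIENT_MSG: drop the peer */
    FRAME_INVALID,     /* bad arguments */
    FRAME_NOMEM        /* allocation failed */
};

/*
 * Parse one frame in the assumed wire form: a 2-byte big-endian length
 * followed by that many payload bytes. The declared length is compared
 * against MAX_CLIENT_MSG before anything is allocated or copied, so a
 * peer cannot drive a large allocation or an unbounded read by lying in
 * the header. On FRAME_OK the caller owns *payload and must free() it.
 */
enum frame_status parse_frame(const uint8_t *buf, size_t buflen,
                              uint8_t **payload, size_t *payload_len)
{
    if (buf == NULL || payload == NULL || payload_len == NULL)
        return FRAME_INVALID;
    if (buflen < 2)
        return FRAME_NEED_MORE;

    size_t len = ((size_t)buf[0] << 8) | (size_t)buf[1];
    if (len > MAX_CLIENT_MSG)
        return FRAME_TOO_LARGE;       /* reject before touching the payload */
    if (buflen - 2 < len)
        return FRAME_NEED_MORE;

    uint8_t *out = malloc(len ? len : 1);
    if (out == NULL)
        return FRAME_NOMEM;
    memcpy(out, buf + 2, len);
    *payload = out;
    *payload_len = len;
    return FRAME_OK;
}

/* Constructed sample: header claims 65535 bytes, far above the bound. */
enum frame_status demo_oversized(void)
{
    const uint8_t frame[] = { 0xFF, 0xFF, 'x' };
    uint8_t *p = NULL;
    size_t n = 0;
    enum frame_status st = parse_frame(frame, sizeof frame, &p, &n);
    free(p);
    return st;
}

/* Constructed sample: a well-formed 5-byte message; returns its length. */
size_t demo_small(void)
{
    const uint8_t frame[] = { 0x00, 0x05, 'h', 'e', 'l', 'l', 'o' };
    uint8_t *p = NULL;
    size_t n = 0;
    if (parse_frame(frame, sizeof frame, &p, &n) != FRAME_OK)
        return 0;
    int same = memcmp(p, "hello", 5) == 0;
    free(p);
    return same ? n : 0;
}

/* Constructed sample: header promises 5 bytes but only 2 have arrived. */
enum frame_status demo_truncated(void)
{
    const uint8_t frame[] = { 0x00, 0x05, 'h', 'e' };
    uint8_t *p = NULL;
    size_t n = 0;
    return parse_frame(frame, sizeof frame, &p, &n);
}

int main(void)
{
    printf("oversized -> %d (expect %d)\n", demo_oversized(), FRAME_TOO_LARGE);
    printf("small     -> %zu bytes\n", demo_small());
    printf("truncated -> %d (expect %d)\n", demo_truncated(), FRAME_NEED_MORE);
    return 0;
}
```

The point of the ordering is that FRAME_TOO_LARGE is returned from the header alone; a caller that instead allocated the declared length first, or looped reading until it arrived, would let an unauthenticated peer pin memory or a worker for as long as it liked.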
Alan Jowett
8d1aa343b4 Ban score should always increase.
Resolves: #246

Signed-off-by: Alan Jowett <alanjo@microsoft.com>
2020-02-15 21:12:19 +01:00
Nikos Mavrogiannopoulos
cd4aac2305 inih: updated to latest version
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
2020-02-07 22:43:51 +01:00
Nikos Mavrogiannopoulos
0402df11de config: avoid crash on invalid entries
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
2020-02-07 22:43:51 +01:00
Nikos Mavrogiannopoulos
a3fe249541 Merge branch 'tmp-add-openat' into 'master'
seccomp: allow openat()

Closes #185

See merge request openconnect/ocserv!123
2019-12-17 15:05:27 +00:00
Nikos Mavrogiannopoulos
58836af0f3 seccomp: allow openat()
It seems some libc uses openat() directly when open()
is called.

Resolves: #185

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
2019-12-16 21:30:37 +01:00
Nikos Mavrogiannopoulos
55d5af2ebc check_multiple_users: do not account disconnected ones
When max-same-clients is set to 1 and a user re-using a cookie
connects, check_multiple_users() would prevent the user from
reconnecting. This corrects the issue by taking into account
only valid sessions that have not yet been disconnected.

Resolves: #223

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
2019-12-16 21:30:24 +01:00
Nikos Mavrogiannopoulos
935818346d seccomp: work around API breakage in libseccomp 2.4.2
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
2019-12-16 21:30:11 +01:00
Nikos Mavrogiannopoulos
714688879d maxmind: added license
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
2019-12-12 14:59:53 +01:00
Nikos Mavrogiannopoulos
f68a44e5fd Merge branch 'new-ua' into 'master'
Adapt UA detection for newer AnyConnect versions

See merge request openconnect/ocserv!121
2019-12-07 13:23:07 +00:00
Marcos Del Sol Vives
fa253b7741 Adapt UA detection for newer AnyConnect versions
Signed-off-by: Marcos Del Sol Vives <marcos@orca.pet>
2019-12-02 17:17:21 +01:00
Nikos Mavrogiannopoulos
4bcf29643d ocserv: added support for per-user split-dns directive
Resolves: #229

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
2019-11-17 11:06:47 +01:00
Leendert van Doorn
f73269175a AnyConnect clients expect a different verb (X-CSTP-DNS-IP6) for passing IPv6 DNS addresses.
Signed-off-by: Leendert van Doorn <leendert@paramecium.org>
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
2019-11-17 09:07:16 +01:00
Leendert van Doorn
e9b79254e7 Detect AnyConnect clients and allow IPV6 routes to be passed through.
Signed-off-by: Leendert van Doorn <leendert@paramecium.org>
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
2019-11-17 09:01:53 +01:00
Nikos Mavrogiannopoulos
960032e065 occtl: use maxminddb when available
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
2019-10-15 12:11:17 +02:00
Trond Endrestøl
aa07f183f2 FreeBSD tun(4)
FreeBSD has a mechanism by which a tunnel has a single controlling process,
and only that one process may close the tunnel.

Kyle Evans of the FreeBSD Project authored these changes.

See issue 213.

Signed-off-by: Trond Endrestøl <trond.endrestol@ximalas.info>
2019-10-02 14:00:26 +00:00
Lele Long
17ed47488d Add udp-listen-host option for DTLS
This option supports different listen addresses for tcp and udp, such as
haproxy for tcp while still supporting dtls at the same time (haproxy
does not support UDP at the moment)
2019-09-30 09:01:55 +08:00
Nikos Mavrogiannopoulos
c6b24c1898 http-parser: updated to latest version
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
2019-09-26 23:25:41 +02:00
Nikos Mavrogiannopoulos
708147d60a ocserv: addressed gcc9 warnings
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
2019-09-26 23:25:14 +02:00
Nikos Mavrogiannopoulos
92b5db7b26 occtl: fix json in show status
This removes a trailing comma from the end of the listing, and
adds a missing one.

Resolves: #220

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
2019-09-25 20:37:16 +02:00
Nikos Mavrogiannopoulos
9d7339f317 Perform quicker cleanup of sessions whose user explicitly disconnected
When a user explicitly disconnects after the session is open,
clean up its entry immediately. That ensures that a radius
server will be notified sooner, while anyconnect clients which
disconnect early (before the session is open) remain unaffected.

Resolves: #210

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
2019-07-01 21:57:08 +02:00
Nikos Mavrogiannopoulos
a1b8d0794a ocpasswd: address memory leaks
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
2019-07-01 21:34:03 +02:00
Nikos Mavrogiannopoulos
ee2f5e8c05 remove_proc: remove script watcher from libev list
This ensures that libev will not be notified about already
terminated and handled scripts.

Resolves: #208

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
2019-07-01 15:04:18 +02:00
Alexey Dotsenko
97592426ce radius (challenge-response): add MAX_CHALLENGES macro as a limit of password requests
max-challenge configuration option removed as redundant; replaced by static constraint
via MAX_CHALLENGES macro

radius (challenge-response): remove max-challenge configuration parameter

Signed-off-by: Alexey Dotsenko <lex@rwx.su>
2019-06-24 17:26:27 +03:00
Alexey Dotsenko
283daffc1a radius: add access-challenge (multifactor) authentication
Skip banning each subsequent OTP for modules with the allows_retries option:

sec_mod_auth: add a check whether the repeated password or the password of the
following factor is entered

radius: passwd_count incrementing is related to an auth-message change

sec-mod-auth: set more descriptive name for password-retries indicator

Signed-off-by: Alexey Dotsenko <lex@rwx.su>
2019-06-24 16:10:25 +03:00
Nikos Mavrogiannopoulos
5d226c4f32 ocserv: create its own process group
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
2019-06-03 22:31:16 +02:00
Nikos Mavrogiannopoulos
72921e5cbf radius: parse_groupnames: avoid overflow in group parsing
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
2019-06-03 22:10:06 +02:00
Nikos Mavrogiannopoulos
03c76eb873 worker: workarounds string is made applicable for gnutls 3.3
The %NO_SESSION_HASH priority string does not work with gnutls 3.3.
This fix does not include it in the priority string.

Resolves: #201

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
2019-03-12 12:02:24 +01:00
Frank Huang
d3cb2e8f53 Fix the bug of "ocserv-worker: segfault at 0 ip b76d6747 sp bf851c70", https://gitlab.com/openconnect/ocserv/issues/197
It must be that some caller does not add extra size for the null at the end

Signed-off-by: Frank Huang <chuang213@gmail.com>
2019-02-17 08:12:42 +00:00
Nikos Mavrogiannopoulos
2d42c22919 main: removed unused code
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
2019-01-31 07:57:37 +01:00
Nikos Mavrogiannopoulos
8ba3987f4c occtl: print the TLS session information, even if no DTLS channel
This ensures that the main process receives the TLS channel information
early and does not depend on DTLS channel establishment. Furthermore,
we refactor to make setup_dtls_psk_keys() fail early when no TLS channel
is available.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
2019-01-19 20:09:53 +01:00
Nikos Mavrogiannopoulos
e0f847b984 worker: added safety check for selected DTLS ciphersuite prior to use
This avoids a crash when no DTLS ciphersuite is selected and adds a
test case for negotiation without DTLS.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
2019-01-19 18:19:11 +01:00
Nikos Mavrogiannopoulos
71ef4e4b6a worker: allow negotiating AC-DTLS12 with openconnect
This doesn't have the anyconnect client bug with parsing the
server hello.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
2019-01-19 18:19:11 +01:00
Nikos Mavrogiannopoulos
19cbf2db98 Makefile: allow out-of-tree builds with bundled protobuf
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
2019-01-10 19:54:38 +01:00
Nikos Mavrogiannopoulos
c02320ee50 worker-http: use the same workaround string for all ciphersuites
Resolves #193

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
2019-01-10 19:11:22 +01:00
Nikos Mavrogiannopoulos
ec5ebd33a4 setup_dtls0_9_keys: renamed and updated log messages for clarity
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
2019-01-10 13:03:03 +01:00
Nikos Mavrogiannopoulos
21bebfff41 worker-http: dropped txt_version
All the versions checked were prior to the minimum gnutls
version we require.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
2019-01-10 13:03:03 +01:00
Nikos Mavrogiannopoulos
acdd6d156b worker-http: added support for anyconnect DTLS1.2 ciphersuites
This adds support for DTLS1.2 ciphersuite header as sent by anyconnect
clients.

Resolves #188
Resolves #193

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
2019-01-10 13:02:40 +01:00
Nikos Mavrogiannopoulos
923f697014 cfg_ini_handler: notify static analyzers that defvhost is always non-null
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
2019-01-06 20:07:53 +01:00
Nikos Mavrogiannopoulos
c1cb9c02f9 Merge branch 'add-logging-ipv6' into 'master'
Add logging output when IPv6 is disabled.

See merge request openconnect/ocserv!90
2018-11-19 05:42:43 +00:00
pumpkin031
34b39d213c Add logging output when IPv6 is disabled.
Signed-off-by: pumpkin031 <www.carrotsoft@gmail.com>
2018-11-19 10:04:29 +09:00
Nikos Mavrogiannopoulos
d4a4e780fc plain: skip the empty group
Previously we were incorrectly setting the '*' as the group name.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
2018-11-18 21:06:24 +01:00
Nikos Mavrogiannopoulos
63479d6394 sec-mod: log successful authentication
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
2018-11-18 21:06:24 +01:00