Commit Graph

118 Commits

Author SHA1 Message Date
Nikos Mavrogiannopoulos
35b9d4364d improved log messages and levels 2015-04-25 10:10:36 +02:00
Nikos Mavrogiannopoulos
adc8473328 chroot_dir, occtl_socket_file and socket_file_prefix were moved to permanent config options 2015-03-03 11:50:48 +01:00
Nikos Mavrogiannopoulos
cc16a65819 separated permanent configuration options from the reloaded ones 2015-03-02 13:18:52 +01:00
Nikos Mavrogiannopoulos
4eafc3c847 client stats are conveyed to master through sec-mod
That way both can keep a more accurate picture of user statistics.
2015-02-27 22:33:58 +01:00
Nikos Mavrogiannopoulos
fa55722897 connects and disconnects to main are logged with LOG_INFO 2015-02-27 21:37:12 +01:00
Nikos Mavrogiannopoulos
7a675ff5e2 When sending BAN IP messages to main receive a reply on whether further actions should continue
That allows to BAN a user even during an open connection.
2015-02-25 20:08:51 +01:00
Nikos Mavrogiannopoulos
0aa2c86f08 Added points in KKDCP connections to prevent DoS attacks. 2015-02-25 14:31:21 +01:00
Nikos Mavrogiannopoulos
3222cedb99 simplify the communication between main and sec-mod 2015-02-25 10:33:25 +01:00
Nikos Mavrogiannopoulos
5f1f0ce87e reduced level of command socket closed error 2015-02-19 15:27:52 +01:00
Nikos Mavrogiannopoulos
afef74fa23 removed the certificate[optional] auth type 2015-02-19 11:47:20 +01:00
Nikos Mavrogiannopoulos
3d55134215 when opening a session forward the received cookie to sec-module
That allows to verify that the cookie hasn't been tampered
without relying only on the MAC.
2015-02-12 21:44:32 +01:00
Nikos Mavrogiannopoulos
38206d6e93 eliminate double books for session expiration
Session expiration is now handled only by security
module. That simplifies the logic significantly.
2015-02-09 11:25:48 +01:00
Nikos Mavrogiannopoulos
ee81ffa10d when we detect user disconnection, set the proper expiration time on their cookies 2015-02-09 10:07:46 +01:00
Nikos Mavrogiannopoulos
bcea928abe Added support for no-routes (X-Split-Exclude) 2015-02-06 14:05:10 +01:00
Nikos Mavrogiannopoulos
6f714d6f2e report the compression algorithms to occtl 2015-01-15 19:04:43 +01:00
Nikos Mavrogiannopoulos
406c171069 avoid repeating username in logs 2015-01-11 12:28:01 +01:00
Nikos Mavrogiannopoulos
04ec372f4f save MTU in main, and report it to occtl 2015-01-11 10:34:13 +01:00
Nikos Mavrogiannopoulos
9fc8568107 ensure that stats are only updated if they increase
That is, transferred bytes will not decrease in an update
due to miscommunication between main and workers.
2014-12-14 20:00:33 +01:00
Nikos Mavrogiannopoulos
07e01d06b5 use strlcpy() instead of snprintf() where it makes sense
That should reduce wasted cycles.
2014-12-14 19:24:14 +01:00
Nikos Mavrogiannopoulos
853f7876cd radius: increase the info sent during accounting requests
Based on suggestions by Niels Peen. That adds:
Calling-Station-Id in auth message, and Service-Type,
Framed-Protocol, Framed-IP-Address, Acct-Authentic,
NAS-Port-Type, Acct-Session-Time in acct messages.
2014-12-14 15:03:59 +01:00
Nikos Mavrogiannopoulos
baa3e4701e Supplementary configuration is now read by the security module.
That allows sec-mod to handle both authentication and accounting.
That deprecates the session-control configuration option.
2014-12-08 13:52:28 +01:00
Nikos Mavrogiannopoulos
7abfb3e800 call disconnect script only if the user was on connected state 2014-12-02 08:34:20 +01:00
Nikos Mavrogiannopoulos
53005a2cfd use hash tables to locate proc entries
That would avoid a walk on all connected clients, when a
new UDP session starts.
2014-10-27 15:01:05 +01:00
Nikos Mavrogiannopoulos
ef7fb7d594 Revert "use force_close() on server to avoid descriptor leaks"
This reverts commit f622f6696c.
2014-10-02 09:36:22 +02:00
Nikos Mavrogiannopoulos
1cb35b8b09 use more reasonable names to open and close a session 2014-09-25 16:41:54 +02:00
Nikos Mavrogiannopoulos
30bcf35576 Revert "license upgraded to GPLv3"
This reverts commit 213f9a63ee.

Conflicts:
	configure.ac
2014-09-24 11:34:15 +02:00
Nikos Mavrogiannopoulos
f622f6696c use force_close() on server to avoid descriptor leaks 2014-09-21 01:40:36 +02:00
Nikos Mavrogiannopoulos
a8b32ed8f0 ensure that in all cases the tun fd is closed 2014-09-21 01:35:50 +02:00
Nikos Mavrogiannopoulos
28dca2aa0c Added support for session control (relevant for PAM for now)
That in effect will utilize the pam_open_session() and pam_close_session().
It is disabled by default as it requires more resources from the security module.
2014-06-10 15:16:40 +02:00
Brian Chu
de0388a3f7 Fix tun device usage on *BSD.
SIOCSIFADDR is deprecated on *BSD. Instead, use SIOCAIFADDR to
add an alias. Also destroy the tun device with SIOCIFDESTROY when
the client disconnects.
2014-06-02 11:49:08 +02:00
Nikos Mavrogiannopoulos
264114e799 doc update 2014-06-02 09:33:26 +02:00
Nikos Mavrogiannopoulos
e5c60a7a44 Limit the number of TLS resumption requests to one. 2014-05-28 10:32:35 +02:00
Nikos Mavrogiannopoulos
0f0cf31a79 zeroize cookies and TLS session data after read. 2014-05-28 10:11:17 +02:00
Nikos Mavrogiannopoulos
25fbdfbf70 Keep track of cookies internally.
That allows to restrict the cookie validity time to the absolutely minimum
required to establish and reconnect a recently disconnected session.
That deprecates the cookie-validity option and introduces the cookie-timeout
option.
2014-05-27 16:00:57 +02:00
Nikos Mavrogiannopoulos
7ba0fffb07 Added the configuration option deny-roaming.
That required moving the read of the group configuration during the
cookie authentication phase.
2014-05-25 10:17:28 +02:00
Nikos Mavrogiannopoulos
213f9a63ee license upgraded to GPLv3 2014-05-23 11:50:56 +02:00
Nikos Mavrogiannopoulos
d99c527758 memory reorganization in sec-mod.
It no longer relies on main pool, it uses its own pool.
In addition the DEBUG_LEAKS definition was added to allow debugging
leaks.
2014-05-15 16:44:43 +02:00
Nikos Mavrogiannopoulos
739a2126d0 Clean-up all memory on deinitialization of sec-mod and worker.
That will allow to easier spot any unintentional memory leaks.
2014-05-15 15:36:03 +02:00
Nikos Mavrogiannopoulos
e7171ac859 Supplementary group/user configuration is now modular.
That will ease the addition of other backends that can be used to
read the user/group configuration. The only backend supported now
is file.
2014-05-15 11:36:30 +02:00
Nikos Mavrogiannopoulos
53f3129da9 Authentication modules were moved to subdirectory auth/ 2014-05-14 14:35:50 +02:00
Nikos Mavrogiannopoulos
788560b9ce Added default-user-config and default-group-config configuration options.
These allow setting a configuration file that will be loaded if a
user-specific or group-specific configuration file isn't found.
2014-05-14 13:27:51 +02:00
Nikos Mavrogiannopoulos
09704b8819 Password authentication is now delegated to sec-mod.
That prevents any memory from the authentication modules to be leaked
to a worker process. As a result, the status zombie and dead no longer
exists.
2014-05-14 11:37:01 +02:00
Nikos Mavrogiannopoulos
df7b124df4 include malloc.h when needed. 2014-05-13 21:19:56 +02:00
Nikos Mavrogiannopoulos
07559df432 Corrected the removal of socket files in chrooted environment.
In addition remove the occtl_socket_file.
2014-05-12 11:14:53 +02:00
Nikos Mavrogiannopoulos
929bf5e211 Fixes in talloc usage in occtl in combination with readline. 2014-05-09 16:52:16 +02:00
Nikos Mavrogiannopoulos
969e684960 Use talloc() for all allocations to reduce the possibility of memory leaks. 2014-05-09 16:13:11 +02:00
Nikos Mavrogiannopoulos
2a0cc77c2e Export TUN device statistics from the worker process.
When a worker process terminates in authenticated state, then
export statistics from the tun device (currently bytes_in and
bytes_out). These statistics are sent to main process using an
informational message just prior to process exit. The statistics
are also exported to the disconnect script using the STATS_BYTES_IN
and STATS_BYTES_OUT environment variables.
2014-04-28 17:32:51 +02:00
Nikos Mavrogiannopoulos
62110975a7 Revert "Delay the cleanup of resources of a worker if a disconnect script is set."
This reverts commit 7e0ee385c2.
2014-04-16 12:00:16 +02:00
Nikos Mavrogiannopoulos
e6364e8e52 Revert "When a disconnect script is set, the main process will close the tun device on client exit."
This reverts commit e50051b435.
2014-04-15 10:33:53 +02:00
Nikos Mavrogiannopoulos
bec93731eb Simplified group configuration file loading. 2014-04-14 13:40:37 +02:00