Commit Graph

2768 Commits

Author SHA1 Message Date
Nikos Mavrogiannopoulos
37f8ebc8c9 tests: added unit test for proxy protocol v1
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
2017-03-28 08:15:35 +02:00
Nikos Mavrogiannopoulos
0c18e122e6 tests: added check for proxy protocol v1
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
2017-03-28 08:11:53 +02:00
Nikos Mavrogiannopoulos
18fa25fea2 doc update
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
2017-03-28 08:08:49 +02:00
Nikos Mavrogiannopoulos
a45f358af3 worker: added support for proxy protocol v1
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
2017-03-28 08:08:45 +02:00
Nikos Mavrogiannopoulos
fa3dad2e37 doc: document limitations of listen-clear-file
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
2017-03-25 19:55:46 +01:00
Nikos Mavrogiannopoulos
de0823f01e worker-proxyproto: improved error message
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
2017-03-24 20:07:49 +01:00
Nikos Mavrogiannopoulos
83bea71e38 tests: added unit test for cstp_recv_nb()
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
2017-03-24 20:07:47 +01:00
Nikos Mavrogiannopoulos
0792d7a135 cstp_recv_nb: improve operation under receiving from UNIX socket
That is, ensure that all possible packet size combinations are
correctly received.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
2017-03-24 19:07:51 +01:00
Nikos Mavrogiannopoulos
50c551b56e tests: kerberos tests use F25
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
2017-03-23 09:33:14 +01:00
Nikos Mavrogiannopoulos
8e66136a1b tests: test-user-config: fixed check for 401 error
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
2017-03-23 09:28:43 +01:00
Nikos Mavrogiannopoulos
e8a07e402e Revert "cstp_recv_nb: improve operation under receiving from UNIX socket"
This reverts commit 409f114d9e.
2017-03-23 09:06:40 +01:00
Nikos Mavrogiannopoulos
fa00c52809 doc update
2017-03-20 09:28:01 +01:00
Nikos Mavrogiannopoulos
9938056f6c Disable DTLS-PSK protocol when run under a unix socket
It is not possible to derive PSK keys when only the TCP CSTP session
is available, without the TLS session.

Relates #22

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
2017-03-20 09:27:46 +01:00
Nikos Mavrogiannopoulos
409f114d9e cstp_recv_nb: improve operation under receiving from UNIX socket
That is, ensure that all possible packet size combinations are
correctly received.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
2017-03-20 08:20:40 +01:00
Nikos Mavrogiannopoulos
aa28f0b9d2 doc update
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
2017-03-11 21:27:32 +01:00
Nikos Mavrogiannopoulos
c1d86d5577 doc update
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
2017-02-23 10:06:37 +01:00
Nikos Mavrogiannopoulos
4d9cdf7610 worker-vpn: use TCP_INFO on linux to obtain accurate MTU information
This provides a more accurate value than the one obtained using the
TCP MSS value. The latter is affected by too many factors (such as tcp
options) to provide a reliable value.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
2017-02-23 10:05:45 +01:00
Nikos Mavrogiannopoulos
fdfad2fa7e worker-vpn: corrected calculation for MTU via TCP MSS
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
2017-02-22 22:01:49 +01:00
Nikos Mavrogiannopoulos
6986a97d12 tests: added missing file to dist files ocserv_0_11_7
2017-02-12 10:19:02 +01:00
Nikos Mavrogiannopoulos
996f6068be updated auto-generated files
2017-02-12 10:19:02 +01:00
Nikos Mavrogiannopoulos
d23215b584 bumped version
2017-02-12 10:19:02 +01:00
Nikos Mavrogiannopoulos
f2714d1950 occtl: added compatibility with the 0.11.6 output
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
2017-02-12 10:19:02 +01:00
Nikos Mavrogiannopoulos
c59cf15052 occtl: renamed cookie to session
That reflects more closely the actual use of the printed identifier.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
2017-02-12 10:19:02 +01:00
Nikos Mavrogiannopoulos
4bbf5129ee worker: do not log real session ID but rather the masked one
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
2017-02-12 10:19:02 +01:00
Nikos Mavrogiannopoulos
145ba5c14d Explicitly specify the protocol buffers syntax used in .proto files.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
2017-02-12 10:19:02 +01:00
Nikos Mavrogiannopoulos
cb60edcf84 sec-mod: Do not log any received invalid SID
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
2017-02-12 10:19:02 +01:00
Nikos Mavrogiannopoulos
12c4970c9e tests: removed firewall tests
These were no longer up-to-date and were not checking the provided
functionality.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
2017-02-06 01:54:48 +01:00
Nikos Mavrogiannopoulos
66f8b57af9 doc update
2017-01-29 15:54:54 +01:00
Nikos Mavrogiannopoulos
fdea01f4f5 Do not log the internal session ID nor re-use it in radius
Use instead a value derived from it, so that access to the debugging
log files, or to the radius result, does not give access to the server.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
2017-01-29 15:48:46 +01:00
Nikos Mavrogiannopoulos
3033591343 doc update [ci skip]
2017-01-29 15:29:51 +01:00
Nikos Mavrogiannopoulos
550599e098 doc update
2017-01-29 15:17:20 +01:00
Nikos Mavrogiannopoulos
bc6f3dc69c radius: use the reply message from server on rejection
That is, log it, and forward it to the worker process in order
to deliver it to the user.

Resolves #72

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
2017-01-29 15:17:17 +01:00
Nikos Mavrogiannopoulos
23189a177a auth: pam: minor cleanups
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
2017-01-28 15:59:04 +01:00
Nikos Mavrogiannopoulos
741f8b22da doc update
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
2017-01-28 15:25:28 +01:00
Nikos Mavrogiannopoulos
b3cbfbbcd5 tests: Added check for certificate alternative name checking
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
2017-01-28 15:23:17 +01:00
Johannes Sjøkvist
ae2fd78580 Add support for oid 2.5.29.17 RFC822Name
This is needed to be able to retrieve the email from the Subject
Alternative Name of the certificate.

Signed-off-by: Johannes Sjøkvist <johannes@konsept-it.no>
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
2017-01-28 15:04:20 +01:00
Nikos Mavrogiannopoulos
2f65c8c4e9 radius: removed error checking from rc_avpair_add()
When a dictionary misses an element, we would previously bail
out and not send any following value pairs. With that change
we ensure that we send as many value-pairs as are available
in the dictionary.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
2017-01-26 15:04:00 +01:00
Nikos Mavrogiannopoulos
3feec67070 worker: avoid sending an X-Reason header
HTTP/1.x allows sending any arbitrary reason we would like
after the error code. We now do that.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
2017-01-19 17:40:01 +01:00
Nikos Mavrogiannopoulos
43fb150de9 sec-mod: reduced level of error processing ... in worker commands
This was providing virtually no information since more specific
errors are typically printed prior to it.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
2017-01-19 17:36:04 +01:00
Nikos Mavrogiannopoulos
2e65196f1e doc update
2017-01-18 15:26:33 +01:00
Nikos Mavrogiannopoulos
2ceb0ffb47 radius-test: check whether the special IP values are handled
In particular we check whether 255.255.255.254 is correctly handled
and the expected IP is assigned to the client.
2017-01-18 15:26:31 +01:00
Nikos Mavrogiannopoulos
d2f07e7c70 tests: use fedora 25 for docker tests
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
2017-01-18 15:18:49 +01:00
Nikos Mavrogiannopoulos
3f87a93d38 radius: handle the special Framed-IP-Address values
That is, if 0xFFFFFFFF or 0xFFFFFFFE are given, ignore the value
and ensure the addresses are allocated from our pool.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
2017-01-18 15:18:35 +01:00
Nikos Mavrogiannopoulos
3d940695d8 Added contribution guide and require DCO
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
2017-01-10 16:52:18 +01:00
Nikos Mavrogiannopoulos
dc2994fd40 doc update
2017-01-10 15:06:25 +01:00
John Thiltges
7e3c628785 ocserv-fw should send all traffic to the device-specific forwarding chain
After adding port-specific rules to FORWARD and creating SEC_FORWARD_CHAIN
with route-specific rules, send any remaining FORWARD traffic to
SEC_FORWARD_CHAIN.
2017-01-09 15:45:22 -06:00
John Thiltges
fa65740a4c ocserv-fw should still create a chain if restrict-user-to-routes is set
ocserv-fw only creates SEC_FORWARD_CHAIN if ports are being blocked. This
leads to an error if restrict-user-to-routes is used without any port
blocking.

Since ocserv-fw is only called if restrict-user-to-routes or -ports is set,
remove the conditional check for creating the chain.
2017-01-09 12:28:19 -06:00
Nikos Mavrogiannopoulos
83f600afda worker: increase the waiting time of cookie auth message
This allows the connect-script to run for more time than
the default socket timeout, and be limited by the configured
authentication timeout ("auth-timeout").
2017-01-05 16:08:04 +00:00
Nikos Mavrogiannopoulos
176ba796c5 doc update
2017-01-04 16:24:57 +01:00
Nikos Mavrogiannopoulos
0b47b305de improved documentation of user-profile option
2017-01-04 16:20:57 +01:00