Nikos Mavrogiannopoulos
2473633b8d
Added cookie key rotation
2015-11-17 08:33:38 +01:00
Nikos Mavrogiannopoulos
65004a55df
Added configuration option tunnel-all-dns
2015-11-10 13:50:03 +01:00
Nikos Mavrogiannopoulos
0b8f4beb8b
Added user-specific configuration options dpd, mobile-dpd, keepalive, max-same-clients
2015-11-10 13:49:13 +01:00
Nikos Mavrogiannopoulos
40bd1550c1
ipv6: introduced ipv6-subnet-prefix config option
That option allows specifying the IPv6 subnet prefix to be given
to the client. That is, it allows providing the clients networks larger
than /128. Set the option to 128 to simulate the previous behavior
of ocserv.
2015-10-24 19:26:48 +02:00
Nikos Mavrogiannopoulos
0abc1ee2db
Allow overriding session-timeout from radius
2015-05-19 15:35:46 +02:00
Nikos Mavrogiannopoulos
046d1e65ea
set ipv6 prefix only if it is set
2015-05-11 19:25:45 +02:00
Nikos Mavrogiannopoulos
69181d0cf3
use a 127-bit prefix for IPv6 leases
2015-05-11 16:10:38 +02:00
Nikos Mavrogiannopoulos
df4425a7d2
radius: consider Acct-Interim-Interval by default
That can also be overridden by specifying 'override-interim-updates=true'
in the radius subconfig.
2015-05-05 11:24:34 +02:00
Nikos Mavrogiannopoulos
35b9d4364d
improved log messages and levels
2015-04-25 10:10:36 +02:00
Nikos Mavrogiannopoulos
18e50de9e8
fixed debugging message
2015-04-20 12:05:52 +02:00
Nikos Mavrogiannopoulos
f64e373084
worker: when receiving auth_cookie_reply from main update the SID
That fixes an issue where the worker didn't know its correct
SID, because (1) we didn't always send the SID as cookie - corrected in
the previous patch, and (2) openconnect client doesn't honour all cookies,
only the webvpnc one. In all cases it is more trustworthy to check our
view of the SID rather than rely on the cookie.
Resolves issue with stats not being transmitted to sec-module when
using certificate authentication.
2015-03-16 15:47:23 +01:00
Nikos Mavrogiannopoulos
87fe1747b8
call session_close only when session_open has succeeded
2015-03-14 19:19:41 +01:00
Nikos Mavrogiannopoulos
cc16a65819
separated permanent configuration options from the reloaded ones
2015-03-02 13:18:52 +01:00
Nikos Mavrogiannopoulos
fa55722897
connects and disconnects to main are logged with LOG_INFO
2015-02-27 21:37:12 +01:00
Nikos Mavrogiannopoulos
646b4ee1ec
main print username in new cookie session
2015-02-21 17:14:23 +01:00
Nikos Mavrogiannopoulos
afef74fa23
removed the certificate[optional] auth type
2015-02-19 11:47:20 +01:00
Nikos Mavrogiannopoulos
3d55134215
when opening a session forward the received cookie to sec-module
That allows verifying that the cookie hasn't been tampered with
without relying only on the MAC.
2015-02-12 21:44:32 +01:00
Nikos Mavrogiannopoulos
0d999f5424
Added failure codes for proc_table_add()
2015-02-10 18:36:40 +01:00
Nikos Mavrogiannopoulos
85483e98e8
added hash table to search via 'real' SID
2015-02-10 18:33:02 +01:00
Nikos Mavrogiannopoulos
38206d6e93
eliminate double books for session expiration
Session expiration is now handled only by security
module. That simplifies the logic significantly.
2015-02-09 11:25:48 +01:00
Nikos Mavrogiannopoulos
dcb7068c19
Before allowing the steal of leases, check that usernames match
2015-02-09 10:20:25 +01:00
Nikos Mavrogiannopoulos
ee81ffa10d
when we detect user disconnection, set the proper expiration time on their cookies
2015-02-09 10:07:46 +01:00
Nikos Mavrogiannopoulos
bcea928abe
Added support for no-routes (X-Split-Exclude)
2015-02-06 14:05:10 +01:00
Nikos Mavrogiannopoulos
406c171069
avoid repeating username in logs
2015-01-11 12:28:01 +01:00
Nikos Mavrogiannopoulos
07e01d06b5
use strlcpy() instead of snprintf() where it makes sense
That should reduce wasted cycles.
2014-12-14 19:24:14 +01:00
Nikos Mavrogiannopoulos
baa3e4701e
Supplementary configuration is now read by the security module.
That allows sec-mod to handle both authentication and accounting.
That deprecates the session-control configuration option.
2014-12-08 13:52:28 +01:00
Nikos Mavrogiannopoulos
8365449e9b
deprecated ipv6_netmask
2014-12-08 10:48:25 +01:00
Nikos Mavrogiannopoulos
141bc755ad
when generating the DTLS session ID set its size as well
2014-11-16 12:36:20 +01:00
Nikos Mavrogiannopoulos
78b3685f7a
Generate a new DTLS session ID on every cookie connection
That allows openconnect to distinguish when the DTLS key has switched.
2014-11-16 10:00:15 +01:00
Nikos Mavrogiannopoulos
53005a2cfd
use hash tables to locate proc entries
That would avoid a walk on all connected clients, when a
new UDP session starts.
2014-10-27 15:01:05 +01:00
Nikos Mavrogiannopoulos
1cb35b8b09
use more reasonable names to open and close a session
2014-09-25 16:41:54 +02:00
Nikos Mavrogiannopoulos
4674508188
override the user's group prior to opening the group configuration file
That prevented opening group configuration for users that had their
group in a certificate. Reported by Norbert Paschedag.
2014-09-25 12:17:03 +02:00
Nikos Mavrogiannopoulos
365ca267d4
added new authentication mode optional-certificate
That mode allows having only a specific group of users that are required
to present a certificate.
2014-09-24 12:41:31 +02:00
Nikos Mavrogiannopoulos
30bcf35576
Revert "license upgraded to GPLv3"
This reverts commit 213f9a63ee.
Conflicts:
configure.ac
2014-09-24 11:34:15 +02:00
Nikos Mavrogiannopoulos
265e723cdb
send the IPv6 netmask in a way compatible with cisco servers
2014-09-09 09:36:48 +02:00
Nikos Mavrogiannopoulos
c781bea7cd
user-profile is now allowed in per-user configuration
2014-07-31 14:57:09 +02:00
Nikos Mavrogiannopoulos
a144fde0e4
Eliminated the MAX_ROUTES requirement.
2014-06-25 10:05:34 +02:00
Nikos Mavrogiannopoulos
28dca2aa0c
Added support for session control (relevant for PAM for now)
That in effect will utilize the pam_open_session() and pam_close_session().
It is disabled by default as it requires more resources from the security module.
2014-06-10 15:16:40 +02:00
Nikos Mavrogiannopoulos
01db3e5817
Include the SID into the cookie and store it in proc_st.
2014-06-10 10:41:10 +02:00
Nikos Mavrogiannopoulos
98ed640258
more debug messages
2014-05-29 00:27:20 +02:00
Nikos Mavrogiannopoulos
3a18882a40
Store a hash of the client's cookie instead of the cookie itself.
That ensures that the cookies cannot be leaked from the server.
On a hash collision, the IP of the other cookie in use will be
hijacked.
2014-05-28 10:13:08 +02:00
Nikos Mavrogiannopoulos
25fbdfbf70
Keep track of cookies internally.
That allows restricting the cookie validity time to the absolute minimum
required to establish and reconnect a recently disconnected session.
That deprecates the cookie-validity option and introduces the cookie-timeout
option.
2014-05-27 16:00:57 +02:00
Nikos Mavrogiannopoulos
7ba0fffb07
Added the configuration option deny-roaming.
That required moving the read of the group configuration during the
cookie authentication phase.
2014-05-25 10:17:28 +02:00
Nikos Mavrogiannopoulos
213f9a63ee
license upgraded to GPLv3
2014-05-23 11:50:56 +02:00
Nikos Mavrogiannopoulos
28943341db
Added the proxy-url option to allow sending a proxy URL.
This corresponds to the X-CSTP-MSIE-Proxy-Pac-URL CSTP header.
2014-05-23 11:04:30 +02:00
Nikos Mavrogiannopoulos
6dcc9acf77
Restrict cookies to a single IP address.
2014-05-21 16:19:07 +02:00
Nikos Mavrogiannopoulos
6ca3c4761c
Cookies are packed using protocol buffers to reduce their size.
2014-05-21 16:11:05 +02:00
Nikos Mavrogiannopoulos
68c4b2371b
Renamed main-auth.h.
2014-05-15 11:39:02 +02:00
Nikos Mavrogiannopoulos
53f3129da9
Authentication modules were moved to subdirectory auth/
2014-05-14 14:35:50 +02:00
Nikos Mavrogiannopoulos
09704b8819
Password authentication is now delegated to sec-mod.
That prevents any memory from the authentication modules from being leaked
to a worker process. As a result, the statuses zombie and dead no longer
exist.
2014-05-14 11:37:01 +02:00