Commit Graph

853 Commits

Author SHA1 Message Date
Nikos Mavrogiannopoulos
5759032ef9 worker: only check for friendly names, if there are any 2014-05-29 00:14:28 +02:00
Nikos Mavrogiannopoulos
d11d8ae47c increased the maintenance time to 15 mins 2014-05-28 10:56:03 +02:00
Nikos Mavrogiannopoulos
3dd67c3f19 inline revive_cookie() 2014-05-28 10:48:27 +02:00
Nikos Mavrogiannopoulos
9eb68a381a No need for safe_memset() of the cookie hash. 2014-05-28 10:34:26 +02:00
Nikos Mavrogiannopoulos
e5c60a7a44 Limit the number of TLS resumption requests to one. 2014-05-28 10:32:35 +02:00
Nikos Mavrogiannopoulos
3a18882a40 Store a hash of the client's cookie instead of the cookie itself.
That ensures that the cookies cannot be leaked from the server.
On a hash collision, the IP of the other cookie in use will be
hijacked.
2014-05-28 10:13:08 +02:00
Nikos Mavrogiannopoulos
0f0cf31a79 zeroize cookies and TLS session data after read. 2014-05-28 10:11:17 +02:00
Nikos Mavrogiannopoulos
7ccdba8234 doc update 2014-05-27 16:04:53 +02:00
Nikos Mavrogiannopoulos
aaa06e3157 TLS sessions expire at the cookie timeout. 2014-05-27 16:01:14 +02:00
Nikos Mavrogiannopoulos
a872850b1e better printing of module name. 2014-05-27 16:01:09 +02:00
Nikos Mavrogiannopoulos
68071646c6 Report the number of active cookies and TLS resumed sessions to occtl 2014-05-27 16:01:03 +02:00
Nikos Mavrogiannopoulos
25fbdfbf70 Keep track of cookies internally.
That allows restricting the cookie validity time to the absolute minimum
required to establish and reconnect a recently disconnected session.
That deprecates the cookie-validity option and introduces the cookie-timeout
option.
2014-05-27 16:00:57 +02:00
Nikos Mavrogiannopoulos
a2728265b3 corrected safe_memset() of expired sessions. 2014-05-27 15:59:22 +02:00
Nikos Mavrogiannopoulos
01211c610c Allow memset of zero 2014-05-27 15:58:12 +02:00
Nikos Mavrogiannopoulos
0586e4c5fa Simplified the TLS hash table initialization. 2014-05-27 15:00:13 +02:00
Nikos Mavrogiannopoulos
8c82e8c96c Overwrite TLS session data prior to release. 2014-05-27 14:56:30 +02:00
Nikos Mavrogiannopoulos
b4fcf4df82 use macros for reason messages 2014-05-27 11:00:30 +02:00
Nikos Mavrogiannopoulos
2e1c1bb29f require the certificate to be present on the sec-mod session initialization. 2014-05-27 10:46:16 +02:00
Nikos Mavrogiannopoulos
cdddc3df0a Better HTTP error messages. 2014-05-27 10:45:28 +02:00
Joerg Mayer
d879c9761a ocserv: Fix out of tree builds
Signed-off-by: Joerg Mayer <jmayer@loplof.de>
2014-05-27 09:32:29 +02:00
Nikos Mavrogiannopoulos
b5d5e3cb36 do not deny roaming by default 2014-05-26 13:04:16 +02:00
Nikos Mavrogiannopoulos
7e06e1acfb Return 401 error on cookie authentication failure. 2014-05-25 18:50:43 +02:00
Nikos Mavrogiannopoulos
7ba0fffb07 Added the configuration option deny-roaming.
That required moving the read of the group configuration during the
cookie authentication phase.
2014-05-25 10:17:28 +02:00
Nikos Mavrogiannopoulos
78132e2a6d Added auto group listing on PAM authentication as well.
In addition a configuration option to print group IDs over a
certain number was added.
2014-05-23 16:36:48 +02:00
Nikos Mavrogiannopoulos
d3f701fba5 ensure that the group table isn't overflowed. 2014-05-23 16:01:26 +02:00
Nikos Mavrogiannopoulos
213f9a63ee license upgraded to GPLv3 2014-05-23 11:50:56 +02:00
Nikos Mavrogiannopoulos
8eec409803 remove const from temp variables. 2014-05-23 11:43:08 +02:00
Nikos Mavrogiannopoulos
de50dd413b Better auth log messages. 2014-05-23 11:36:37 +02:00
Nikos Mavrogiannopoulos
978e89c53f re-use the string replace API for route add/del replacements. 2014-05-23 11:36:37 +02:00
Nikos Mavrogiannopoulos
d51a7cb7e7 re-use the string replace API for route add/del replacements. 2014-05-23 11:32:07 +02:00
Nikos Mavrogiannopoulos
57d848d228 The replaced keywords were put into brackets. 2014-05-23 11:19:42 +02:00
Nikos Mavrogiannopoulos
92565e1f5d check for allocation error in custom header replacement. 2014-05-23 11:11:42 +02:00
Nikos Mavrogiannopoulos
0a1f5f0f55 The custom header option allows %U and %G. 2014-05-23 11:07:39 +02:00
Nikos Mavrogiannopoulos
28943341db Added the proxy-url option to allow sending a proxy URL.
This corresponds to the X-CSTP-MSIE-Proxy-Pac-URL CSTP header.
2014-05-23 11:04:30 +02:00
Nikos Mavrogiannopoulos
2276acf57b limit the cookie validity time to 3 hours in the configuration examples. 2014-05-22 13:48:09 +02:00
Nikos Mavrogiannopoulos
6dcc9acf77 Restrict cookies to a single IP address. 2014-05-21 16:19:07 +02:00
Nikos Mavrogiannopoulos
6ca3c4761c Cookies are packed using protocol buffers to reduce their size. 2014-05-21 16:11:05 +02:00
Nikos Mavrogiannopoulos
8ba0d563f0 Do not call close() twice. Issue spotted by coverity. 2014-05-21 14:54:18 +02:00
Nikos Mavrogiannopoulos
11a78970bb Correctly check for network name. Issue spotted using coverity. 2014-05-21 14:52:10 +02:00
Nikos Mavrogiannopoulos
e027dfd422 Corrected check for group list sending to client. 2014-05-21 14:48:19 +02:00
Nikos Mavrogiannopoulos
fce30e0513 doc update 2014-05-21 14:37:50 +02:00
Nikos Mavrogiannopoulos
0ed82312e9 Allow an empty friendly_group_list (in auto-select-group). 2014-05-21 14:23:02 +02:00
Nikos Mavrogiannopoulos
fbdcaa82ca Make pid-file an array to avoid issues with memory allocation. 2014-05-21 14:16:00 +02:00
Nikos Mavrogiannopoulos
5b8b3b1aa7 When a client has already selected a group, re-order our group selection form.
This is required by some Anyconnect clients and the openconnect android app.
2014-05-21 12:40:05 +02:00
Nikos Mavrogiannopoulos
177c1c95bd Allow aliases to group names. 2014-05-21 12:25:26 +02:00
Nikos Mavrogiannopoulos
7153ea8ea7 more precise usage of MAX_*_SIZE definitions. 2014-05-21 06:21:34 +02:00
Kevin Cernekee
8e67f959ed Add missing GnuTLS header file
sec-mod.h now uses gnutls_privkey_t, so include <gnutls/abstract.h> to
fix this error:

      CC       main-misc.o
    In file included from main-misc.c:43:0:
    ./sec-mod.h:31:2: error: unknown type name ‘gnutls_privkey_t’
      gnutls_privkey_t *key;
      ^
2014-05-21 06:17:09 +02:00
Nikos Mavrogiannopoulos
7133a1cf1b mention the occtl tool instead of who -u 2014-05-20 17:49:12 +02:00
Nikos Mavrogiannopoulos
b6531feee8 Corrected certificate generation instructions. 2014-05-20 15:50:11 +02:00
Nikos Mavrogiannopoulos
5af82e9ff4 fixed unescape code. 2014-05-20 15:50:09 +02:00