Commit Graph

91 Commits

Author SHA1 Message Date
Nikos Mavrogiannopoulos
5fa95fe9e7 send session information from worker to parent twice
That allows accounting for changes after DTLS is established (e.g.,
sending the DTLS ciphersuite name).
2014-10-27 23:49:33 +01:00
Nikos Mavrogiannopoulos
53005a2cfd use hash tables to locate proc entries
That would avoid a walk on all connected clients, when a
new UDP session starts.
2014-10-27 15:01:05 +01:00
Nikos Mavrogiannopoulos
1cb35b8b09 use more reasonable names to open and close a session 2014-09-25 16:41:54 +02:00
Nikos Mavrogiannopoulos
4ea5a56ace Allow the CSTP layer to operate without TLS
That also introduces a unix domain socket under which connections to the
server can occur.
2014-09-23 16:08:29 +02:00
Nikos Mavrogiannopoulos
a8b32ed8f0 ensure that in all cases the tun fd is closed 2014-09-21 01:35:50 +02:00
Nikos Mavrogiannopoulos
817f757577 after fork restore the default signal mask 2014-08-22 15:23:16 +02:00
Nikos Mavrogiannopoulos
28dca2aa0c Added support for session control (relevant for PAM for now)
That in effect will utilize pam_open_session() and pam_close_session().
It is disabled by default as it requires more resources from the security module.
2014-06-10 15:16:40 +02:00
Nikos Mavrogiannopoulos
01db3e5817 Include the SID into the cookie and store it in proc_st. 2014-06-10 10:41:10 +02:00
Brian Chu
de0388a3f7 Fix tun device usage on *BSD.
SIOCSIFADDR is deprecated on *BSD. Instead, use SIOCAIFADDR to
add an alias. Also destroy the tun device with SIOCIFDESTROY when
the client disconnects.
2014-06-02 11:49:08 +02:00
Nikos Mavrogiannopoulos
1e48d0d0de main: removed the inactive ban_list. 2014-05-29 00:20:13 +02:00
Nikos Mavrogiannopoulos
e5c60a7a44 Limit the number of TLS resumption requests to one. 2014-05-28 10:32:35 +02:00
Nikos Mavrogiannopoulos
3a18882a40 Store a hash of the client's cookie instead of the cookie itself.
That ensures that the cookies cannot be leaked from the server.
On a hash collision, the IP of the other cookie in use will be
hijacked.
2014-05-28 10:13:08 +02:00
Nikos Mavrogiannopoulos
25fbdfbf70 Keep track of cookies internally.
That allows restricting the cookie validity time to the absolute minimum
required to establish and reconnect a recently disconnected session.
That deprecates the cookie-validity option and introduces the cookie-timeout
option.
2014-05-27 16:00:57 +02:00
Nikos Mavrogiannopoulos
0586e4c5fa Simplified the TLS hash table initialization. 2014-05-27 15:00:13 +02:00
Nikos Mavrogiannopoulos
d51a7cb7e7 re-use the string replace API for route add/del replacements. 2014-05-23 11:32:07 +02:00
Nikos Mavrogiannopoulos
6ca3c4761c Cookies are packed using protocol buffers to reduce their size. 2014-05-21 16:11:05 +02:00
Nikos Mavrogiannopoulos
4755ee48c5 Added the select-group and auto-select-group config options.
These options allow prompting the user for a group prior to login.
That in addition enhances the password file format, and multiple groups
can be specified as a comma-separated list, as:
user:group1,group2,group3:$5$encodedpassword
2014-05-19 18:25:25 +02:00
Nikos Mavrogiannopoulos
d99c527758 memory reorganization in sec-mod.
It no longer relies on the main pool; it uses its own pool.
In addition the DEBUG_LEAKS definition was added to allow debugging
leaks.
2014-05-15 16:44:43 +02:00
Nikos Mavrogiannopoulos
739a2126d0 Clean-up all memory on deinitialization of sec-mod and worker.
That will make it easier to spot any unintentional memory leaks.
2014-05-15 15:36:03 +02:00
Nikos Mavrogiannopoulos
e7171ac859 Supplementary group/user configuration is now modular.
That will ease the addition of other backends that can be used to
read the user/group configuration. The only backend supported now
is file.
2014-05-15 11:36:30 +02:00
Nikos Mavrogiannopoulos
09704b8819 Password authentication is now delegated to sec-mod.
That prevents any memory from the authentication modules from being leaked
to a worker process. As a result, the zombie and dead statuses no longer
exist.
2014-05-14 11:37:01 +02:00
Nikos Mavrogiannopoulos
07559df432 Corrected the removal of socket files in a chrooted environment.
In addition, remove the occtl_socket_file.
2014-05-12 11:14:53 +02:00
Nikos Mavrogiannopoulos
5e3afb92ad eliminate the need for a worker_pool variable in main_server_st. 2014-05-12 10:51:18 +02:00
Nikos Mavrogiannopoulos
41561567b5 status cmd will report the server uptime 2014-05-10 23:12:37 +02:00
Nikos Mavrogiannopoulos
969e684960 Use talloc() for all allocations to reduce the possibility of memory leaks. 2014-05-09 16:13:11 +02:00
Nikos Mavrogiannopoulos
71104b36a3 Added support for unix sockets for the occtl communication.
D-BUS support is left, but is not enabled by default.
2014-05-07 13:54:58 +02:00
Nikos Mavrogiannopoulos
2a0cc77c2e Export TUN device statistics from the worker process.
When a worker process terminates in the authenticated state, export
statistics from the tun device (currently bytes_in and
bytes_out). These statistics are sent to the main process using an
informational message just prior to process exit. The statistics
are also exported to the disconnect script using the STATS_BYTES_IN
and STATS_BYTES_OUT environment variables.
2014-04-28 17:32:51 +02:00
Nikos Mavrogiannopoulos
62110975a7 Revert "Delay the cleanup of resources of a worker if a disconnect script is set."
This reverts commit 7e0ee385c2.
2014-04-16 12:00:16 +02:00
Nikos Mavrogiannopoulos
7e0ee385c2 Delay the cleanup of resources of a worker if a disconnect script is set.
In that case use the intermediate state PS_AUTH_DEAD to delay the
release of resources for a few seconds. That would allow the disconnect
script to gather any required statistics from the device, IPs, etc.
2014-04-12 21:29:14 +02:00
Nikos Mavrogiannopoulos
6410f6864c The tun device will be closed only after the disconnect script has been called.
This allows gathering statistics from it. In addition, the behavior of
script calling was changed, and it will now always contain the IP information.
2014-04-12 12:44:13 +02:00
Nikos Mavrogiannopoulos
991455065f simplified handling of CISCO reconnecting clients.
Instead of having a client use the initial SID over and over,
re-set the SID cookie during authentication when needed. That
way we avoid having expensive checks to ensure uniqueness of the SID.
2014-02-16 22:47:45 +01:00
Nikos Mavrogiannopoulos
404d831c35 better definition names. 2014-01-19 09:49:46 +01:00
Nikos Mavrogiannopoulos
0ed6332e09 mslog_hex() will allow printing values encoded in base64. 2014-01-19 09:21:48 +01:00
Nikos Mavrogiannopoulos
9d2b10de22 Use base64 to encode Cookies. That reduces the size of the cookie. 2014-01-19 09:14:11 +01:00
Nikos Mavrogiannopoulos
baf12348d4 Added proc_st status PS_AUTH_FAILED to prevent users that failed authentication from leaving a zombie proc_st. 2014-01-19 04:14:56 +01:00
Nikos Mavrogiannopoulos
b9fe6b6263 instead of using the TLS session ID as session identifier prior to authentication use the webvpncontext cookie. 2014-01-19 02:59:04 +01:00
Nikos Mavrogiannopoulos
b1af6f2829 enabling cisco-client-compat allows 'stealing' of processes.
This change puts a proc_st whose client has terminated into a "zombie"
state. That state will allow a client that connects later using the
same TLS session ID to reclaim it. That way clients that try to authenticate
by sending their credentials in different sessions can still authenticate with
ocserv. That however puts more trust in worker processes (as the main
process has no way of telling whether a TLS session is certainly
resumed).
2014-01-18 15:06:10 +01:00
Nikos Mavrogiannopoulos
cc6473a92a print file name instead of function name 2014-01-12 18:24:13 +01:00
Nikos Mavrogiannopoulos
823190475b print textual name of messages exchanged. 2014-01-12 18:23:29 +01:00
Nikos Mavrogiannopoulos
39572b3d48 Store User-Agent information and send to occtl. 2014-01-12 14:35:58 +01:00
Nikos Mavrogiannopoulos
fd2d640e0a increased sizes for ciphersuite name, and decreased maximum size for the DTLS ciphersuite (as we use openssl's short names) 2014-01-11 21:54:20 +01:00
Nikos Mavrogiannopoulos
33dfbdea56 worker will send information on the negotiated TLS/DTLS ciphersuites to main. 2014-01-10 09:17:59 +01:00
Nikos Mavrogiannopoulos
cdba1ae374 Try to release as much memory as possible to be able to detect real memory leaks. 2014-01-09 17:27:49 +01:00
Nikos Mavrogiannopoulos
bc08bcce9a Added reload and 'stop now' D-BUS commands. 2014-01-09 11:24:30 +01:00
Nikos Mavrogiannopoulos
cf8cac0161 better names to lists 2014-01-08 20:07:41 +01:00
Nikos Mavrogiannopoulos
0cf7529c72 Added support for control commands using D-BUS. 2014-01-08 11:15:06 +01:00
Nikos Mavrogiannopoulos
0981efe74f store the time a client connected. 2014-01-05 17:17:54 +01:00
Nikos Mavrogiannopoulos
058b986967 Converted IPC messaging to protocolbuffers-c
That adds a dependency on protocolbuffers-c, but simplifies
the worker-main communication protocol handling.
2013-12-21 12:38:01 +01:00
Nikos Mavrogiannopoulos
dee376e8b1 reduced cookie size by only writing down the ipv4 seed. 2013-12-11 10:14:31 +01:00
Nikos Mavrogiannopoulos
cb5092e820 Augmented cookie format to store the seeds used to generate IPv4 and IPv6 addresses.
This ensures that if the IP previously used by a user is free, it will
be reassigned to him after a reconnection with the same cookie.
2013-12-11 10:03:47 +01:00