Commit Graph

39 Commits

Author SHA1 Message Date
Nikos Mavrogiannopoulos
9fc8568107 ensure that stats are only updated if they increase
That is, transferred bytes will not decrease in an update
due to miscommunication between main and workers.
2014-12-14 20:00:33 +01:00
Nikos Mavrogiannopoulos
07e01d06b5 use strlcpy() instead of snprintf() where it makes sense
That should reduce wasted cycles.
2014-12-14 19:24:14 +01:00
Nikos Mavrogiannopoulos
853f7876cd radius: increase the info sent during accounting requests
Based on suggestions by Niels Peen. That adds:
Calling-Station-Id in auth message, and Service-Type,
Framed-Protocol, Framed-IP-Address, Acct-Authentic,
NAS-Port-Type, Acct-Session-Time in acct messages.
2014-12-14 15:03:59 +01:00
Nikos Mavrogiannopoulos
065753bd57 undid ed5b177691
It is not currently possible to reload only a part of the
configuration. If the back-end module changes, the server will
bail out instead.
2014-12-10 15:28:14 +01:00
Nikos Mavrogiannopoulos
c15a7befbb sec-mod: always reply on open-session cmd 2014-12-10 15:10:25 +01:00
Nikos Mavrogiannopoulos
c8a2666fa7 avoid crash when no auth module is in use 2014-12-10 14:15:37 +01:00
Nikos Mavrogiannopoulos
0551338a7a sec-mod: preparations for thread safety 2014-12-10 14:10:17 +01:00
Nikos Mavrogiannopoulos
54e6450807 sec-mod: separated request serving from main loop 2014-12-10 13:30:56 +01:00
Nikos Mavrogiannopoulos
320773e80a Added support for radius interim updates 2014-12-10 11:18:29 +01:00
Nikos Mavrogiannopoulos
2194e11b39 Added support for radius authentication 2014-12-09 10:59:18 +01:00
Nikos Mavrogiannopoulos
baa3e4701e Supplementary configuration is now read by the security module.
That allows sec-mod to handle both authentication and accounting.
That deprecates the session-control configuration option.
2014-12-08 13:52:28 +01:00
Nikos Mavrogiannopoulos
7b0e20e6ad sec-mod: made logging consistent with the main server 2014-12-01 22:49:09 +01:00
Nikos Mavrogiannopoulos
987974a59e sec-mod: print whether a certificate is present 2014-11-27 13:33:02 +01:00
Nikos Mavrogiannopoulos
78b3685f7a Generate a new DTLS session ID on every cookie connection
That allows openconnect to distinguish when the DTLS key has switched.
2014-11-16 10:00:15 +01:00
Nikos Mavrogiannopoulos
473ceebe4c Added sanity checks into sec-mod
That prevents a crash when certificate authentication is
used but session control is enabled. Reported by George Panda.
2014-10-11 08:25:17 +02:00
Nikos Mavrogiannopoulos
1cb35b8b09 use more reasonable names to open and close a session 2014-09-25 16:41:54 +02:00
Nikos Mavrogiannopoulos
365ca267d4 added new authentication mode optional-certificate
That mode allows having only a specific group of users that are required
to present a certificate.
2014-09-24 12:41:31 +02:00
Nikos Mavrogiannopoulos
30bcf35576 Revert "license upgraded to GPLv3"
This reverts commit 213f9a63ee.

Conflicts:
	configure.ac
2014-09-24 11:34:15 +02:00
Nikos Mavrogiannopoulos
a40c5afcc8 sec-mod-auth: don't print misleading message on session control 2014-09-01 00:45:20 +02:00
Nikos Mavrogiannopoulos
4fa0053d54 ocserv: prompt the user for group selection even if only certificate authentication is used. 2014-06-26 13:46:31 +02:00
Nikos Mavrogiannopoulos
28dca2aa0c Added support for session control (relevant for PAM for now)
That in effect will utilize the pam_open_session() and pam_close_session().
It is disabled by default as it requires more resources from the security module.
2014-06-10 15:16:40 +02:00
Nikos Mavrogiannopoulos
01db3e5817 Include the SID into the cookie and store it in proc_st. 2014-06-10 10:41:10 +02:00
Nikos Mavrogiannopoulos
25fbdfbf70 Keep track of cookies internally.
That allows restricting the cookie validity time to the absolute minimum
required to establish and reconnect a recently disconnected session.
That deprecates the cookie-validity option and introduces the cookie-timeout
option.
2014-05-27 16:00:57 +02:00
Nikos Mavrogiannopoulos
2e1c1bb29f require the certificate being present on the sec-mod session initialization. 2014-05-27 10:46:16 +02:00
Nikos Mavrogiannopoulos
78132e2a6d Added auto group listing on PAM authentication as well.
In addition a configuration option to print group IDs over a
certain number was added.
2014-05-23 16:36:48 +02:00
Nikos Mavrogiannopoulos
213f9a63ee license upgraded to GPLv3 2014-05-23 11:50:56 +02:00
Nikos Mavrogiannopoulos
de50dd413b Better auth log messages. 2014-05-23 11:36:37 +02:00
Nikos Mavrogiannopoulos
6dcc9acf77 Restrict cookies to a single IP address. 2014-05-21 16:19:07 +02:00
Nikos Mavrogiannopoulos
6ca3c4761c Cookies are packed using protocol buffers to reduce their size. 2014-05-21 16:11:05 +02:00
Nikos Mavrogiannopoulos
7153ea8ea7 more precise usage of MAX_*_SIZE definitions. 2014-05-21 06:21:34 +02:00
Nikos Mavrogiannopoulos
aef5dc0633 Allow multiple groups to be present in a client certificate.
In that case the user will be prompted to select a group.
2014-05-20 15:36:40 +02:00
Nikos Mavrogiannopoulos
4755ee48c5 Added the select-group and auto-select-group config options.
These options allow to prompt the user for a group prior to login.
That in addition enhances the password file format and multiple groups
can be specified on a comma separated list, as:
user:group1,group2,group3:$5$encodedpassword
2014-05-19 18:25:25 +02:00
Nikos Mavrogiannopoulos
d99c527758 memory reorganization in sec-mod.
It no longer relies on main pool, it uses its own pool.
In addition the DEBUG_LEAKS definition was added to allow debugging
leaks.
2014-05-15 16:44:43 +02:00
Nikos Mavrogiannopoulos
f9ce018f68 Add the clock_gettime() syscall on the list of allowed in seccomp. 2014-05-15 14:28:18 +02:00
Nikos Mavrogiannopoulos
68c4b2371b Renamed main-auth.h. 2014-05-15 11:39:02 +02:00
Nikos Mavrogiannopoulos
fcaeacbd00 Added sanity checks in state transitions. 2014-05-14 14:51:41 +02:00
Nikos Mavrogiannopoulos
53f3129da9 Authentication modules were moved to subdirectory auth/ 2014-05-14 14:35:50 +02:00
Nikos Mavrogiannopoulos
3f9a215f53 Allow for random and for predictable IP assignment. 2014-05-14 13:00:11 +02:00
Nikos Mavrogiannopoulos
09704b8819 Password authentication is now delegated to sec-mod.
That prevents any memory from the authentication modules from being leaked
to a worker process. As a result, the statuses zombie and dead no longer
exist.
2014-05-14 11:37:01 +02:00