Commit Graph

1634 Commits

Author SHA1 Message Date
Nikos Mavrogiannopoulos
683fd2ec28 radius-test: completed test 2015-02-16 13:21:14 +01:00
Nikos Mavrogiannopoulos
a2f52c58cc full/unix-test: updated for new IP assignments 2015-02-16 13:19:22 +01:00
Nikos Mavrogiannopoulos
ad52336a14 Linux ipv6: assign route to the remote IP 2015-02-16 13:16:48 +01:00
Nikos Mavrogiannopoulos
e22a1d7f42 doc update 2015-02-15 12:23:42 +01:00
Nikos Mavrogiannopoulos
137e584538 force relative names on the socket file to allow it being accessible from main and workers 2015-02-15 12:23:39 +01:00
Nikos Mavrogiannopoulos
53b9bbe603 configure: use seccomp where it is available 2015-02-15 08:28:08 +01:00
Nikos Mavrogiannopoulos
a07be822ac use IPV6_V6ONLY flag only when defined ocserv_0_9_1 2015-02-15 08:21:39 +01:00
Nikos Mavrogiannopoulos
0794a32567 use headers for clone() only when ENABLE_LINUX_NS is defined 2015-02-15 08:21:22 +01:00
Nikos Mavrogiannopoulos
f3249a70aa doc update 2015-02-15 08:04:41 +01:00
Nikos Mavrogiannopoulos
9e3695ec15 tests: added missing file 2015-02-15 07:55:38 +01:00
Stuart Henderson
56c2d9a74a header/macro fix for OpenBSD
Signed-off-by: Stuart Henderson <stu@spacehopper.org>
2015-02-14 18:53:26 +01:00
Stuart Henderson
7cb57b162b correct byte-order for tun header
Signed-off-by: Stuart Henderson <stu@spacehopper.org>
2015-02-14 18:51:59 +01:00
Nikos Mavrogiannopoulos
d75c1d18a2 use writev() and readv() for tun_read/write in OpenBSD 2015-02-14 14:36:46 +01:00
Nikos Mavrogiannopoulos
9d5106995c Handle OpenBSD's additional tun header 2015-02-14 14:22:00 +01:00
Nikos Mavrogiannopoulos
82a0c334ba oc_recvfrom_at: correctly set *addrlen 2015-02-14 14:06:08 +01:00
Nikos Mavrogiannopoulos
1b9fe50628 Set blocking mode to fd returned by accept
That addresses issues in OpenBSD where the fd is
set to non-blocking when the accept's fd is non-blocking.
2015-02-14 11:49:26 +01:00
Nikos Mavrogiannopoulos
ff5c721d30 doc update 2015-02-14 11:14:53 +01:00
Nikos Mavrogiannopoulos
df81d16f9d added missing colon 2015-02-14 08:06:53 +01:00
Nikos Mavrogiannopoulos
14d8c34e60 Attempted to simplify the BSD tun handling code 2015-02-13 23:34:34 +01:00
Stuart Henderson
2c0849c8a9 BSD patches for ocserv
Iterate over tunXX devices, for BSDs that can't just open /dev/tun to
retrieve the "next available tun".

This is just copied with minor changes from openconnect/src/tun.c.

Signed-off-by: Stuart Henderson <stu@spacehopper.org>
2015-02-13 23:21:05 +01:00
Stuart Henderson
a2b947de6f BSD patches for ocserv
Hi Nikos, here are patches for a couple of issues which are stopping ocserv
from building on OpenBSD (and might be causing problems on other OS too).
There's a bit more to do for OpenBSD, it does need the iteration as done
in openconnect's tun.c:405-410, I might have another diff for that later.

Signed-off-by: Stuart Henderson <stu@spacehopper.org>
2015-02-13 20:34:13 +01:00
Joerg Mayer
d1c3e05b92 Fix one of the places where "make distcheck" fails: In case of success ocpasswd-test should not leave the last test output lying around
Signed-off-by: Joerg Mayer <jmayer@loplof.de>
2015-02-13 14:00:32 +01:00
Joerg Mayer
12f7d42851 Fix out of tree build.
Signed-off-by: Joerg Mayer <jmayer@loplof.de>
2015-02-13 14:00:11 +01:00
Nikos Mavrogiannopoulos
9a0ba0218f tests: updated radius-test for fedora 2015-02-13 10:41:54 +01:00
Nikos Mavrogiannopoulos
3d55134215 when opening a session forward the received cookie to sec-module
That allows verifying that the cookie hasn't been tampered with
without relying only on the MAC.
2015-02-12 21:44:32 +01:00
Nikos Mavrogiannopoulos
d348caacc2 added seclog_hex 2015-02-12 21:43:40 +01:00
Nikos Mavrogiannopoulos
b6ef99b443 doc update 2015-02-12 21:10:12 +01:00
Nikos Mavrogiannopoulos
23586bdb9c no longer document the auth option certificate[optional] 2015-02-12 21:08:41 +01:00
Nikos Mavrogiannopoulos
aa10eb53c1 doc update 2015-02-11 11:44:57 +01:00
Nikos Mavrogiannopoulos
965ea48ee2 always assign the first network address as PtP address 2015-02-11 10:27:30 +01:00
Nikos Mavrogiannopoulos
75af003f12 check the explicit IP addresses for existence in our leases 2015-02-11 09:51:43 +01:00
Nikos Mavrogiannopoulos
585d29763d test-explicit-ip: Modified illegal checks for the new illegal addresses 2015-02-11 09:39:57 +01:00
Nikos Mavrogiannopoulos
57225a2c6a reserve the first address of the network to be set as the local part in our tun devices
That is used only when explicit IP addresses are set. That way we
don't need to separate addresses into odd and even.
2015-02-11 09:37:26 +01:00
Nikos Mavrogiannopoulos
0d999f5424 Added failure codes for proc_table_add() 2015-02-10 18:36:40 +01:00
Nikos Mavrogiannopoulos
85483e98e8 added hash table to search via 'real' SID 2015-02-10 18:33:02 +01:00
Nikos Mavrogiannopoulos
820de6a979 correctly renamed DTLS ID search functions 2015-02-10 18:14:34 +01:00
Nikos Mavrogiannopoulos
45b1f46265 doc update 2015-02-10 11:17:04 +01:00
Nikos Mavrogiannopoulos
952d6adc9c Added implicit accounting when explicit addresses are specified
Only odd IP addresses can now explicitly be set, so that the next
even address can be used as the local one.
2015-02-10 11:07:58 +01:00
Kevin Cernekee
2e757cedb2 Use distinct remote and local IPs when explicit_ipv[46] is specified
Currently the code sets the local interface IP to the same value as the
P-t-P IP:

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:192.168.63.1  P-t-P:192.168.63.1  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1341  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

This doesn't seem to get things routed correctly.  e.g. pinging 192.168.63.1
from the ocserv gateway just loops traffic back to the local machine instead
of pinging the client.

So instead we'll set LIP = RIP + 1.  This isn't terribly intuitive (an
administrator might try to number consecutive users 192.168.1.1, 192.168.1.2,
192.168.1.3, ...) but it's better than the current situation.  Maybe at some
point, fixed IPs should also make use of the hash table.
2015-02-10 10:43:49 +01:00
Nikos Mavrogiannopoulos
1e0af5c482 set cookie to expire when the last user disconnects 2015-02-10 09:10:00 +01:00
Kevin Cernekee
25cfd3b1db config: Use talloc_free() to free "route" strings
Adding redundant routes triggers a glibc assertion on startup.  The offending
config file contained:

    route = 192.168.1.0/255.255.255.0
    route = default

The assertion:

    # ./src/ocserv -c ocserv.conf -f
    *** Error in `./src/ocserv': munmap_chunk(): invalid pointer: 0x0000000001703470 ***
    Aborted (core dumped)

Fix this by calling the correct free() function.
2015-02-09 15:06:57 +01:00
Nikos Mavrogiannopoulos
35fae82538 document explicit-ipv? 2015-02-09 15:04:30 +01:00
Kevin Cernekee
71ff05cea7 Allow explicit-ipv4 / explicit-ipv6 addresses in per-user config files
If a machine is running remotely accessible services, it can be helpful
to assign a fixed IP address upon connection.
2015-02-09 11:32:24 +01:00
Kevin Cernekee
1545130237 main: Check chdir() return value
This fixes:

    main.c: In function ‘main’:
    main.c:1025:8: warning: ignoring return value of ‘chdir’, declared with attribute warn_unused_result [-Wunused-result]
       chdir(s->config->chroot_dir);
            ^
2015-02-09 11:31:52 +01:00
Kevin Cernekee
fbe55c23ef main: Fix unused variable warning on !HAVE_LIBSYSTEMD builds
This fixes:

      CC       main.o
    main.c: In function ‘listen_ports’:
    main.c:276:11: warning: unused variable ‘fds’ [-Wunused-variable]
      int ret, fds;
               ^
2015-02-09 11:31:18 +01:00
Nikos Mavrogiannopoulos
38206d6e93 eliminate double books for session expiration
Session expiration is now handled only by security
module. That simplifies the logic significantly.
2015-02-09 11:25:48 +01:00
Nikos Mavrogiannopoulos
e82e1b8d68 delete client entry after message is sent 2015-02-09 10:57:40 +01:00
Nikos Mavrogiannopoulos
dcb7068c19 Before allowing the steal of leases, check that usernames match 2015-02-09 10:20:25 +01:00
Nikos Mavrogiannopoulos
905222fe6e corrected typo 2015-02-09 10:20:00 +01:00
Nikos Mavrogiannopoulos
ee81ffa10d when we detect user disconnection, set the proper expiration time on their cookies 2015-02-09 10:07:46 +01:00