GitLab/ocserv
1
0
Fork 0
mirror of https://gitlab.com/openconnect/ocserv.git synced 2026-03-06 14:56:59 +08:00
Code Issues Packages Projects Releases Wiki Activity
1,143 Commits 16 Branches 89 Tags
6ca3c4761cb689d80319517210e81a71fb0a4fac
Commit Graph

76 Commits

Author SHA1 Message Date
Nikos Mavrogiannopoulos
6ca3c4761c Cookies are packed using protocol buffers to reduce their size. 2014-05-21 16:11:05 +02:00
Nikos Mavrogiannopoulos
4755ee48c5 Added the select-group and auto-select-group config options. 
These options allow to prompt the user for a group prior to login.
That in addition enhances the password file format and multiple groups
can be specified on a comma separated list, as:
user:group1,group2,group3:$5$encodedpassword
 2014-05-19 18:25:25 +02:00
Nikos Mavrogiannopoulos
d99c527758 memory reorganization in sec-mod. 
It no longer relies on main pool, it uses it's own pool.
In addition the DEBUG_LEAKS definition was added to allow debugging
leaks.
 2014-05-15 16:44:43 +02:00
Nikos Mavrogiannopoulos
739a2126d0 Clean-up all memory on deinitialization of sec-mod and worker. 
That will allow to easier spot any unintentional memory leaks.
 2014-05-15 15:36:03 +02:00
Nikos Mavrogiannopoulos
e7171ac859 Supplementary group/user configuration is now modular. 
That will ease the addition of other backends that can be used to
read the user/group configuration. The only backend supported now
is file.
 2014-05-15 11:36:30 +02:00
Nikos Mavrogiannopoulos
09704b8819 Password authentication is now delegated to sec-mod. 
That prevents any memory from the authentication modules to be leaked
to a worker process. As a result, the status zombie and dead no longer
exists.
 2014-05-14 11:37:01 +02:00
Nikos Mavrogiannopoulos
07559df432 Corrected the removal of socket files in chrooted environment. 
In addition remove the occtl_socket_file.
 2014-05-12 11:14:53 +02:00
Nikos Mavrogiannopoulos
5e3afb92ad eliminate the need for a worker_pool variable in main_server_st. 2014-05-12 10:51:18 +02:00
Nikos Mavrogiannopoulos
41561567b5 status cmd will report the server uptime 2014-05-10 23:12:37 +02:00
Nikos Mavrogiannopoulos
969e684960 Use talloc() for all allocations to reduce the possibility of memory leaks. 2014-05-09 16:13:11 +02:00
Nikos Mavrogiannopoulos
71104b36a3 Added support for unix sockets for the occtl communication. 
D-BUS support is left, but is not enabled by default.
 2014-05-07 13:54:58 +02:00
Nikos Mavrogiannopoulos
2a0cc77c2e Export TUN device statistics from the worker process. 
When a worker process terminates in authenticated state, then
export statistics from the tun device (currently bytes_in and
bytes_out). These statistics are sent to main process using an
informational message just prior to process exit. The statistics
are also exported to the disconnect script using the STATS_BYTES_IN
and STATS_BYTES_OUT environment variables.
 2014-04-28 17:32:51 +02:00
Nikos Mavrogiannopoulos
62110975a7 Revert "Delay the cleanup of resources of a worker if a disconnect script is set." 
This reverts commit 7e0ee385c2.
 2014-04-16 12:00:16 +02:00
Nikos Mavrogiannopoulos
7e0ee385c2 Delay the cleanup of resources of a worker if a disconnect script is set. 
In that case use the intermediate state PS_AUTH_DEAD to delay the
release of resources for few seconds. That would allow the disconnect
script to gather any required statistics from the device, IPs etc.
 2014-04-12 21:29:14 +02:00
Nikos Mavrogiannopoulos
6410f6864c The tun device will be closed only after the disconnect script has been called. 
This allows gathering statistics from it. In addition, changed behavior of
script calling, and now will always contain the IP information.
 2014-04-12 12:44:13 +02:00
Nikos Mavrogiannopoulos
991455065f simplified handling of CISCO reconnecting clients. 
Instead of having a client use the initial SID over and over,
re-set the SID cookie, during authentication when needed. That
way we avoid having expensive checks to ensure uniqueness of SID.
 2014-02-16 22:47:45 +01:00
Nikos Mavrogiannopoulos
404d831c35 better definition names. 2014-01-19 09:49:46 +01:00
Nikos Mavrogiannopoulos
0ed6332e09 mslog_hex() will allow printing values encoded in base64. 2014-01-19 09:21:48 +01:00
Nikos Mavrogiannopoulos
9d2b10de22 Use base64 to encode Cookies. That reduces the size of the cookie. 2014-01-19 09:14:11 +01:00
Nikos Mavrogiannopoulos
baf12348d4 Added proc_st status PS_AUTH_FAILED to prevent users that failed authentication to leave a zombie proc_st. 2014-01-19 04:14:56 +01:00
Nikos Mavrogiannopoulos
b9fe6b6263 instead of using the TLS session ID as session identifier prior to authentication use the webvpncontext cookie. 2014-01-19 02:59:04 +01:00
Nikos Mavrogiannopoulos
b1af6f2829 enabling cisco-client-compat allows 'stealing' of processes. 
This change puts a proc_st that its client has terminated to a "zombie"
state. That state will allow a client that connects later using the
same TLS session ID to reclaim it. That way clients that try to authenticate
by sending their credentials in different sessions can still authenticate with
ocserv. That however puts more trust to worker processes (as the main
process has no way of telling whether a TLS session is certainly
resumed).
 2014-01-18 15:06:10 +01:00
Nikos Mavrogiannopoulos
cc6473a92a print file name instead of function name 2014-01-12 18:24:13 +01:00
Nikos Mavrogiannopoulos
823190475b print textual name of messages exchanged. 2014-01-12 18:23:29 +01:00
Nikos Mavrogiannopoulos
39572b3d48 Store User-Agent information and send to occtl. 2014-01-12 14:35:58 +01:00
Nikos Mavrogiannopoulos
fd2d640e0a increased sizes for ciphersuite name, and decreased maximum size for the DTLS ciphersuite (as we use openssl's short names) 2014-01-11 21:54:20 +01:00
Nikos Mavrogiannopoulos
33dfbdea56 worker will send information on the negotiated TLS/DTLS ciphersuites to main. 2014-01-10 09:17:59 +01:00
Nikos Mavrogiannopoulos
cdba1ae374 Try to release as much memory as possible to be able to detect real memory leaks. 2014-01-09 17:27:49 +01:00
Nikos Mavrogiannopoulos
bc08bcce9a Added reload and 'stop now' D-BUS commands. 2014-01-09 11:24:30 +01:00
Nikos Mavrogiannopoulos
cf8cac0161 better names to lists 2014-01-08 20:07:41 +01:00
Nikos Mavrogiannopoulos
0cf7529c72 Added support for control commands using D-BUS. 2014-01-08 11:15:06 +01:00
Nikos Mavrogiannopoulos
0981efe74f store the time a client connected. 2014-01-05 17:17:54 +01:00
Nikos Mavrogiannopoulos
058b986967 Converted IPC messaging to protocolbuffers-c 
That adds a dependency on protocolbuffers-c, but simplifies
the worker-main communication protocol handling.
 2013-12-21 12:38:01 +01:00
Nikos Mavrogiannopoulos
dee376e8b1 reduced cookie size by only writing down the ipv4 seed. 2013-12-11 10:14:31 +01:00
Nikos Mavrogiannopoulos
cb5092e820 Augmented cookie format to store the seeds used to generate IPv4 and IPv6 addresses. 
This ensures that if the IP previously used by a user is free, it will
be reassigned to him after a reconnection with the same cookie.
 2013-12-11 10:03:47 +01:00
Nikos Mavrogiannopoulos
c6a08db6db Added support for cgroups 2013-12-10 11:07:08 +01:00
Nikos Mavrogiannopoulos
8bb4e81f6f When a new connection presents a cookie of an existing session the previous session is disconnected. 2013-12-05 20:53:27 +01:00
Nikos Mavrogiannopoulos
85f4db201c updated license information and authors 2013-11-05 19:38:30 +01:00
Nikos Mavrogiannopoulos
ac1621df0b Corrected behavior on error during receiving a UDP fd. 2013-10-31 11:44:36 +01:00
Nikos Mavrogiannopoulos
929b8dcaec Avoid forwarding the UDP fd within a minute. That is to avoid duplicate messages messing the worker session. 2013-10-31 09:30:44 +01:00
Nikos Mavrogiannopoulos
aa71216a65 updates in hash table usage. 2013-10-30 13:00:19 +01:00
Nikos Mavrogiannopoulos
3c583e3a35 Added the 'iroute' directive to allow routes set on server. 2013-10-29 11:37:57 +01:00
Nikos Mavrogiannopoulos
2480a2cf58 Increased the number of directives allowed in group and user configurations. 2013-10-29 09:39:06 +01:00
Nikos Mavrogiannopoulos
00554b2f28 Allow loading additional configuration files per user or per group. 
The directives currently allowed are: ipv4/6_dns and route.
 2013-10-28 11:43:05 +01:00
Mike Miller
5e0e286c27 Fix typo maintainance -> maintenance 2013-07-23 21:33:18 +02:00
Nikos Mavrogiannopoulos
b4982477d4 Put a limit in the number of allowed authentication requests, and increased size of stack for co-routines. 2013-07-06 14:29:06 +02:00
Nikos Mavrogiannopoulos
718ccd79c1 better function names and parameter order 2013-07-05 12:01:35 +02:00
Nikos Mavrogiannopoulos
f4c5a54d39 leases belong to users as well. That way IPs are properly re-used. 2013-07-01 14:18:27 +02:00
Nikos Mavrogiannopoulos
126c52ab5c Cookies are no longer persistent 2013-07-01 12:18:51 +02:00
Nikos Mavrogiannopoulos
4f202afefc small fixes to avoid relying on properly null-terminated strings. 2013-06-26 16:54:12 +02:00