Nikos Mavrogiannopoulos
982348df88
Reworked MTU discovery
...
Disable MTU discovery when not requested, set the minimum packet size
to 1280 for IPv6 and 800 bytes for IPv4. When MTU discovery fails to
calculate an MTU over the minimum, it disables itself and ocserv will rely
on packet fragmentation. This also enhances DTLS connection detection
(due to MTU issues), by setting the DPD packet size equal to the current
data MTU.
2016-08-04 07:57:37 +02:00
Nikos Mavrogiannopoulos
22d285949c
update the IP and the proc table hashes when updating the proxy protocol IP
...
This prevents stray pointers to the replaced IP being present in the
proc hash table.
2016-08-01 12:01:42 +02:00
Nikos Mavrogiannopoulos
8163e5c486
tests: use fedora24
2016-07-28 16:23:46 +02:00
Nikos Mavrogiannopoulos
37a369aec6
ocsignal: memset to zero the new sigaction
2016-07-26 13:32:40 +02:00
Nikos Mavrogiannopoulos
99c9b6749b
recv_from_new_fd: changed to unsigned type
2016-07-19 11:35:24 +02:00
Nikos Mavrogiannopoulos
6510ef06cf
doc update
2016-07-19 11:30:34 +02:00
Nikos Mavrogiannopoulos
2ffd80509d
recv_from_new_fd: update tmsg pointer
...
This addresses an issue where tmsg was free'd by the dtls_pull
function, and free'd again by the caller of recv_from_new_fd.
2016-07-19 11:27:19 +02:00
Nikos Mavrogiannopoulos
c346f29860
worker: use the main buffer for receiving commands from main
...
This avoids large stack allocations.
2016-07-19 11:24:45 +02:00
Nikos Mavrogiannopoulos
53a54b0e39
doc: documented about krb5-k5tls plugin
...
This plugin is required in Debian and Ubuntu based distributions
for kinit to be able to use KKDCP servers. Suggested by Jochen Hein.
2016-07-13 09:08:46 +02:00
Nikos Mavrogiannopoulos
23558aff31
doc update
2016-07-09 10:57:53 +02:00
Nikos Mavrogiannopoulos
4015a19a29
open_tun() ignore EINVAL error in TUNSETGROUP ioctl()
...
This allows ocserv to work with kernels prior to 2.6.23.
Relates #60
2016-07-09 10:57:03 +02:00
Nikos Mavrogiannopoulos
5964c31d68
tun: enable multicast mode for FreeBSD systems
2016-07-04 14:00:08 +02:00
Nikos Mavrogiannopoulos
6aafcc0bf5
tun: move bsd-system-specific tun code to bsd_open_tun()
2016-07-04 14:00:08 +02:00
Nikos Mavrogiannopoulos
7254f3b2e7
document how a certificate may hold multiple groups
2016-07-04 10:50:40 +02:00
Nikos Mavrogiannopoulos
b4d04878a6
doc update
2016-07-04 00:20:06 +02:00
Nikos Mavrogiannopoulos
085df882ab
tun: corrected tun device group assignment
2016-07-04 00:19:34 +02:00
Nikos Mavrogiannopoulos
e12d2e6818
tests: made pam check independent of builddir
2016-06-29 10:05:00 +02:00
Nikos Mavrogiannopoulos
0eb8aac9bf
README.md: mention NSS wrapper
2016-06-29 09:50:41 +02:00
Nikos Mavrogiannopoulos
0d1358edf2
configure: enable pam tests only when liboath is present and PAM compiled in
2016-06-29 09:49:24 +02:00
Nikos Mavrogiannopoulos
a80abeb888
tun: use the same prefix (from the lease) in Linux and *BSD
2016-06-28 09:05:27 +02:00
Nikos Mavrogiannopoulos
ae3c20c3ed
tests: pam tests were converted to use pam-wrapper
...
This allows running the PAM tests without requiring root access
2016-06-25 23:05:18 +02:00
Nikos Mavrogiannopoulos
dcab477d52
radius: corrected the accounting of gigawords for outgoing data
...
Previously the incoming bytes were accounted instead of the
outgoing bytes.
Resolves #57
2016-06-20 23:23:22 +02:00
Nikos Mavrogiannopoulos
954607e88a
When sending auth_id reply to pre-3.x clients use a different auth_id for username and password
...
That is because some modified v2.x clients require that any response
that asks for information does not have an XML form with auth_id set
to "main".
Resolves #55
2016-06-20 23:02:38 +02:00
Nikos Mavrogiannopoulos
bcef7c58cf
worker: always honour the DTLS ciphersuite that matches the TLS ciphersuite
...
That is, do not consider the ciphersuite priorities at all, but rather
prefer the DTLS ciphersuite that matches the TLS one (if any).
2016-06-18 16:09:10 +02:00
Nikos Mavrogiannopoulos
3d4fb9b3e6
tests: added unit test for valid_hostname() function
2016-06-18 14:27:40 +02:00
Nikos Mavrogiannopoulos
f7e057a6dd
tests: check whether the hostname is overridden by per-user conf
2016-06-18 14:21:46 +02:00
Nikos Mavrogiannopoulos
1f809f5e64
ocserv: check the hostname value received by the client for validity
2016-06-18 14:21:41 +02:00
Nikos Mavrogiannopoulos
ed31709e75
ocserv: notify back the client about the hostname accepted (if any)
...
That is, the server will populate X-CSTP-Hostname and send it
back to the client.
2016-06-18 14:05:29 +02:00
Nikos Mavrogiannopoulos
4124b9c089
doc update
2016-06-18 11:17:02 +02:00
Nikos Mavrogiannopoulos
0c093ad8f3
ocserv: allow overriding hostname on the per-user configuration
...
This allows for the administrator to set specific hostnames, or even
an empty hostname for specific users.
2016-06-18 11:08:53 +02:00
Nikos Mavrogiannopoulos
a81652a411
doc update
2016-06-18 10:47:08 +02:00
Nikos Mavrogiannopoulos
966206ecea
worker: when advertising the IPv6 address/prefix use the subnet prefix
...
That is, instead of advertising the address with the server's prefix
advertise the IPv6 address with the prefix that is assigned to the client
itself.
2016-06-18 10:45:25 +02:00
Kevin Cernekee
fb1430f95e
Zero out the whole sockaddr_in6 struct when parsing explicit-ipv6
...
This initializes sin6_scope_id to 0, so that $IPV6_REMOTE doesn't
get strings that look like: "2001:db8::1234%932152953"
Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
2016-06-18 10:41:32 +02:00
Nikos Mavrogiannopoulos
efafdd9e73
tests: added missing certs
2016-06-17 23:11:21 +02:00
Nikos Mavrogiannopoulos
a0ffa818c0
tests: use the .tmp suffix to pid files
2016-06-17 11:56:43 +02:00
Nikos Mavrogiannopoulos
f2bef25cdc
sample.config: use new paths
2016-06-17 11:54:07 +02:00
Nikos Mavrogiannopoulos
cbc4dde44b
tests: moved passwd files to data/
2016-06-17 11:54:05 +02:00
Nikos Mavrogiannopoulos
f3a182dbdf
tests: moved config files to data/
2016-06-17 11:54:03 +02:00
Nikos Mavrogiannopoulos
5c88ee7715
tests: moved all certificates and keys in certs/
2016-06-17 11:53:50 +02:00
Nikos Mavrogiannopoulos
0810cc0aa7
doc update
ocserv_0_11_3
2016-06-16 08:49:52 +02:00
Nikos Mavrogiannopoulos
05badbea7a
doc update
2016-06-16 08:28:42 +02:00
Nikos Mavrogiannopoulos
bb1ba34bdc
ocserv-fw: updated with Lance LeFlore's version
2016-06-16 08:27:22 +02:00
Nikos Mavrogiannopoulos
c49b395a54
ocserv: better log message on terminating worker processes
2016-06-08 19:37:17 +02:00
Nikos Mavrogiannopoulos
aa27271f3b
tests: remove the explicit docker pull commands from docker-common.sh
2016-06-08 17:01:48 +02:00
Nikos Mavrogiannopoulos
7a6a7c707a
worker: wait for confirmation on messages sent during disconnect
...
when disconnecting and sending stats and info to main and sec-mod
ensure that messages have been processed prior to exiting. That makes
sure that these messages are accounted and are not lost. This addresses
an issue where the stats on disconnect were not properly reported to
sec-mod.
2016-06-05 11:35:51 +02:00
Nikos Mavrogiannopoulos
d83c523661
sec-mod: process_packet -> process_worker_packet
2016-06-05 11:25:52 +02:00
Nikos Mavrogiannopoulos
1276ebeb48
ocserv: eliminated race condition with up/down scripts
...
If a user is disconnected while the connect script is running,
kill the script and wait for its termination. If it successfully
terminated (exit code = 0) then run the user disconnect (down) script.
2016-06-05 10:38:34 +02:00
Nikos Mavrogiannopoulos
ceed05b030
doc update
2016-06-05 10:14:34 +02:00
Nikos Mavrogiannopoulos
55cb72522a
doc update
2016-06-04 20:03:40 +02:00
Nikos Mavrogiannopoulos
ab5d22c005
tests: added check for host-update-script being run
2016-06-04 20:02:15 +02:00