Nikos Mavrogiannopoulos
bd87c7607e
renamed match-tls-and-dtls-ciphers to match-tls-dtls-ciphers
2016-09-22 15:26:02 +02:00
Nikos Mavrogiannopoulos
22a01d2981
doc update
2016-09-22 15:21:57 +02:00
Nikos Mavrogiannopoulos
4c85fa97f0
Added configuration option 'dtls-psk'
...
When this option is set to false, the DTLS-PSK protocol
will not be negotiated by worker processes. The process will fall back
to the legacy protocol in that case.
2016-09-22 15:20:35 +02:00
Nikos Mavrogiannopoulos
33089ab74e
Updated the new DTLS protocol negotiation
...
The server sends the X-DTLS-App-ID header in the new protocol;
the X-DTLS-Session-ID is only used in the legacy protocol. The
server expects the Application identifier to be placed in a TLS
extension.
2016-09-21 08:53:35 +02:00
Nikos Mavrogiannopoulos
a5a80f8236
seccomp: add getrandom syscall to filter only when it is available
2016-09-21 08:53:08 +02:00
Nikos Mavrogiannopoulos
ede5d97be8
worker: increased the wait time for the SEC_AUTH_REPLY message from sec-mod
...
That is, to allow for authentication methods which require user input
prior to returning a reply.
2016-09-15 08:38:53 +02:00
Nikos Mavrogiannopoulos
0a4e06b354
Only send the X-DTLS-MTU in the legacy protocol
...
There the DTLS ciphersuite and DTLS version are negotiated and
we cannot accurately predict the actual tunnel size. In that
case the client must rely on the Base-MTU.
2016-09-14 13:12:05 +02:00
Nikos Mavrogiannopoulos
284af95d79
tests: link valid-hostname with gnulib
...
It is used by its included file.
2016-09-14 11:35:58 +02:00
Nikos Mavrogiannopoulos
c3c54cd958
ocspasswd: compile with LIBGNUTLS_CFLAGS
2016-09-14 11:29:08 +02:00
Nikos Mavrogiannopoulos
646449743c
added defs.h containing definitions from vpn.h
...
These are the definitions used by common/ library and
a split from vpn.h to reduce the dependencies (in headers)
to common library.
2016-09-14 11:18:35 +02:00
Nikos Mavrogiannopoulos
cc74e66f75
doc update
2016-09-14 10:21:20 +02:00
Nikos Mavrogiannopoulos
cc1dbf1c24
seccomp: added getrandom() to the accepted list of calls
2016-09-14 10:20:44 +02:00
Nikos Mavrogiannopoulos
58b447c413
Use a macro for the DTLS-PSK protocol indicator
...
Also corrected its usage in worker-http
2016-09-13 14:09:59 +02:00
Nikos Mavrogiannopoulos
b0dcea76ca
Modified the X-DTLS-CipherSuite parameter for PSK to PSK-NEGOTIATE
...
This was changed so that it is explicitly made incompatible with
existing openconnect patch. The new openconnect client patch for
PSK negotiation is incompatible with the protocol as implemented
in 0.11.4 and requires the option match-tls-and-dtls-ciphers for its
openssl variant.
2016-09-13 13:41:46 +02:00
Nikos Mavrogiannopoulos
2022ee4270
doc update
2016-09-13 13:35:14 +02:00
Nikos Mavrogiannopoulos
555d2cb03e
Added the match-tls-and-dtls-ciphers config option
...
When enabled, it will prevent any DTLS negotiation other than
DTLS-PSK, and will ensure that the cipher/mac combination matches on
the TLS and DTLS connections. The cisco-client-compat config option,
when disabled, will disable the pre-draft DTLS negotiation.
2016-09-13 13:25:35 +02:00
Nikos Mavrogiannopoulos
56e82a2f31
test-gssapi: use an unlikely username to avoid clashes
...
That prevents the test from failing if the host system contains a
user called 'test'.
2016-09-09 16:33:25 +02:00
Nikos Mavrogiannopoulos
324c70d4e4
.gitlab-ci.yml: use gitlab.com shared runners
2016-09-04 15:29:51 +02:00
Nikos Mavrogiannopoulos
9fadbc89f9
README.md: added coverage badge
2016-09-04 15:29:51 +02:00
Nikos Mavrogiannopoulos
a1889e100d
Allow disabling the tests requiring root
...
This allows seamless operation on the CI.
2016-09-04 15:29:39 +02:00
Nikos Mavrogiannopoulos
32d1bafece
doc update
2016-08-27 16:51:09 +02:00
Nikos Mavrogiannopoulos
ca5dfc26ef
released 0.11.4
ocserv_0_11_4
2016-08-05 09:48:04 +02:00
Nikos Mavrogiannopoulos
a581d0babb
removed support for chacha20-poly1305 using the legacy protocol
2016-08-05 09:08:58 +02:00
Nikos Mavrogiannopoulos
068548e83f
doc update
2016-08-05 09:08:58 +02:00
Nikos Mavrogiannopoulos
b5f5f2a0c0
Enhanced the openconnect protocol DTLS negotiation
...
If the client's X-DTLS-CipherSuite contains the PSK keyword,
the server will reply with "X-DTLS-CipherSuite: PSK" and will enable
DTLS-PSK negotiation on the DTLS channel. The ciphersuite set
in the DTLS channel must match the one set in the TLS one. That
makes the protocol consistent in security properties (the DTLS and TLS channels
will match cipher/mac combinations), and allows the protocol to use
any new DTLS versions, as well as new DTLS ciphersuites, without
any code changes.
That change still requires the client to pretend it is resuming
by setting in the DTLS client hello the session ID provided by
X-DTLS-Session-ID.
2016-08-05 09:07:11 +02:00
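The DTLS negotiation that the commits above describe, taken together with the later changes higher up this page (the PSK-NEGOTIATE indicator from b0dcea76ca, the dtls-psk option from 4c85fa97f0, the match-tls-dtls-ciphers option from 555d2cb03e, X-DTLS-App-ID carried in a TLS extension per 33089ab74e, and X-DTLS-Session-ID / X-DTLS-MTU sent only in the legacy protocol per 0a4e06b354), modelled as an added Python example. This is illustrative code, not ocserv's own: the ciphersuite names, the colon-separated header format, the X-CSTP-Base-MTU header, the TLS extension name, and every function and parameter name are assumptions.

```python
"""Model of the openconnect-protocol DTLS negotiation as the commit messages
describe it.  Added illustrative code, not ocserv's own: the ciphersuite
names, the X-CSTP-Base-MTU header, the TLS extension name and all helper and
parameter names are assumptions."""
from dataclasses import dataclass, field

PSK_NEGOTIATE = "PSK-NEGOTIATE"  # indicator from commit b0dcea76ca; 0.11.4 used "PSK"

# Assumed legacy DTLS suite names.  The "OC-DTLS1_2-" prefix is taken to mean a
# standard DTLS 1.2 suite; anything else is treated as pre-draft (Cisco) DTLS.
LEGACY_SUITES = {"OC-DTLS1_2-AES128-GCM", "OC-DTLS1_2-AES256-GCM",
                 "AES128-SHA", "AES256-SHA"}


def is_pre_draft(suite):
    return not suite.startswith("OC-DTLS1_2-")


@dataclass
class ServerConfig:
    dtls_psk: bool = True                 # 'dtls-psk' option (commit 4c85fa97f0)
    match_tls_dtls_ciphers: bool = False  # commits 555d2cb03e / bd87c7607e
    cisco_client_compat: bool = True      # False disables pre-draft DTLS negotiation


@dataclass
class Negotiation:
    mode: str                                    # "psk", "legacy" or "none"
    headers: dict = field(default_factory=dict)  # server reply headers
    dtls_ciphersuite: str = ""                   # suite the DTLS channel will use


def parse_offer(value):
    """Client X-DTLS-CipherSuite value, assumed colon-separated, most preferred first."""
    return [s.strip() for s in value.split(":") if s.strip()]


def negotiate_dtls(cfg, client_headers, tls_ciphersuite, session_id, app_id,
                   base_mtu, legacy_dtls_mtu):
    offered = parse_offer(client_headers.get("X-DTLS-CipherSuite", ""))
    hdrs = {"X-CSTP-Base-MTU": str(base_mtu)}  # always sent (header name assumed)

    # New protocol: DTLS-PSK keyed off the TLS session.  Only PSK-NEGOTIATE
    # triggers it; the older "PSK" indicator is deliberately not honoured.
    if cfg.dtls_psk and PSK_NEGOTIATE in offered:
        hdrs["X-DTLS-CipherSuite"] = PSK_NEGOTIATE
        hdrs["X-DTLS-App-ID"] = app_id
        # No X-DTLS-Session-ID and no X-DTLS-MTU: version and suite are
        # negotiated on the DTLS channel itself, so the client relies on Base-MTU.
        return Negotiation("psk", hdrs, dtls_ciphersuite=tls_ciphersuite)

    # match-tls-dtls-ciphers forbids any DTLS negotiation other than DTLS-PSK.
    if cfg.match_tls_dtls_ciphers:
        return Negotiation("none", hdrs)

    # Legacy protocol: pick the first offered suite the server accepts.
    for suite in offered:
        if suite not in LEGACY_SUITES:
            continue
        if is_pre_draft(suite) and not cfg.cisco_client_compat:
            continue
        hdrs["X-DTLS-CipherSuite"] = suite
        hdrs["X-DTLS-Session-ID"] = session_id
        hdrs["X-DTLS-MTU"] = str(legacy_dtls_mtu)
        return Negotiation("legacy", hdrs, dtls_ciphersuite=suite)

    return Negotiation("none", hdrs)


def client_dtls_hello(server_headers):
    """What the client places in its DTLS ClientHello: legacy -> pretend to
    resume with X-DTLS-Session-ID; new protocol -> carry X-DTLS-App-ID in a
    TLS extension (extension name assumed)."""
    if server_headers.get("X-DTLS-CipherSuite") == PSK_NEGOTIATE:
        return {"extensions": {"application-id": server_headers["X-DTLS-App-ID"]}}
    if "X-DTLS-Session-ID" in server_headers:
        return {"session_id": server_headers["X-DTLS-Session-ID"]}
    return None  # no DTLS channel


def demo():
    # Constructed CONNECT headers from a client that supports both modes.
    req = {"X-DTLS-CipherSuite": "OC-DTLS1_2-AES256-GCM:AES256-SHA:" + PSK_NEGOTIATE}
    common = dict(tls_ciphersuite="ECDHE-RSA-AES256-GCM-SHA384",  # sample value
                  session_id="ab12", app_id="cd34", base_mtu=1400, legacy_dtls_mtu=1346)
    results = {}
    results["default"] = negotiate_dtls(ServerConfig(), req, **common)
    results["dtls-psk=false"] = negotiate_dtls(ServerConfig(dtls_psk=False), req, **common)
    # Client carrying the pre-0.11.4 "PSK" indicator against a strict server.
    results["old-client"] = negotiate_dtls(ServerConfig(match_tls_dtls_ciphers=True),
                                           {"X-DTLS-CipherSuite": "AES256-SHA:PSK"}, **common)
    results["no-cisco-compat"] = negotiate_dtls(ServerConfig(cisco_client_compat=False),
                                                {"X-DTLS-CipherSuite": "AES256-SHA"}, **common)
    return results


if __name__ == "__main__":
    for name, n in demo().items():
        print(name, n.mode, n.headers, client_dtls_hello(n.headers))
```

The "old-client" case is the point of commit b0dcea76ca: a client that still sends the 0.11.4 "PSK" keyword gets no DTLS-PSK channel, and with match-tls-dtls-ciphers enabled it gets no DTLS channel at all rather than a legacy one with a different cipher/mac than the TLS session.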
Nikos Mavrogiannopoulos
5825a2cd3e
NEWS: corrected typo
2016-08-04 14:13:23 +02:00
Nikos Mavrogiannopoulos
c2ae0f6cc2
bumped version
2016-08-04 08:11:22 +02:00
Nikos Mavrogiannopoulos
5a0c6caf65
improved config macro CHECK_TRUE
2016-08-04 08:05:37 +02:00
Nikos Mavrogiannopoulos
982348df88
Reworked MTU discovery
...
Disable MTU discovery when not requested, set the minimum packet size
to 1280 for IPv6 and 800 bytes for IPv4. When MTU discovery fails to
calculate an MTU over the minimum, it disables itself and ocserv will rely
on packet fragmentation. This also enhances DTLS connection detection
(due to MTU issues) by setting the DPD packet size equal to the current
data MTU.
2016-08-04 07:57:37 +02:00
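The MTU-discovery rules in the commit above (per-family minimums of 1280 bytes for IPv6 and 800 for IPv4, discovery disabling itself when no MTU over the minimum can be found, and the DPD packet size tracking the data MTU), as an added Python example. It is not ocserv's code: the binary-search probing, the probe() callback, the fallback to the minimum when discovery is disabled, and the result layout are assumptions.

```python
"""Model of the MTU-discovery behaviour described in commit 982348df88.
Added illustrative code, not ocserv's own: the binary-search probe strategy,
the probe() callback, the fallback values and the result layout are
assumptions; the per-family minimums and the disable-on-failure rule come
from the commit message."""
IPV6_MIN_MTU = 1280  # minimum packet size for IPv6, from the commit
IPV4_MIN_MTU = 800   # minimum packet size for IPv4, from the commit


def discover_mtu(probe, ipv6, base_mtu, requested=True):
    """probe(size) -> True if a DTLS packet of 'size' bytes reached the peer
    (assumed callback).  Returns the data MTU, whether discovery stays
    enabled, and the DPD packet size, which is set equal to the data MTU."""
    floor = IPV6_MIN_MTU if ipv6 else IPV4_MIN_MTU
    if not requested:
        # Discovery not requested: keep the base MTU as-is, no probing (assumed).
        return {"enabled": False, "mtu": base_mtu, "dpd_size": base_mtu}

    # Binary search (assumed strategy) for the largest deliverable size that
    # is strictly above the per-family minimum.
    lo, hi, best = floor + 1, base_mtu, None
    while lo <= hi:
        mid = (lo + hi) // 2
        if probe(mid):
            best, lo = mid, mid + 1
        else:
            hi = mid - 1

    if best is None:
        # No MTU over the minimum could be found: discovery disables itself
        # and the server relies on packet fragmentation.  Falling back to the
        # minimum for the data and DPD sizes is an assumption of this model.
        return {"enabled": False, "mtu": floor, "dpd_size": floor}
    return {"enabled": True, "mtu": best, "dpd_size": best}


def path_that_drops_above(limit):
    """Constructed path model: packets larger than 'limit' bytes are lost."""
    return lambda size: size <= limit


if __name__ == "__main__":
    # A path with a 1400-byte ceiling, and a broken IPv4 path that drops
    # everything above 700 bytes (below the 800-byte minimum).
    print(discover_mtu(path_that_drops_above(1400), ipv6=True, base_mtu=1500))
    print(discover_mtu(path_that_drops_above(700), ipv6=False, base_mtu=1500))
```

The second case is the failure mode the commit describes: the path cannot carry even the 800-byte minimum, so discovery turns itself off instead of reporting a value below the floor.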
Nikos Mavrogiannopoulos
22d285949c
update the IP and the proc table hashes when updating the proxy protocol IP
...
This prevents stray pointers to the replaced IP being present in the
proc hash table.
2016-08-01 12:01:42 +02:00
Nikos Mavrogiannopoulos
8163e5c486
tests: use fedora24
2016-07-28 16:23:46 +02:00
Nikos Mavrogiannopoulos
37a369aec6
ocsignal: memset to zero the new sigaction
2016-07-26 13:32:40 +02:00
Nikos Mavrogiannopoulos
99c9b6749b
recv_from_new_fd: changed to unsigned type
2016-07-19 11:35:24 +02:00
Nikos Mavrogiannopoulos
6510ef06cf
doc update
2016-07-19 11:30:34 +02:00
Nikos Mavrogiannopoulos
2ffd80509d
recv_from_new_fd: update tmsg pointer
...
This addresses an issue where tmsg was free'd by the dtls_pull
function, and free'd again by the caller of recv_from_new_fd.
2016-07-19 11:27:19 +02:00
Nikos Mavrogiannopoulos
c346f29860
worker: use the main buffer for receiving commands from main
...
This avoids large stack allocations.
2016-07-19 11:24:45 +02:00
Nikos Mavrogiannopoulos
53a54b0e39
doc: documented about krb5-k5tls plugin
...
This plugin is required in Debian and Ubuntu based distributions
for kinit to be able to use KKDCP servers. Suggested by Jochen Hein.
2016-07-13 09:08:46 +02:00
Nikos Mavrogiannopoulos
23558aff31
doc update
2016-07-09 10:57:53 +02:00
Nikos Mavrogiannopoulos
4015a19a29
open_tun() ignore EINVAL error in TUNSETGROUP ioctl()
...
This allows ocserv to work with kernels prior to 2.6.23.
Relates #60
2016-07-09 10:57:03 +02:00
Nikos Mavrogiannopoulos
5964c31d68
tun: enable multicast mode for FreeBSD systems
2016-07-04 14:00:08 +02:00
Nikos Mavrogiannopoulos
6aafcc0bf5
tun: move bsd-system-specific tun code to bsd_open_tun()
2016-07-04 14:00:08 +02:00
Nikos Mavrogiannopoulos
7254f3b2e7
document how a certificate may hold multiple groups
2016-07-04 10:50:40 +02:00
Nikos Mavrogiannopoulos
b4d04878a6
doc update
2016-07-04 00:20:06 +02:00
Nikos Mavrogiannopoulos
085df882ab
tun: corrected tun device group assignment
2016-07-04 00:19:34 +02:00
Nikos Mavrogiannopoulos
e12d2e6818
tests: made pam check independent of builddir
2016-06-29 10:05:00 +02:00
Nikos Mavrogiannopoulos
0eb8aac9bf
README.md: mention NSS wrapper
2016-06-29 09:50:41 +02:00
Nikos Mavrogiannopoulos
0d1358edf2
configure: enable pam tests only when liboath is present and PAM compiled in
2016-06-29 09:49:24 +02:00
Nikos Mavrogiannopoulos
a80abeb888
tun: use the same prefix (from the lease) in Linux and *BSD
2016-06-28 09:05:27 +02:00
Nikos Mavrogiannopoulos
ae3c20c3ed
tests: pam tests were converted to use pam-wrapper
...
This allows running the PAM tests without requiring root access
2016-06-25 23:05:18 +02:00
Nikos Mavrogiannopoulos
dcab477d52
radius: corrected the accounting of gigawords for outgoing data
...
Previously the incoming bytes were accounted instead of the
outgoing bytes.
Resolves #57
2016-06-20 23:23:22 +02:00