Nikos Mavrogiannopoulos
c781bea7cd
user-profile is now allowed in per-user configuration
2014-07-31 14:57:09 +02:00
Nikos Mavrogiannopoulos
a144fde0e4
Eliminated the MAX_ROUTES requirement.
2014-06-25 10:05:34 +02:00
Nikos Mavrogiannopoulos
28dca2aa0c
Added support for session control (relevant for PAM for now)
That in effect will utilize the pam_open_session() and pam_close_session().
It is disabled by default as it requires more resources from the security module.
2014-06-10 15:16:40 +02:00
Nikos Mavrogiannopoulos
01db3e5817
Include the SID into the cookie and store it in proc_st.
2014-06-10 10:41:10 +02:00
Nikos Mavrogiannopoulos
98ed640258
more debug messages
2014-05-29 00:27:20 +02:00
Nikos Mavrogiannopoulos
3a18882a40
Store a hash of the client's cookie instead of the cookie itself.
That ensures that the cookies cannot be leaked from the server.
On a hash collision, the IP of the other cookie in use will be
hijacked.
2014-05-28 10:13:08 +02:00
Nikos Mavrogiannopoulos
25fbdfbf70
Keep track of cookies internally.
That allows restricting the cookie validity time to the absolute minimum
required to establish and reconnect a recently disconnected session.
That deprecates the cookie-validity option and introduces the cookie-timeout
option.
2014-05-27 16:00:57 +02:00
Nikos Mavrogiannopoulos
7ba0fffb07
Added the configuration option deny-roaming.
That required moving the read of the group configuration during the
cookie authentication phase.
2014-05-25 10:17:28 +02:00
Nikos Mavrogiannopoulos
213f9a63ee
license upgraded to GPLv3
2014-05-23 11:50:56 +02:00
Nikos Mavrogiannopoulos
28943341db
Added the proxy-url option to allow sending a proxy URL.
This corresponds to the X-CSTP-MSIE-Proxy-Pac-URL CSTP header.
2014-05-23 11:04:30 +02:00
Nikos Mavrogiannopoulos
6dcc9acf77
Restrict cookies to a single IP address.
2014-05-21 16:19:07 +02:00
Nikos Mavrogiannopoulos
6ca3c4761c
Cookies are packed using protocol buffers to reduce their size.
2014-05-21 16:11:05 +02:00
Nikos Mavrogiannopoulos
68c4b2371b
Renamed main-auth.h.
2014-05-15 11:39:02 +02:00
Nikos Mavrogiannopoulos
53f3129da9
Authentication modules were moved to subdirectory auth/
2014-05-14 14:35:50 +02:00
Nikos Mavrogiannopoulos
09704b8819
Password authentication is now delegated to sec-mod.
That prevents any memory from the authentication modules from being leaked
to a worker process. As a result, the statuses zombie and dead no longer
exist.
2014-05-14 11:37:01 +02:00
Nikos Mavrogiannopoulos
1465a5922c
Added no-udp group configuration option.
That option allows disabling UDP for specific users or groups.
2014-05-12 10:29:29 +02:00
Nikos Mavrogiannopoulos
969e684960
Use talloc() for all allocations to reduce the possibility of memory leaks.
2014-05-09 16:13:11 +02:00
Nikos Mavrogiannopoulos
6410f6864c
The tun device will be closed only after the disconnect script has been called.
This allows gathering statistics from it. In addition, the behavior of
script calling changed, and it will now always contain the IP information.
2014-04-12 12:44:13 +02:00
Nikos Mavrogiannopoulos
52d34b1d8d
small code improvements
2014-04-02 10:14:15 +02:00
Nikos Mavrogiannopoulos
f65507ed66
properly copy the username from a certificate
2014-04-01 18:35:21 +02:00
Nikos Mavrogiannopoulos
991455065f
simplified handling of CISCO reconnecting clients.
Instead of having a client use the initial SID over and over,
re-set the SID cookie during authentication when needed. That
way we avoid having expensive checks to ensure uniqueness of the SID.
2014-02-16 22:47:45 +01:00
Nikos Mavrogiannopoulos
17f3fb8518
check for auth context presence when locating a previous session
2014-02-16 08:40:51 +01:00
Nikos Mavrogiannopoulos
3b9971b7e8
Added support for the "new" type of IP6 support in AnyConnect.
If the client sends "X-CSTP-Full-IPv6-Capability: true", then we
use the headers:
X-CSTP-Address-IP6: 2001:db8:1000:1000::1/64
X-CSTP-Split-Include-IP6: 2001:db8:1000:1001::/64
X-CSTP-Split-Include-IP6: 2001:db8:1000:1002::/64
(see corresponding openconnect change)
2014-02-15 13:51:03 +01:00
Nikos Mavrogiannopoulos
0ec67882c0
Added support for multiple DNS and NBNS servers.
This patch also combines ipv4-dns and ipv6-dns options
that are now handled as aliases to dns.
A side-effect of this patch is that the local keyword is no
longer supported.
2014-02-01 14:50:52 +01:00
Nikos Mavrogiannopoulos
28e5d62f3f
The worker process receives the client's IPs from the main process.
That eliminates the need to read the IP address from the tun device
(which can be quite tricky to implement in a clean portable way).
2014-01-31 20:53:45 +01:00
Nikos Mavrogiannopoulos
30d656ad92
code cleanup
2014-01-20 22:02:09 +01:00
Nikos Mavrogiannopoulos
0ed6332e09
mslog_hex() will allow printing values encoded in base64.
2014-01-19 09:21:48 +01:00
Nikos Mavrogiannopoulos
1b769d38d9
better debug message
2014-01-19 09:16:08 +01:00
Nikos Mavrogiannopoulos
79b6f226af
when taking the state of a proc_st set its status to zombie.
2014-01-19 03:43:03 +01:00
Nikos Mavrogiannopoulos
b9fe6b6263
instead of using the TLS session ID as session identifier prior to authentication use the webvpncontext cookie.
2014-01-19 02:59:04 +01:00
Nikos Mavrogiannopoulos
90a9286b88
send auth reply failure when needed.
2014-01-18 16:06:37 +01:00
Nikos Mavrogiannopoulos
b1af6f2829
enabling cisco-client-compat allows 'stealing' of processes.
This change puts a proc_st whose client has terminated into a "zombie"
state. That state will allow a client that connects later using the
same TLS session ID to reclaim it. That way clients that try to authenticate
by sending their credentials in different sessions can still authenticate with
ocserv. That however puts more trust in worker processes (as the main
process has no way of telling whether a TLS session is certainly
resumed).
2014-01-18 15:06:10 +01:00
Nikos Mavrogiannopoulos
d454557649
replace always-require-cert with cisco-client-compat.
2014-01-18 11:19:19 +01:00
Nikos Mavrogiannopoulos
cf8cac0161
better names to lists
2014-01-08 20:07:41 +01:00
Nikos Mavrogiannopoulos
058b986967
Converted IPC messaging to protocolbuffers-c
That adds a dependency on protocolbuffers-c, but simplifies
the worker-main communication protocol handling.
2013-12-21 12:38:01 +01:00
Nikos Mavrogiannopoulos
dee376e8b1
reduced cookie size by only writing down the ipv4 seed.
2013-12-11 10:14:31 +01:00
Nikos Mavrogiannopoulos
cb5092e820
Augmented cookie format to store the seeds used to generate IPv4 and IPv6 addresses.
This ensures that if the IP previously used by a user is free, it will
be reassigned to him after a reconnection with the same cookie.
2013-12-11 10:03:47 +01:00
Kevin Cernekee
1176d2b7b8
Fix multiple session disconnect when max-same-clients is 0
max-same-clients is used to limit the number of outstanding sessions
(cookies). If set to 0, it means an unlimited number of active cookies
can be owned by each user. But it doesn't mean that the same cookie
can be reused for multiple CSTP connections with different IPs, as
the protocol does not normally work this way.
2013-12-11 08:35:34 +01:00
Nikos Mavrogiannopoulos
ca93854758
do check the username validity only when a certificate is present.
2013-12-09 22:13:35 +01:00
Nikos Mavrogiannopoulos
e367acc41d
corrected typo
2013-12-09 19:56:50 +01:00
Nikos Mavrogiannopoulos
480c5f5a44
do not require a certificate when authenticating with cookie and always-require-cert is set to false.
2013-12-09 19:47:52 +01:00
Nikos Mavrogiannopoulos
8f40c5c18e
Added more verbose logging
2013-12-09 19:45:29 +01:00
Nikos Mavrogiannopoulos
6cb553e9a8
Added the net-priority configuration option.
That option allows setting the protocol-defined priority (via SO_PRIORITY)
for the UDP and TCP sockets, per user/group or globally.
2013-12-09 14:40:55 +01:00
Nikos Mavrogiannopoulos
c256f14c33
Allow PAM to update username
2013-12-08 13:00:28 +01:00
Nikos Mavrogiannopoulos
babf53c442
explicitly initialize module
2013-12-08 12:43:59 +01:00
Nikos Mavrogiannopoulos
d4a56c6a33
initialize values prior to list_for_each() calls, to avoid static analysers' complaints about garbage values.
2013-12-06 14:50:48 +01:00
Nikos Mavrogiannopoulos
8bb4e81f6f
When a new connection presents a cookie of an existing session the previous session is disconnected.
2013-12-05 20:53:27 +01:00
Nikos Mavrogiannopoulos
85f4db201c
updated license information and authors
2013-11-05 19:38:30 +01:00
Nikos Mavrogiannopoulos
2f5141b00f
Added directives to allow bandwidth limitation.
2013-11-03 17:06:02 +01:00
Nikos Mavrogiannopoulos
9e8f39faf5
Avoid many system calls when sending serialized data.
2013-10-30 09:28:39 +01:00