Capture all the required worker process state in a protobuf and
pass to worker via env. Snapshot all config files to ensure ocserv-sm
and ocserv-worker remain in sync. Split ocserv-worker functionality
into it's own executable with minimal dependencies.
Resolves: #285
Signed-off-by: Alan Jowett alanjo@microsoft.com
This addresses issues with anyconnect clients which send back the descriptive labels.
Resolves#267
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
This fixes the ban entries listing from printing all the items in
the database, to all the items that are actually banned from
connecting.
Resolves: #272
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Export more information to the script, including client device platform,
type and user agent.
Resolves: #256
Signed-off-by: Alan Jowett <alanjo@microsoft.com>
This permits the validation of OpenID Connect auth tokens OpenID
Connect is an OAuth 2.0 protocol used to identify a resource owner
(VPN client end-user) to a resource server (VPN server) intermediated
by an Authorization server.
Resolves: #240
Signed-off-by: Alan TG Jowett <alan.jowett@microsoft.com>
When a client re-uses a cookie and takes over a previous connection
previously the disconnect script of the old connection wouldn't receive
the IP information. Ensure that all information is provided to scripts
at this case.
Resolves: #231
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
This modifies test-pass-script to force a DPD timeout to
verify whether ${IP_REMOTE} is set on the disconnect script.
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
This test verifies that the server will continue to operate
even if the up script will block indefinitely.
Resolves: #241
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
When max-same-clients is set to 1 and a user re-using a cookie
connects, check_multiple_users() would prevent the user from
reconnecting. This corrects the issue by taking into account
only valid sessions that have not yet been disconnected.
Resolves: #223
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
This option supports different listen addresses for tcp and
udp such as haproxy for tcp, but support dtls at the same time (haproxy
does not support UDP at the moment)
This removes a trailing comma from the end of the listing, and
adds a missing one.
Resolves: #220
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
tests (radius-otp): add a check radcli version (atleast 1.2.7), since debian uses version
1.2.6, which does not support Access-Challenge server response.
tests: show debug messages only in VERBOSE mode
tests (radius-otp): replace test for option max_challenge to macro MAX_CHALLENGE
Signed-off-by: Alexey Dotsenko <lex@rwx.su>
This ensures that the main process receives the TLS channel information
early and does not depend on DTLS channel establishment. Furthermore,
we refactor to make setup_dtls_psk_keys() fail early when no TLS channel
is available.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
This avoids a crash when no DTLS ciphersuite is selected and adds a
test case for negotiation without DTLS.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
This enables support for AES-256 for anyconnect clients which
do not support AES-GCM. Also prioritized the 256-bit ciphers
higher than the 128-bit ones.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
That addresses the issue of not being able to run under systemd,
or under non-forking mode. Added test case to detect proper
operation.
Resolves#154
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
