Commit Graph

1613 Commits

Author SHA1 Message Date
Joerg Mayer
d1c3e05b92 Fix one of the places where "make distcheck" fails: In case of success ocpasswd-test should not leave the last test output lying around
Signed-off-by: Joerg Mayer <jmayer@loplof.de>
2015-02-13 14:00:32 +01:00
Joerg Mayer
12f7d42851 Fix out of tree build.
Signed-off-by: Joerg Mayer <jmayer@loplof.de>
2015-02-13 14:00:11 +01:00
Nikos Mavrogiannopoulos
9a0ba0218f tests: updated radius-test for fedora 2015-02-13 10:41:54 +01:00
Nikos Mavrogiannopoulos
3d55134215 when opening a session forward the received cookie to sec-module
That allows verifying that the cookie hasn't been tampered with
without relying only on the MAC.
2015-02-12 21:44:32 +01:00
Nikos Mavrogiannopoulos
d348caacc2 added seclog_hex 2015-02-12 21:43:40 +01:00
Nikos Mavrogiannopoulos
b6ef99b443 doc update 2015-02-12 21:10:12 +01:00
Nikos Mavrogiannopoulos
23586bdb9c no longer document the auth option certificate[optional] 2015-02-12 21:08:41 +01:00
Nikos Mavrogiannopoulos
aa10eb53c1 doc update 2015-02-11 11:44:57 +01:00
Nikos Mavrogiannopoulos
965ea48ee2 always assign the first network address as PtP address 2015-02-11 10:27:30 +01:00
Nikos Mavrogiannopoulos
75af003f12 check the explicit IP addresses for existence in our leases 2015-02-11 09:51:43 +01:00
Nikos Mavrogiannopoulos
585d29763d test-explicit-ip: Modified illegal checks for the new illegal addresses 2015-02-11 09:39:57 +01:00
Nikos Mavrogiannopoulos
57225a2c6a reserve the first address of the network to be set as the local part in our tun devices
That is used only when explicit IP addresses are set. That way we
don't need to separate addresses into odd and even.
2015-02-11 09:37:26 +01:00
Nikos Mavrogiannopoulos
0d999f5424 Added failure codes for proc_table_add() 2015-02-10 18:36:40 +01:00
Nikos Mavrogiannopoulos
85483e98e8 added hash table to search via 'real' SID 2015-02-10 18:33:02 +01:00
Nikos Mavrogiannopoulos
820de6a979 correctly renamed DTLS ID search functions 2015-02-10 18:14:34 +01:00
Nikos Mavrogiannopoulos
45b1f46265 doc update 2015-02-10 11:17:04 +01:00
Nikos Mavrogiannopoulos
952d6adc9c Added implicit accounting when explicit addresses are specified
Only odd IP addresses can now explicitly be set, so that the next
even address can be used as the local one.
2015-02-10 11:07:58 +01:00
Kevin Cernekee
2e757cedb2 Use distinct remote and local IPs when explicit_ipv[46] is specified
Currently the code sets the local interface IP to the same value as the
P-t-P IP:

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:192.168.63.1  P-t-P:192.168.63.1  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1341  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

This doesn't seem to get things routed correctly.  e.g. pinging 192.168.63.1
from the ocserv gateway just loops traffic back to the local machine instead
of pinging the client.

So instead we'll set LIP = RIP + 1.  This isn't terribly intuitive (an
administrator might try to number consecutive users 192.168.1.1, 192.168.1.2,
192.168.1.3, ...) but it's better than the current situation.  Maybe at some
point, fixed IPs should also make use of the hash table.
2015-02-10 10:43:49 +01:00
Nikos Mavrogiannopoulos
1e0af5c482 set cookie to expire when the last user disconnects 2015-02-10 09:10:00 +01:00
Kevin Cernekee
25cfd3b1db config: Use talloc_free() to free "route" strings
Adding redundant routes triggers a glibc assertion on startup.  The offending
config file contained:

    route = 192.168.1.0/255.255.255.0
    route = default

The assertion:

    # ./src/ocserv -c ocserv.conf -f
    *** Error in `./src/ocserv': munmap_chunk(): invalid pointer: 0x0000000001703470 ***
    Aborted (core dumped)

Fix this by calling the correct free() function.
2015-02-09 15:06:57 +01:00
Nikos Mavrogiannopoulos
35fae82538 document explicit-ipv? 2015-02-09 15:04:30 +01:00
Kevin Cernekee
71ff05cea7 Allow explicit-ipv4 / explicit-ipv6 addresses in per-user config files
If a machine is running remotely accessible services, it can be helpful
to assign a fixed IP address upon connection.
2015-02-09 11:32:24 +01:00
Kevin Cernekee
1545130237 main: Check chdir() return value
This fixes:

    main.c: In function ‘main’:
    main.c:1025:8: warning: ignoring return value of ‘chdir’, declared with attribute warn_unused_result [-Wunused-result]
       chdir(s->config->chroot_dir);
            ^
2015-02-09 11:31:52 +01:00
Kevin Cernekee
fbe55c23ef main: Fix unused variable warning on !HAVE_LIBSYSTEMD builds
This fixes:

      CC       main.o
    main.c: In function ‘listen_ports’:
    main.c:276:11: warning: unused variable ‘fds’ [-Wunused-variable]
      int ret, fds;
               ^
2015-02-09 11:31:18 +01:00
Nikos Mavrogiannopoulos
38206d6e93 eliminate double books for session expiration
Session expiration is now handled only by the security
module. That simplifies the logic significantly.
2015-02-09 11:25:48 +01:00
Nikos Mavrogiannopoulos
e82e1b8d68 delete client entry after message is sent 2015-02-09 10:57:40 +01:00
Nikos Mavrogiannopoulos
dcb7068c19 Before allowing the steal of leases, check that usernames match 2015-02-09 10:20:25 +01:00
Nikos Mavrogiannopoulos
905222fe6e corrected typo 2015-02-09 10:20:00 +01:00
Nikos Mavrogiannopoulos
ee81ffa10d when we detect user disconnection, set the proper expiration time on their cookies 2015-02-09 10:07:46 +01:00
Nikos Mavrogiannopoulos
b014f8e1ec test-cookie-timeout: verify that a forced kill will not alter the cookie's validity 2015-02-09 09:53:45 +01:00
Nikos Mavrogiannopoulos
1ce578a525 doc update 2015-02-06 20:05:35 +01:00
Nikos Mavrogiannopoulos
ffe9451367 be explicit that dbus support is incomplete 2015-02-06 14:09:44 +01:00
Nikos Mavrogiannopoulos
1a462c7ced doc update 2015-02-06 14:05:22 +01:00
Nikos Mavrogiannopoulos
bcea928abe Added support for no-routes (X-Split-Exclude) 2015-02-06 14:05:10 +01:00
Nikos Mavrogiannopoulos
5f34edaf31 only use libseccomp in x86 (64) and ARM 2015-02-05 17:50:27 +01:00
Nikos Mavrogiannopoulos
2651099b96 doc update 2015-02-05 17:47:53 +01:00
Nikos Mavrogiannopoulos
06b4f02679 doc update 2015-01-31 12:29:32 +01:00
Nikos Mavrogiannopoulos
4cd880cb2d updated package dependencies 2015-01-30 11:45:58 +01:00
Nikos Mavrogiannopoulos
ea79349bc5 Revert "tests: added test for broken seccomp"
This reverts commit 889d6ba0b7.
2015-01-30 00:41:53 +01:00
Nikos Mavrogiannopoulos
c4f5027a46 Revert "tests: only run the seccomp check if it was enabled"
This reverts commit 00a2caee36.
2015-01-30 00:41:50 +01:00
Nikos Mavrogiannopoulos
639514d1e1 seccomp: allow _newselect since it is called in x86 instead of select 2015-01-30 00:41:26 +01:00
Nikos Mavrogiannopoulos
df872c218d configure: specify that experimental are not recommended 2015-01-29 19:26:25 +01:00
Nikos Mavrogiannopoulos
777199ffb7 bumped version 2015-01-29 19:22:06 +01:00
Nikos Mavrogiannopoulos
7598e9dee2 rearrange supported options 2015-01-29 19:20:09 +01:00
Nikos Mavrogiannopoulos
b5d8547563 doc update 2015-01-29 19:12:03 +01:00
Nikos Mavrogiannopoulos
00a2caee36 tests: only run the seccomp check if it was enabled 2015-01-29 14:12:20 +01:00
Nikos Mavrogiannopoulos
2d06c2da56 doc update 2015-01-29 14:08:27 +01:00
Nikos Mavrogiannopoulos
889d6ba0b7 tests: added test for broken seccomp 2015-01-29 14:07:55 +01:00
Nikos Mavrogiannopoulos
55c54202e1 doc update 2015-01-28 19:04:08 +01:00
Nikos Mavrogiannopoulos
06dcdb8669 tests: added missing file 2015-01-28 18:57:49 +01:00