Nikos Mavrogiannopoulos
fe848ad153
replaced use-seccomp by isolate-workers
That, if enabled, includes the Linux namespaces restrictions into workers.
2015-01-15 10:25:23 +01:00
Nikos Mavrogiannopoulos
50f2fb88f6
simplify the input of IPv6 networks
The prefix is specified as part of the network.
2014-12-29 20:15:36 +02:00
Nikos Mavrogiannopoulos
35e93c6341
added option to send statistics periodically to sec-mod
2014-12-10 11:18:23 +01:00
Nikos Mavrogiannopoulos
766afb591a
Added support for reading user configuration from radius.
2014-12-09 15:38:27 +01:00
Nikos Mavrogiannopoulos
2194e11b39
Added support for radius authentication
2014-12-09 10:59:18 +01:00
Nikos Mavrogiannopoulos
baa3e4701e
Supplementary configuration is now read by the security module.
That allows sec-mod to handle both authentication and accounting.
That deprecates the session-control configuration option.
2014-12-08 13:52:28 +01:00
Nikos Mavrogiannopoulos
8365449e9b
deprecated ipv6_netmask
2014-12-08 10:48:25 +01:00
Nikos Mavrogiannopoulos
cb9dcde387
Notify the client that the server may have a dynamic DNS address
That is, send "X-CSTP-DynDNS: true" in the CSTP headers if the
server is configured as having a dynamic DNS address.
2014-11-30 11:30:08 +01:00
Nikos Mavrogiannopoulos
96b4d922e8
increased the SID_SIZE (cookie used during authentication phase) to 128 bits
2014-10-27 23:51:55 +01:00
Nikos Mavrogiannopoulos
5fa95fe9e7
send session information from worker to parent twice
That allows accounting for changes after DTLS is established (e.g.,
sending the DTLS ciphersuite name).
2014-10-27 23:49:33 +01:00
Nikos Mavrogiannopoulos
365ca267d4
added new authentication mode optional-certificate
That mode allows having only a specific group of users that are required
to present a certificate.
2014-09-24 12:41:31 +02:00
Nikos Mavrogiannopoulos
4ea5a56ace
Allow the CSTP layer to operate without TLS
That also introduces a unix domain socket under which connections to the
server can occur.
2014-09-23 16:08:29 +02:00
Nikos Mavrogiannopoulos
265e723cdb
send the IPv6 netmask in a way compatible with Cisco servers
2014-09-09 09:36:48 +02:00
Nikos Mavrogiannopoulos
c781bea7cd
user-profile is now allowed in per-user configuration
2014-07-31 14:57:09 +02:00
Nikos Mavrogiannopoulos
a144fde0e4
Eliminated the MAX_ROUTES requirement.
2014-06-25 10:05:34 +02:00
Nikos Mavrogiannopoulos
70623591d5
Seccomp is now compiled in by default, and can be enabled at run-time.
2014-06-12 15:35:45 +02:00
Nikos Mavrogiannopoulos
28dca2aa0c
Added support for session control (relevant for PAM for now)
That in effect will utilize pam_open_session() and pam_close_session().
It is disabled by default as it requires more resources from the security module.
2014-06-10 15:16:40 +02:00
Nikos Mavrogiannopoulos
01db3e5817
Include the SID into the cookie and store it in proc_st.
2014-06-10 10:41:10 +02:00
Nikos Mavrogiannopoulos
0a0b51ab37
Added work-around for openconnect v3.20
That version of openconnect requires a strict format for the
XML messages. Thus we send it what it expects.
2014-06-10 10:08:46 +02:00
Nikos Mavrogiannopoulos
3db871bb43
Do a more graceful termination of the client if main server closes the CMD fd.
2014-06-01 13:00:33 +02:00
Nikos Mavrogiannopoulos
25fbdfbf70
Keep track of cookies internally.
That allows restricting the cookie validity time to the absolute minimum
required to establish and reconnect a recently disconnected session.
That deprecates the cookie-validity option and introduces the cookie-timeout
option.
2014-05-27 16:00:57 +02:00
Nikos Mavrogiannopoulos
0586e4c5fa
Simplified the TLS hash table initialization.
2014-05-27 15:00:13 +02:00
Nikos Mavrogiannopoulos
7ba0fffb07
Added the configuration option deny-roaming.
That required moving the read of the group configuration during the
cookie authentication phase.
2014-05-25 10:17:28 +02:00
Nikos Mavrogiannopoulos
78132e2a6d
Added auto group listing on PAM authentication as well.
In addition, a configuration option to print group IDs over a
certain number was added.
2014-05-23 16:36:48 +02:00
Nikos Mavrogiannopoulos
28943341db
Added the proxy-url option to allow sending a proxy URL.
This corresponds to the X-CSTP-MSIE-Proxy-Pac-URL CSTP header.
2014-05-23 11:04:30 +02:00
Nikos Mavrogiannopoulos
177c1c95bd
Allow aliases to group names.
2014-05-21 12:25:26 +02:00
Nikos Mavrogiannopoulos
2668fe63b4
Added the default-select-group directive.
2014-05-19 20:00:35 +02:00
Nikos Mavrogiannopoulos
4755ee48c5
Added the select-group and auto-select-group config options.
These options allow prompting the user for a group prior to login.
In addition, that enhances the password file format: multiple groups
can be specified in a comma-separated list, as:
user:group1,group2,group3:$5$encodedpassword
2014-05-19 18:25:25 +02:00
Nikos Mavrogiannopoulos
788560b9ce
Added default-user-config and default-group-config configuration options.
These allow setting a configuration file that will be loaded if a
user-specific or group-specific configuration file isn't found.
2014-05-14 13:27:51 +02:00
Nikos Mavrogiannopoulos
3f9a215f53
Allow for random and for predictable IP assignment.
2014-05-14 13:00:11 +02:00
Nikos Mavrogiannopoulos
09704b8819
Password authentication is now delegated to sec-mod.
That prevents any memory from the authentication modules from being leaked
to a worker process. As a result, the statuses zombie and dead no longer
exist.
2014-05-14 11:37:01 +02:00
Nikos Mavrogiannopoulos
1465a5922c
Added no-udp group configuration option.
That option allows disabling UDP for specific users or groups.
2014-05-12 10:29:29 +02:00
Nikos Mavrogiannopoulos
522a9c35a4
Allow modifying the default occtl socket file.
2014-05-11 14:16:38 +02:00
Nikos Mavrogiannopoulos
b0e10065a0
Support for the unix socket is now configurable.
2014-05-09 16:12:37 +02:00
Nikos Mavrogiannopoulos
2a0cc77c2e
Export TUN device statistics from the worker process.
When a worker process terminates in authenticated state,
export statistics from the tun device (currently bytes_in and
bytes_out). These statistics are sent to the main process using an
informational message just prior to process exit. The statistics
are also exported to the disconnect script using the STATS_BYTES_IN
and STATS_BYTES_OUT environment variables.
2014-04-28 17:32:51 +02:00
Nikos Mavrogiannopoulos
95a0b6abc3
Added the rekey-method config option.
2014-02-22 12:51:34 +01:00
Nikos Mavrogiannopoulos
7b73aee479
when mobile-dpd and mobile-idle-timeout are not set, they get values from their non-mobile counterparts.
2014-02-18 19:39:37 +01:00
Nikos Mavrogiannopoulos
6ee0899e22
Added the mobile-idle-timeout config option.
2014-02-18 18:54:50 +01:00
Nikos Mavrogiannopoulos
367976ca34
Implemented Idle timeout.
When set, a client that does not have any non-control traffic
for that period gets disconnected.
2014-02-18 18:09:23 +01:00
Nikos Mavrogiannopoulos
2399aafe35
modified priorities
2014-02-18 13:11:38 +01:00
Nikos Mavrogiannopoulos
c5c38e92bd
Do not allow DPD to be disabled.
Doing so would prevent the server from dropping inactive
connections. If the dpd values are not configured, set some
reasonable defaults.
2014-02-17 22:40:32 +01:00
Nikos Mavrogiannopoulos
2bd6f5a6a1
Added the mobile-dpd configuration option.
This option allows setting a different DPD value for
mobile clients to allow them to sleep for a longer time.
2014-02-17 22:17:09 +01:00
Nikos Mavrogiannopoulos
be332174f8
Simplified debugging by allowing multiple levels.
'ocserv -d' now accepts a numeric option from 0 (no debugging) to 9
(maximum verbosity).
2014-02-17 20:19:39 +01:00
Nikos Mavrogiannopoulos
3b9971b7e8
Added support for the "new" type of IP6 support in AnyConnect.
If the client sends "X-CSTP-Full-IPv6-Capability: true", then we
use the headers:
X-CSTP-Address-IP6: 2001:db8:1000:1000::1/64
X-CSTP-Split-Include-IP6: 2001:db8:1000:1001::/64
X-CSTP-Split-Include-IP6: 2001:db8:1000:1002::/64
(see corresponding openconnect change)
2014-02-15 13:51:03 +01:00
Nikos Mavrogiannopoulos
c92925e727
Rekey time is now configurable and can be disabled.
2014-02-11 15:47:20 +01:00
Nikos Mavrogiannopoulos
91ceefb1f3
Added the split-dns config option.
2014-02-01 18:59:50 +01:00
Nikos Mavrogiannopoulos
311d5ddd20
Added configuration option to send custom headers to client.
2014-02-01 18:55:27 +01:00
Nikos Mavrogiannopoulos
0ec67882c0
Added support for multiple DNS and NBNS servers.
This patch also combines ipv4-dns and ipv6-dns options
that are now handled as aliases to dns.
A side-effect of this patch is that the local keyword is no
longer supported.
2014-02-01 14:50:52 +01:00
Nikos Mavrogiannopoulos
28e5d62f3f
The worker process receives the client's IPs from the main process.
That eliminates the need to read the IP address from the tun device
(which can be quite tricky to implement in a clean portable way).
2014-01-31 20:53:45 +01:00
Nikos Mavrogiannopoulos
fe927da089
corrected reading of IP addresses.
2014-01-29 18:27:57 +01:00