| author | David Sommerseth <dazo@users.sourceforge.net> | 2008-09-30 09:48:27 +0200 |
|---|---|---|
| committer | David Sommerseth <dazo@users.sourceforge.net> | 2008-09-30 09:48:27 +0200 |
| commit | 31cdce29bff7e76322df96219da9bfce0252eff8 (patch) | |
| tree | 44e6891a753dee283c5470e2b3d9a639bea7d885 | |
| parent | 5610e5c5ffd51202dd015242cd77ea89ec2600e2 (diff) | |
| parent | ec9b998524c979a06b0373d5e76e9a9b1da89396 (diff) | |
Merged in changes from masteralpha_0.8.1
| -rw-r--r-- | Makefile.global | 4 | ||||
| -rw-r--r-- | database/eurephiadb-driver_template.c | 40 | ||||
| -rw-r--r-- | database/sqlite/eurephiadb-sqlite.c | 18 | ||||
| -rw-r--r-- | database/sqlite/sql-schema.sql | 3 | ||||
| -rw-r--r-- | eurephia-auth.c | 25 | ||||
| -rw-r--r-- | eurephia.c | 190 | ||||
| -rw-r--r-- | eurephia_log.c | 28 | ||||
| -rw-r--r-- | eurephia_log.h | 9 | ||||
| -rw-r--r-- | eurephiadb_session.c | 9 | ||||
| -rw-r--r-- | firewall/iptables/efw_iptables.c | 8 |
10 files changed, 233 insertions, 101 deletions
diff --git a/Makefile.global b/Makefile.global index db60c0c..bce1ef1 100644 --- a/Makefile.global +++ b/Makefile.global @@ -8,8 +8,8 @@ DATABASE_DIR=${DRIVER_DIR} CFLAGS += -g -Wall INCLUDE += -I ${topdir} -I. -I${OPENVPN_SRC_DIR} -ifdef DEBUG - CFLAGS += -DENABLE_DEBUG +ifdef DEBUG + CFLAGS += -DENABLE_DEBUG # -DSHOW_SECRETS endif .SUFFIX=.c .o .so diff --git a/database/eurephiadb-driver_template.c b/database/eurephiadb-driver_template.c index 5bcea91..005afc7 100644 --- a/database/eurephiadb-driver_template.c +++ b/database/eurephiadb-driver_template.c @@ -105,13 +105,26 @@ int eDBconnect(eurephiaCTX *ctx, const int argc, const char **argv) eDBconn *dbc = NULL; int rc; - DEBUG(ctx, 10, "Function call: eDBconnect(ctx, %i, '%s')", argc, argv[1]); - - if( (argc != 1) || (argv[0] == NULL) || (strlen(argv[0]) < 1) ) { - eurephia_log(ctx, LOG_PANIC, 0, - "Wrong parameters to eurephia-auth (eDBconnect). Cannot open database."); - return 0; - } + /* WORK TO DO -- Parse arguments + * + * use what ever suitable approach to parse arguments sent to the database module. + * + * The arguments being recieved is everything after the '--' (double dash) + * in the 'plugin' configuration line for OpenVPN. + * + * plugin eurephia-auth.so "-i my_db_module.so -L 3 -- myparam1 myparam2 myparam3" + * + * In this example the following parameters will be available here: + * + * argc = 3 + * argv[0] = myparam1 + * argv[1] = myparam2 + * argv[2] = myparam3 + * + * You are free to use whatever parameter syntax you would like to use. + */ + + DEBUG(ctx, 10, "Function call: eDBconnect(ctx, %i, '...')", argc, dbame); // Connect to the database dbc = (eDBconn *) malloc(sizeof(eDBconn)+2); 
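Review bot: The rewritten DEBUG call in the template's eDBconnect hands two arguments, `argc` and `dbame`, to a format string that has a single `%i` conversion, and `dbame` is not declared anywhere in the hunk, so the template fails to compile as soon as ENABLE_DEBUG is set. Dropping the extra argument, `DEBUG(ctx, 10, "Function call: eDBconnect(ctx, %i, '...')", argc);`, matches the format and the surrounding "fill in your own parsing" intent. The hunk also removes the argc/argv validation that the sqlite driver keeps; the WORK TO DO comment should tell implementers to validate `argc` before reading `argv[]`, since the argument array built in eurephia.c may arrive without a NULL terminator when no module arguments are given. eDBconnect continues past the hunk.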
@@ -641,8 +654,12 @@ char *eDBget_sessionkey_seed(eurephiaCTX *ctx, const char *sessionseed) { } /* WORK TO DO -- DO SQL: - "SELECT sessionkey FROM openvpn_sessionkeys WHERE sessionseed = '%q'", - sessionseed + "SELECT sessionkey " + " FROM openvpn_sessionkeys " + " JOIN openvpn_lastlog USING (sessionkey)" + " WHERE sessionstatus IN (1,2)" + " AND sessionseed = '%q'", + sessionseed */ if( /* IF SQL QUERY FAILED */ ) { eurephia_log(ctx, LOG_CRITICAL, 0,"Could not retrieve sessionkey from openvpn_sessionkeys (%s)", @@ -665,7 +682,10 @@ char *eDBget_sessionkey_macaddr(eurephiaCTX *ctx, const char *macaddr) { /* WORK TO DO -- DO SQL: "SELECT sessionkey " " FROM openvpn_sessions " - " WHERE datakey = 'macaddr' AND dataval = '%q'", + " JOIN openvpn_lastlog USING (sessionkey)" + " WHERE sessionstatus = 3 " + " AND datakey = 'macaddr' " + " AND dataval = '%q'", macaddr */ if( /* IF SQL QUERY FAILED */ ) { diff --git a/database/sqlite/eurephiadb-sqlite.c b/database/sqlite/eurephiadb-sqlite.c index 04ee569..4fc7c5d 100644 --- a/database/sqlite/eurephiadb-sqlite.c +++ b/database/sqlite/eurephiadb-sqlite.c @@ -106,7 +106,7 @@ int eDBconnect(eurephiaCTX *ctx, const int argc, const char **argv) mwStatistics(3); #endif - DEBUG(ctx, 10, "Function call: eDBconnect(ctx, %i, '%s')", argc, argv[1]); + DEBUG(ctx, 10, "Function call: eDBconnect(ctx, %i, '%s')", argc, argv[0]); if( (argc != 1) || (argv[0] == NULL) || (strlen(argv[0]) < 1) ) { eurephia_log(ctx, LOG_PANIC, 0, "Wrong parameters to dblink-sqlite. Cannot open database."); 
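Review bot: In the sqlite eDBconnect the corrected DEBUG line still formats `argv[0]` with `%s` before the `(argc != 1) || (argv[0] == NULL)` check that follows it, so a plugin line with no module argument reaches vfprintf with a NULL (or, if the caller never terminated the array, indeterminate) pointer in ENABLE_DEBUG builds. Logging after the validation, or guarding the argument, `DEBUG(ctx, 10, "Function call: eDBconnect(ctx, %i, '%s')", argc, (argc > 0 && argv[0] != NULL) ? argv[0] : "(none)");`, keeps the trace without the undefined behaviour. eDBconnect continues past the hunk.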
@@ -116,11 +116,11 @@ int eDBconnect(eurephiaCTX *ctx, const int argc, const char **argv) // Connect to the database dbc = (eDBconn *) malloc(sizeof(eDBconn)+2); memset(dbc, 1, sizeof(eDBconn)+2); - dbc->dbname = strdup(argv[1]); + dbc->dbname = strdup(argv[0]); eurephia_log(ctx, LOG_INFO, 1, "Opening database '%s'", dbc->dbname); - rc = sqlite3_open(argv[1], (void *) &dbc->dbhandle); + rc = sqlite3_open(argv[0], (void *) &dbc->dbhandle); if( rc ) { eurephia_log(ctx, LOG_FATAL, 0, "Could not open database '%s'", dbc->dbname); free_nullsafe(dbc->dbname); @@ -615,7 +615,12 @@ char *eDBget_sessionkey_seed(eurephiaCTX *ctx, const char *sessionseed) { "eDBget_sessionkey: No session seed given - cannot locate sessionkey"); return NULL; } - res = sqlite_query(ctx, "SELECT sessionkey FROM openvpn_sessionkeys WHERE sessionseed = '%q'", + res = sqlite_query(ctx, + "SELECT sessionkey " + " FROM openvpn_sessionkeys " + " JOIN openvpn_lastlog USING (sessionkey)" + " WHERE sessionstatus IN (1,2)" + " AND sessionseed = '%q'", sessionseed); if( res == NULL ) { eurephia_log(ctx, LOG_CRITICAL, 0,"Could not retrieve sessionkey from openvpn_sessionkeys (%s)", @@ -639,7 +644,10 @@ char *eDBget_sessionkey_macaddr(eurephiaCTX *ctx, const char *macaddr) { res = sqlite_query(ctx, "SELECT sessionkey " " FROM openvpn_sessions " - " WHERE datakey = 'macaddr' AND dataval = '%q'", macaddr); + " JOIN openvpn_lastlog USING (sessionkey)" + " WHERE sessionstatus = 3 " + " AND datakey = 'macaddr' " + " AND dataval = '%q'", macaddr); if( res == NULL ) { eurephia_log(ctx, LOG_CRITICAL, 0, "Could not remove session from database (MAC addr: %s)", macaddr); diff --git a/database/sqlite/sql-schema.sql b/database/sqlite/sql-schema.sql index b677554..81d7ea4 100644 --- a/database/sqlite/sql-schema.sql +++ b/database/sqlite/sql-schema.sql 
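Review bot: The session states in the new queries, `sessionstatus IN (1,2)` in eDBget_sessionkey_seed and `sessionstatus = 3` in eDBget_sessionkey_macaddr, are bare literals, while the C side names these states (`SESSION_NEW` and `SESSION_EXISTING` appear in eurephiadb_session.c in this same commit); the template file repeats the same literals in its WORK TO DO comments. A one-line comment above each query, e.g. `// sessionstatus 1,2 / 3: see the SESSION_* constants; keep these literals in sync`, would stop the two representations drifting apart. In eDBget_sessionkey_macaddr the unchanged error text "Could not remove session from database" now sits under a SELECT and will mislead whoever reads the log. Both functions continue past their hunks.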
@@ -103,8 +103,9 @@ CREATE UNIQUE INDEX openvpn_attempts_remoteip ON openvpn_attempts(remoteip); CREATE TABLE openvpn_sessionkeys ( sessionseed varchar(128) NOT NULL, sessionkey varchar(128) NOT NULL, - PRIMARY KEY(sessionseed) + PRIMARY KEY(sessionkey) ); +CREATE INDEX opevpn_sessionkeys_seed ON openvpn_sessionkeys(sessionseed); CREATE TABLE openvpn_config ( datakey varchar(64) NOT NULL, diff --git a/eurephia-auth.c b/eurephia-auth.c index c4ac5b5..0be666d 100644 --- a/eurephia-auth.c +++ b/eurephia-auth.c @@ -56,7 +56,19 @@ static const char *plugin_type_name(const int type) return "(UNKNOWN PLUGIN CODE)"; } } -#endif + +static void dump_env(FILE *f, const char *prefix, const char *envp[]) { + int i; + for (i = 0; envp[i]; i++) { +#ifdef SHOW_SECRETS + fprintf(f, "%s%s\n", prefix, envp[i]); +#else + fprintf(f, "%s%s\n", prefix , + (strncmp(envp[i], "password=", 9) == 0) ? "password=xxxxxxx" : envp[i]); +#endif // SHOW_SECRETS + } +} +#endif // ENABLE_DEBUG // daemonize if "daemon" environment variable is set. @@ -65,9 +77,9 @@ static const char *plugin_type_name(const int type) // static void daemonize(const char *envp[]) { - const char *daemon_string = get_env(NULL, envp, "daemon"); + const char *daemon_string = get_env(NULL, 0, envp, "daemon"); if( daemon_string && daemon_string[0] == '1' ) { - const char *log_redirect = get_env(NULL, envp, "daemon_log_redirect"); + const char *log_redirect = get_env(NULL, 0, envp, "daemon_log_redirect"); int fd = -1; if( log_redirect && log_redirect[0] == '1' ) { fd = dup (2); @@ -123,6 +135,13 @@ OPENVPN_EXPORT int openvpn_plugin_func_v1(openvpn_plugin_handle_t handle, DEBUG(ctx, 10, "openvpn_plugin_func_v1(ctx, %s, ...)", plugin_type_name(type)); +#ifdef ENABLE_DEBUG + if( ctx->loglevel >= 30 ) { + dump_env(ctx->log, "ENV: ", envp); + dump_env(ctx->log, "ARG: ", argv); + } +#endif + switch( type ) { case OPENVPN_PLUGIN_TLS_VERIFY: result = eurephia_tlsverify(ctx, envp, argv[1]); 
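Review bot: The new index is named `opevpn_sessionkeys_seed`, dropping the "n" from the table it indexes; every other object in the file carries the `openvpn_` prefix, so `CREATE INDEX openvpn_sessionkeys_seed ON openvpn_sessionkeys(sessionseed);` keeps the naming consistent. Moving the primary key from sessionseed to sessionkey also lifts the uniqueness guarantee on sessionseed, so one seed may now map to several keys; the SELECT in eDBget_sessionkey_seed narrows by sessionstatus but adds no LIMIT, so presumably the caller takes the first row — a short comment on the table stating that a seed is expected to have at most one key in states 1 or 2 would record the invariant the C code relies on.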
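Review bot: `dump_env` writes with `fprintf(f, …)` without checking `f`, and the new call site in openvpn_plugin_func_v1 passes `ctx->log`, which eurephiaInit in this commit leaves NULL when the log destination is `none:`; with ENABLE_DEBUG and loglevel ≥ 30 that is a NULL FILE* dereference, whereas eurephia_log itself now guards on `ctx->log != NULL`. Guarding the call, `if( ctx->loglevel >= 30 && ctx->log != NULL ) {`, or adding `if( f == NULL ) return;` at the top of dump_env, closes the gap. The masking in dump_env only recognises an entry that begins with `password=`; worth a comment saying so, since every other entry of the OpenVPN environment is written verbatim. openvpn_plugin_func_v1 continues past the hunk.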
@@ -21,6 +21,7 @@ #include <stdarg.h> #include <stdlib.h> #include <string.h> +#include <getopt.h> #include <eurephiadb.h> #include <eurephiadb_driver.h> @@ -29,18 +30,17 @@ #include <eurephia_values.h> #include <certinfo.h> -#define MAX_ARGUMENTS 25 - +#define MAX_ARGUMENTS 64 // Get value of a environment variable -const char *get_env(eurephiaCTX *ctx, const char *envp[], const char *fmt, ... ) +const char *get_env(eurephiaCTX *ctx, int logmasking, const char *envp[], const char *fmt, ... ) { if (envp) { va_list ap; char key[384]; int keylen = 0; - int i; + int i, do_mask = 0; // Build up the key we are looking for memset(&key, 0, 384); @@ -53,10 +53,18 @@ const char *get_env(eurephiaCTX *ctx, const char *envp[], const char *fmt, ... ) if (!strncmp (envp[i], key, keylen)) { const char *cp = envp[i] + keylen; if (*cp == '=') { +#ifdef ENABLE_DEBUG +#ifdef SHOW_SECRETS + do_mask = 0; +#else + do_mask = logmasking; +#endif if( ctx != NULL ) { DEBUG(ctx, 23, "Function call: get_env(envp, '%s') == '%s'", - key, cp + 1); + key, (do_mask == 0 ? cp + 1 : "xxxxxxxxxxxxxx")); } +#endif + return cp + 1; } } 
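Review bot: In get_env, `do_mask` is declared on the `int i, do_mask = 0;` line but is only assigned and read inside the `#ifdef ENABLE_DEBUG` region, so non-debug builds get an unused-variable warning under the `-Wall` that Makefile.global sets, and the new `logmasking` parameter is likewise unused there. Moving the declaration inside the `#ifdef ENABLE_DEBUG` block, or adding `(void)logmasking;` for the non-debug build, keeps the build warning-free. The new parameter also deserves a line on the definition: `// logmasking: non-zero hides the value in DEBUG output unless built with SHOW_SECRETS`. get_env starts before and continues past this hunk.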
@@ -75,54 +83,93 @@ const char *get_env(eurephiaCTX *ctx, const char *envp[], const char *fmt, ... ) // 1 2 3 4..... eurephiaCTX *eurephiaInit(const char **argv) { + static struct option eurephia_opts[] = { + {"log-destination", required_argument, 0, 'l'}, + {"log-level", required_argument, 0, 'L'}, + {"database-interface", required_argument, 0, 'i'}, + {0, 0, 0 ,0} + }; + int argc = 0, error = 0, loglvl = 0, dbargc = 0; + const char *dbargv[MAX_ARGUMENTS]; + const char *fwintf = NULL, *logfile = NULL, *dbi = NULL; eurephiaCTX *ctx = NULL; - int argc = 0, error=0; - const char *dbargs[MAX_ARGUMENTS]; - const char *fwintf = NULL; - - // Count how many arguments we have, and copy - // db arguments from argc >= 3 - while( argv[argc] != NULL ) { - argc++; - if( (argc > 2) ) { - // Make a copy to the argument table - // when we have gotten our three first - // arguments for logging. - // These arguments in dbargs, will - // be sent directly to the - // eDBconnect(...) function - dbargs[argc-3] = argv[argc]; + + // + // Parse input arguments + // + + // Count arguments + for( argc = 0; argv[argc] != NULL; argc++ ) {} + + while(1) { + int opt_idx = 0; + int c = 0; + + c = getopt_long(argc, (char **)argv, "l:L:i:", eurephia_opts, &opt_idx); + if( c == -1 ) { + break; + } + + switch( c ) { + case 'l': + logfile = optarg; + break; + + case 'L': + loglvl = atoi_nullsafe(optarg); + break; + + case 'i': + dbi = optarg; + break; + + default: + fprintf(stderr, "Error parsing eurephia-auth arguments.\n"); + return NULL; + break; } } - - // We need at least 3 arguments - logfile, loglevel and db driver - if( argc < 3 ) { - return NULL; + + // Put the rest of the arguments into an own array which will be the db module arguments + if( optind < argc ) { + // copy arguments, but make sure we do not exceed our limit + while( (optind < argc) && (dbargc < MAX_ARGUMENTS) ) { + dbargv[dbargc] = argv[optind++]; + dbargc++; + dbargv[dbargc] = NULL; + } } + // End of argument parsing + // 
Prepare a context area for eurephia-auth ctx = (eurephiaCTX *) malloc(sizeof(eurephiaCTX)+2); memset(ctx, 0, sizeof(eurephiaCTX)+2); // Open a log file - if( strlen_nullsafe(argv[1]) > 0) { - if( strcmp(argv[1], "none") != 0 ) { - ctx->log = fopen(argv[1], "aw"); + if( logfile != NULL ) { + if( strcmp(logfile, "openvpn:") == 0 ) { // Let openvpn do the logging + ctx->log = stderr; + } else if( strcmp(logfile, "none:") == 0 ) { // Do not perform any logging + ctx->log = NULL; + } else { // if no hit on these ones,open a file with given name + ctx->log = fopen(logfile, "aw"); if( ctx->log == NULL ) { fprintf(stderr, "Could not open eurephia log file: %s\n", argv[1]); return NULL; } } } else { - ctx->log = fopen("/var/log/eurephia.log", "aw"); - error = (ctx->log == NULL); + // If no logging is given ... log to openvpn: + ctx->log = stderr; } // Set log verbosity - ctx->loglevel = atoi_nullsafe(argv[2]); + ctx->loglevel = loglvl; // Load the database driver - if( (error == 0) && eDBlink_init(ctx, argv[3]) ) { - if( !eDBconnect(ctx, argc-4, dbargs) ) { + if( (error == 0) && eDBlink_init(ctx, dbi) ) { + // Connect to the database + if( !eDBconnect(ctx, dbargc, dbargv) ) { eurephia_log(ctx, LOG_PANIC, 0, "Could not connect to the database"); error = 1; eDBlink_close(ctx); @@ -182,9 +229,14 @@ int eurephiaShutdown(eurephiaCTX *ctx) } if( ctx->log != NULL ) { - eurephia_log(ctx, LOG_INFO, 2, "Closing log file"); fflush(ctx->log); - fclose(ctx->log); + + // Do not close log file if we're on stdout or stderr + if( (ctx->log != stderr) && (ctx->log != stdout) ) { + eurephia_log(ctx, LOG_INFO, 2, "Closing log file"); + fclose(ctx->log); + } + ctx->log = NULL; ctx->loglevel = 0; } 
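Review bot: The argument-copy loop in eurephiaInit stores `dbargv[dbargc] = NULL` after incrementing, so when exactly MAX_ARGUMENTS trailing arguments are given dbargc reaches 64 and the terminator lands in `dbargv[64]`, one past the 64-element array — a stack write driven by the plugin configuration line — and when no trailing arguments are given the array is never terminated at all. Bounding the loop at `MAX_ARGUMENTS - 1` and initialising the array with `= { NULL }` fixes both cases. Two smaller issues in the same hunk: the log-open failure message still prints `argv[1]` instead of `logfile`, and that `return NULL` leaks the freshly allocated `ctx`. `getopt_long` also relies on the global `optind`, and this code runs inside the OpenVPN process, so resetting `optind = 1` before the loop avoids inheriting scan state from any earlier getopt use in the host — worth confirming whether OpenVPN itself ever calls getopt. eurephiaInit continues past the hunk.
```c
    const char *dbargv[MAX_ARGUMENTS] = { NULL };
    // … unchanged: option table, remaining declarations, argument count …
    optind = 1;   // getopt state is global; start from the first plugin argument
    while(1) {
    // … unchanged: getopt_long loop …
    if( optind < argc ) {
        // copy arguments, leaving room for the terminating NULL
        while( (optind < argc) && (dbargc < MAX_ARGUMENTS - 1) ) {
            dbargv[dbargc++] = argv[optind++];
            dbargv[dbargc] = NULL;
        }
    }
    // … unchanged: context allocation, log destination selection …
            if( ctx->log == NULL ) {
                fprintf(stderr, "Could not open eurephia log file: %s\n", logfile);
                free(ctx);
                return NULL;
            }
```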
@@ -203,14 +255,14 @@ int eurephia_tlsverify(eurephiaCTX *ctx, const char **env, const char *depth) DEBUG(ctx, 21, "** Function call: eurephia_tlsverify(...)"); // Check if IP address is blacklisted - ipaddr = (char *) get_env(ctx, env, "untrusted_ip"); + ipaddr = (char *) get_env(ctx, 0, env, "untrusted_ip"); if( eDBblacklist_check(ctx, attempt_IPADDR, ipaddr) == 1 ) { eDBregister_attempt(ctx, attempt_IPADDR, ATTEMPT_REGISTER, ipaddr); return 0; } // Check if certificate digest is blacklisted - tls_digest = (char *) get_env(ctx, env, "tls_digest_%s", depth); + tls_digest = (char *) get_env(ctx, 0, env, "tls_digest_%s", depth); if( eDBblacklist_check(ctx, attempt_CERTIFICATE, tls_digest) == 1 ) { eDBregister_attempt(ctx, attempt_IPADDR, ATTEMPT_REGISTER, ipaddr); eDBregister_attempt(ctx, attempt_CERTIFICATE, ATTEMPT_REGISTER, tls_digest); @@ -218,7 +270,7 @@ int eurephia_tlsverify(eurephiaCTX *ctx, const char **env, const char *depth) } // Check if certificate is registered and allowed - tls_id = (char *) get_env(ctx, env, "tls_id_%s", depth); + tls_id = (char *) get_env(ctx, 0, env, "tls_id_%s", depth); ci = parse_tlsid(tls_id); result = eDBauth_TLS(ctx, ci->org, ci->common_name, ci->email, tls_digest, depth); if( result < 1 ) { 
@@ -248,14 +300,14 @@ int eurephia_userauth(eurephiaCTX *ctx, const char **env) // Check if IP address is blacklisted - ipaddr = (char *) get_env(ctx, env, "untrusted_ip"); + ipaddr = (char *) get_env(ctx, 0, env, "untrusted_ip"); if( eDBblacklist_check(ctx, attempt_IPADDR, ipaddr) == 1 ) { eDBregister_attempt(ctx, attempt_IPADDR, ATTEMPT_REGISTER, ipaddr); return 0; } // Check if certificate digest is blacklisted - tls_digest = (char *) get_env(ctx, env, "tls_digest_0"); + tls_digest = (char *) get_env(ctx, 0, env, "tls_digest_0"); if( eDBblacklist_check(ctx, attempt_CERTIFICATE, tls_digest) == 1 ) { eDBregister_attempt(ctx, attempt_IPADDR, ATTEMPT_REGISTER, ipaddr); eDBregister_attempt(ctx, attempt_CERTIFICATE, ATTEMPT_REGISTER, tls_digest); @@ -263,7 +315,7 @@ int eurephia_userauth(eurephiaCTX *ctx, const char **env) } // Check if username is blacklisted - username = (char *) get_env(ctx, env, "username"); + username = (char *) get_env(ctx, 0, env, "username"); if( eDBblacklist_check(ctx, attempt_USERNAME, username) == 1 ) { eDBregister_attempt(ctx, attempt_IPADDR, ATTEMPT_REGISTER, ipaddr); eDBregister_attempt(ctx, attempt_CERTIFICATE, ATTEMPT_REGISTER, tls_digest); @@ -272,7 +324,7 @@ int eurephia_userauth(eurephiaCTX *ctx, const char **env) } // Get certificate ID - tls_id = (char *) get_env(ctx, env, "tls_id_0"); + tls_id = (char *) get_env(ctx, 0, env, "tls_id_0"); ci = parse_tlsid(tls_id); certid = eDBauth_TLS(ctx, ci->org, ci->common_name, ci->email, tls_digest, "0"); if( certid < 1 ) { @@ -285,7 +337,7 @@ int eurephia_userauth(eurephiaCTX *ctx, const char **env) free_certinfo(ci); // Do username/password/certificate authentication - passwd = (char *)get_env(ctx, env, "password"); + passwd = (char *)get_env(ctx, 1, env, "password"); result = eDBauth_user(ctx, certid, username, passwd); if( result < 1 ) { eDBregister_attempt(ctx, attempt_IPADDR, ATTEMPT_REGISTER, ipaddr); 
@@ -314,15 +366,15 @@ int eurephia_connect(eurephiaCTX *ctx, const char **env) { DEBUG(ctx, 21, "** Function call: eurephia_connect(...)"); // Fetch needed info - digest = get_env(ctx, env, "tls_digest_0"); - tlsid = get_env(ctx, env, "tls_id_0"); - cname = get_env(ctx, env, "common_name"); - uname = get_env(ctx, env, "username"); - vpnipaddr = get_env(ctx, env, "ifconfig_pool_remote_ip"); - vpnipmask = get_env(ctx, env, "ifconfig_pool_netmask"); - remipaddr = get_env(ctx, env, "trusted_ip"); - remport = get_env(ctx, env, "trusted_port"); - proto = get_env(ctx, env, "proto_1"); + digest = get_env(ctx, 0, env, "tls_digest_0"); + tlsid = get_env(ctx, 0, env, "tls_id_0"); + cname = get_env(ctx, 0, env, "common_name"); + uname = get_env(ctx, 0, env, "username"); + vpnipaddr = get_env(ctx, 0, env, "ifconfig_pool_remote_ip"); + vpnipmask = get_env(ctx, 0, env, "ifconfig_pool_netmask"); + remipaddr = get_env(ctx, 0, env, "trusted_ip"); + remport = get_env(ctx, 0, env, "trusted_port"); + proto = get_env(ctx, 0, env, "proto_1"); // Get a session ticket session = eDBopen_session_seed(ctx, digest, cname, uname, vpnipaddr, vpnipmask, remipaddr, remport); 
@@ -359,16 +411,16 @@ int eurephia_disconnect(eurephiaCTX *ctx, const char **env) { DEBUG(ctx, 21, "** Function call: eurephia_disconnect(...)"); // Fetch needed info - digest = get_env(ctx, env, "tls_digest_0"); - cname = get_env(ctx, env, "common_name"); - uname = get_env(ctx, env, "username"); - vpnipaddr = get_env(ctx, env, "ifconfig_pool_remote_ip"); - vpnipmask = get_env(ctx, env, "ifconfig_pool_netmask"); - remipaddr = get_env(ctx, env, "trusted_ip"); - remport = get_env(ctx, env, "trusted_port"); - bytes_sent= get_env(ctx, env, "bytes_sent"); - bytes_rec = get_env(ctx, env, "bytes_received"); - duration = get_env(ctx, env, "time_duration"); + digest = get_env(ctx, 0, env, "tls_digest_0"); + cname = get_env(ctx, 0, env, "common_name"); + uname = get_env(ctx, 0, env, "username"); + vpnipaddr = get_env(ctx, 0, env, "ifconfig_pool_remote_ip"); + vpnipmask = get_env(ctx, 0, env, "ifconfig_pool_netmask"); + remipaddr = get_env(ctx, 0, env, "trusted_ip"); + remport = get_env(ctx, 0, env, "trusted_port"); + bytes_sent= get_env(ctx, 0, env, "bytes_sent"); + bytes_rec = get_env(ctx, 0, env, "bytes_received"); + duration = get_env(ctx, 0, env, "time_duration"); // Get a session ticket session = eDBopen_session_seed(ctx, digest, cname, uname, vpnipaddr, vpnipmask, remipaddr, remport); 
@@ -403,13 +455,13 @@ int eurephia_learn_address(eurephiaCTX *ctx, const char *mode, const char *macad if( strncmp(mode, "add", 3) == 0 ) { // Fetch needed info - digest = get_env(ctx, env, "tls_digest_0"); - cname = get_env(ctx, env, "common_name"); - uname = get_env(ctx, env, "username"); - vpnipaddr = get_env(ctx, env, "ifconfig_pool_remote_ip"); - vpnipmask = get_env(ctx, env, "ifconfig_pool_netmask"); - remipaddr = get_env(ctx, env, "trusted_ip"); - remport = get_env(ctx, env, "trusted_port"); + digest = get_env(ctx, 0, env, "tls_digest_0"); + cname = get_env(ctx, 0, env, "common_name"); + uname = get_env(ctx, 0, env, "username"); + vpnipaddr = get_env(ctx, 0, env, "ifconfig_pool_remote_ip"); + vpnipmask = get_env(ctx, 0, env, "ifconfig_pool_netmask"); + remipaddr = get_env(ctx, 0, env, "trusted_ip"); + remport = get_env(ctx, 0, env, "trusted_port"); // Get a session ticket session = eDBopen_session_seed(ctx, digest, cname, uname, vpnipaddr, vpnipmask, diff --git a/eurephia_log.c b/eurephia_log.c index b1e7634..a598278 100644 --- a/eurephia_log.c +++ b/eurephia_log.c @@ -20,6 +20,8 @@ #include <stdio.h> #include <stdarg.h> +#include <string.h> +#include <time.h> #include "eurephia_struct.h" #include "eurephia_log.h" 
@@ -37,14 +39,34 @@ const char *erp_logtypes[] = { // Simple log function ... Write log data to the context log file void eurephia_log(eurephiaCTX *ctx, int logdst, int loglvl, const char *fmt, ... ) { - // Only log info which is according to the log level set in the context - if( ctx->loglevel >= loglvl ) { + + // Only log if we have an open log file and which has high enough log level + if( (ctx->log != NULL) && (ctx->loglevel >= loglvl) ) { va_list ap; + char tstmp_str[200]; + time_t tstmp; + struct tm *loctstmp; + + // Get timestamp + memset(&tstmp_str, 0, 200); + tstmp = time(NULL); + loctstmp = localtime(&tstmp); + if( loctstmp != NULL ) { + if( strftime(tstmp_str, 198, "%Y-%m-%d %H:%M:%S %Z", loctstmp) == 0 ) { + snprintf(tstmp_str, 198, "(error getting timestamp string)"); + } + } else { + snprintf(tstmp_str, 198, "(error getting timestamp)"); + } + + // FIXME: Introduce pthread mutex locking to avoid processes writing to the log at the same time + va_start(ap, fmt); - fprintf(ctx->log, "%s [%i] ", erp_logtypes[logdst], loglvl); + fprintf(ctx->log, "[%s] %s [%i] ", tstmp_str, erp_logtypes[logdst], loglvl); vfprintf(ctx->log, fmt, ap); fprintf(ctx->log, "\n"); fflush(ctx->log); + va_end(ap); } } diff --git a/eurephia_log.h b/eurephia_log.h index 33f4a59..5bc4654 100644 --- a/eurephia_log.h +++ b/eurephia_log.h 
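Review bot: eurephia_log now calls `localtime()`, which returns a pointer to static storage shared by every caller; the hunk's own FIXME anticipates several writers hitting the log at once, and in that scenario the `struct tm` can be overwritten between the `localtime` call and the `strftime` that reads it. Using a local `struct tm loctm;` with `localtime_r(&tstmp, &loctm)` (POSIX) and passing `&loctm` to strftime removes the shared state. The bare sizes 200 and 198 on the buffer, memset, strftime and snprintf lines are easier to keep in step as `sizeof tstmp_str`. The unchanged `erp_logtypes[logdst]` index is still taken from the caller without a range check; eurephia_log ends at the hunk's last line.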
@@ -32,14 +32,17 @@ #define LOG_PANIC 7 #ifdef ENABLE_DEBUG -#warning ################################################################ -#warning ## DEBUG LOGGING IS ENABLED - THIS COULD BE AN SECURITY ISSUE ## -#warning ################################################################ +#warning ###### DEBUG LOGGING IS ENABLED - THIS COULD BE AN SECURITY ISSUE ###### #define DEBUG(ctx, lvl, rest...) eurephia_log(ctx, LOG_DEBUG, lvl, ## rest); #else #define DEBUG(ctx, lvl, rest...) {}; #endif +#ifdef SHOW_SECRETS +#warning ##################################################################################################### +#warning ## DEBUG LOGGING WITH SHOW_SECRETS IS ENABLED - THIS WILL PUT PASSWORDS IN CLEAR TEXT IN LOG FILES ## +#warning ##################################################################################################### +#endif void eurephia_log(eurephiaCTX *ctx, int logdst, int loglvl, const char *fmt, ... ); #endif /* !EUREPHIA_LOG_H_ */ diff --git a/eurephiadb_session.c b/eurephiadb_session.c index fc64971..1c9b831 100644 --- a/eurephiadb_session.c +++ b/eurephiadb_session.c @@ -287,7 +287,14 @@ eurephiaSESSION *eDBopen_session_seed(eurephiaCTX *ctx, const char *digest, } // Save this session key in the database and connect it to this session seed - eDBregister_sessionkey(ctx, seed, new_session->sessionkey); + if( eDBregister_sessionkey(ctx, seed, new_session->sessionkey) == 0) { + eurephia_log(ctx, LOG_FATAL, 0, "Could not register sessionkey"); + free_nullsafe(new_session->sessionkey); + free_nullsafe(new_session); + free_nullsafe(seeddata); + free_nullsafe(seed); + return NULL; + }; new_session->sessionstatus = SESSION_NEW; } else { new_session->sessionstatus = SESSION_EXISTING; diff --git a/firewall/iptables/efw_iptables.c b/firewall/iptables/efw_iptables.c index c82095a..343df9a 100644 --- a/firewall/iptables/efw_iptables.c +++ b/firewall/iptables/efw_iptables.c 
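Review bot: The closing brace of the new failure branch in eDBopen_session_seed is followed by a stray semicolon, `};`, which is an empty statement and reads as a typo; drop it. The branch frees `new_session->sessionkey`, `new_session`, `seeddata` and `seed`, but whether the function's other exits release the same set, and whether `seed` is heap-owned here, is outside the hunk, so it is worth checking that this path neither leaks what the success path frees nor double-frees something the caller releases. A comment on the branch such as `// registration failed: undo everything allocated above and report no session` would make the ownership explicit. eDBopen_session_seed starts before and continues past the hunk.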
@@ -82,7 +82,7 @@ void eFW_RunFirewall(void *fwargs) { if( ! res ) { quit = 1; eurephia_log(ctx, LOG_FATAL, 0, - "eFW_RunFirewall: Invalid message on message queue, quiting"); + "eFW_RunFirewall: Failed updating iptables"); } } } @@ -148,7 +148,7 @@ int process_input(eurephiaCTX *ctx, const char *fwcmd, const char *input) { iptables_args[8] = jump; iptables_args[9] = NULL; - DEBUG(ctx, 23, "eFW_RunFirewall::process_input parsing " + eurephia_log(ctx, LOG_INFO, 2, "eFW_RunFirewall - updating iptables rules " "==> mode: %s macaddr: '%s' destchain: '%s' jump: '%s'", (mode[1] == 'A' ? "ADD":"DELETE"), macaddr, destchain, jump); break; @@ -157,7 +157,7 @@ int process_input(eurephiaCTX *ctx, const char *fwcmd, const char *input) { destchain = msg; iptables_args[2] = destchain; - DEBUG(ctx, 23, "eFW_RunFirewall::process_input parsing " + eurephia_log(ctx, LOG_INFO, 2, "eFW_RunFirewall - updating iptables rules " "==> mode: FLUSH destchain: '%s'", destchain); break; @@ -187,7 +187,7 @@ int process_input(eurephiaCTX *ctx, const char *fwcmd, const char *input) { "eFW_RunFirewall::process_input: Failed to wait for process for %s" " to complete (%s)", fwcmd, strerror(errno)); } - DEBUG(ctx, 23, "eFW_RunFirewall::process_input iptables exited with code: %i ", cmdret); + eurephia_log(ctx, LOG_INFO, 4, "eFW_RunFirewall - iptables exited with code: %i ", cmdret); } return 1; } |
