authorDavid Sommerseth <dazo@users.sourceforge.net>2009-01-03 21:53:07 +0100
committerDavid Sommerseth <dazo@users.sourceforge.net>2009-01-03 21:53:07 +0100
commit8a0b87ab7e99af1700aa80cb54373b68864eb0d4 (patch)
tree54e05e1eb91efffb5268dce49368e756ed58d7a7 /database/sqlite/edb-sqlite.c
parent241b14d771d247127508cf7b20f833b9dbe0abda (diff)
Introduced password caching on authenticated sessions
This is to prepare the eurephia-auth plugin to use other, more CPU-intensive hashing algorithms for passwords. In addition, open sessions will no longer be rejected/closed due to a wrong password if the user changes the password while a session is open. The patch adds a new server_salt attribute to the eurephiaCTX structure. This is used as a temporary salt and is created from random data when OpenVPN is started. When a user is being authenticated (eurephia.c/eurephia_userauth), an authentication session (not the same as a 'normal' session) is opened and checked for a cached password. If it does not exist or does not match, the normal password check is done against the user database. If a cached password is found and matches, the user is considered authenticated. The cached password uses the SHA512 algorithm, together with the eurephiaCTX->server_salt.
Diffstat (limited to 'database/sqlite/edb-sqlite.c')
-rw-r--r--database/sqlite/edb-sqlite.c62
1 files changed, 43 insertions, 19 deletions
diff --git a/database/sqlite/edb-sqlite.c b/database/sqlite/edb-sqlite.c
index 5b8073c..ef05536 100644
--- a/database/sqlite/edb-sqlite.c
+++ b/database/sqlite/edb-sqlite.c
@@ -608,24 +608,44 @@ int eDBregister_logout(eurephiaCTX *ctx, eurephiaSESSION *skey,
// Retrieve a session key from openvpn_sessionkeys if it is a current session. Session seed is used
// as criteria
-char *eDBget_sessionkey_seed(eurephiaCTX *ctx, const char *sessionseed) {
+char *eDBget_sessionkey_seed(eurephiaCTX *ctx, sessionType sesstype, const char *sessionseed) {
dbresult *res = NULL;
char *skey = NULL;
- DEBUG(ctx, 20, "eDBget_sessionkey(ctx, '%s')", sessionseed);
+ DEBUG(ctx, 20, "eDBget_sessionkey_seed(ctx, %i, '%s')", sesstype, sessionseed);
if( sessionseed == NULL ) {
eurephia_log(ctx, LOG_FATAL, 1,
"eDBget_sessionkey: No session seed given - cannot locate sessionkey");
return NULL;
}
- res = sqlite_query(ctx,
- "SELECT sessionkey "
- " FROM openvpn_sessionkeys "
- " JOIN openvpn_lastlog USING (sessionkey)"
- " WHERE sessionstatus IN (1,2)"
- " AND sessionseed = '%q'",
- sessionseed);
+
+ switch( sesstype ) {
+ case stSESSION:
+ res = sqlite_query(ctx,
+ "SELECT sessionkey "
+ " FROM openvpn_sessionkeys "
+ " JOIN openvpn_lastlog USING (sessionkey)"
+ " WHERE sessionstatus IN (1,2)"
+ " AND sessionseed = '%q'",
+ sessionseed);
+ break;
+
+ case stAUTHENTICATION:
+ res = sqlite_query(ctx,
+ "SELECT sessionkey"
+ " FROM openvpn_sessionkeys"
+ " LEFT JOIN openvpn_lastlog USING(sessionkey)"
+ " WHERE sessionstatus IS NULL"
+ " AND sessionseed = '%q'",
+ sessionseed);
+ break;
+
+ default:
+ eurephia_log(ctx, LOG_ERROR, 0, "Invalid session type: %i", sesstype);
+ return NULL;
+ }
+
if( res == NULL ) {
eurephia_log(ctx, LOG_FATAL, 0,"Could not retrieve sessionkey from openvpn_sessionkeys (%s)",
sessionseed);
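Review bot: The header comment on the first two lines of the hunk still describes only the current-session lookup, while the new sesstype parameter now selects between two different queries; I would replace it with `// Retrieve a session key from openvpn_sessionkeys by session seed. stSESSION matches keys whose lastlog sessionstatus is 1 or 2; stAUTHENTICATION matches keys with no lastlog sessionstatus (IS NULL after the LEFT JOIN).` Note that with a LEFT JOIN `sessionstatus IS NULL` holds both when no openvpn_lastlog row exists for the key and when a row exists whose sessionstatus column is NULL — if only the former is meant for authentication sessions, that is worth stating in the comment or tightening in the query. The error message after the NULL-seed check still carries the old prefix even though the DEBUG line was renamed, so `"eDBget_sessionkey_seed: No session seed given - cannot locate sessionkey"` would keep the log output consistent. The default branch logs at LOG_ERROR while the NULL-seed path uses LOG_FATAL for a comparable caller error; choosing one level keeps the function's error style uniform. eDBget_sessionkey_seed's body continues past the end of the hunk.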
@@ -644,6 +664,8 @@ char *eDBget_sessionkey_macaddr(eurephiaCTX *ctx, const char *macaddr) {
dbresult *res = NULL;
char *skey = NULL;
+ DEBUG(ctx, 20, "eDBget_sessionkey_macaddr(ctx, '%s')", macaddr);
+
// Find sessionkey from MAC address
res = sqlite_query(ctx,
"SELECT sessionkey "
@@ -855,17 +877,19 @@ int eDBdestroy_session(eurephiaCTX *ctx, eurephiaSESSION *session) {
return 1;
}
- // Update session status
- res = sqlite_query(ctx,
- "UPDATE openvpn_lastlog "
- " SET sessionstatus = 4, session_deleted = CURRENT_TIMESTAMP "
- " WHERE sessionkey = '%q' AND sessionstatus = 3", session->sessionkey);
- if( res == NULL ) {
- eurephia_log(ctx, LOG_FATAL, 0,
- "Could not update session status in lastlog (%s))", session->sessionkey);
- return 0;
+ // Update session status - if we have a "real" session (not auth-session)
+ if( session->type == stSESSION ) {
+ res = sqlite_query(ctx,
+ "UPDATE openvpn_lastlog "
+ " SET sessionstatus = 4, session_deleted = CURRENT_TIMESTAMP "
+ " WHERE sessionkey = '%q' AND sessionstatus = 3", session->sessionkey);
+ if( res == NULL ) {
+ eurephia_log(ctx, LOG_FATAL, 0,
+ "Could not update session status in lastlog (%s))", session->sessionkey);
+ return 0;
+ }
+ sqlite_free_results(res);
}
- sqlite_free_results(res);
// Delete session variables
res = sqlite_query(ctx, "DELETE FROM openvpn_sessions WHERE sessionkey = '%q'", session->sessionkey);