authorDavid Sommerseth <dazo@users.sourceforge.net>2009-01-03 21:53:07 +0100
committerDavid Sommerseth <dazo@users.sourceforge.net>2009-01-03 21:53:07 +0100
commit8a0b87ab7e99af1700aa80cb54373b68864eb0d4 (patch)
tree54e05e1eb91efffb5268dce49368e756ed58d7a7 /plugin/eurephiadb_session.c
parent241b14d771d247127508cf7b20f833b9dbe0abda (diff)
Introduced password caching on authenticated sessions
This prepares the eurephia-auth plugin to use other, more CPU-intensive hashing algorithms for passwords. In addition, open sessions will no longer be rejected/closed due to a wrong password if the user changes the password while a session is open. The patch adds a new server_salt attribute to the eurephiaCTX structure. This is used as a temporary salt and is created from random data when OpenVPN is started. When a user is being authenticated (eurephia.c/eurephia_userauth), an authentication session (not the same as a 'normal' session) is opened and checked for a cached password. If it does not exist or does not match, the normal password check is done against the user database. If a cached password is found and matches, the user is considered authenticated. The cached password uses the SHA512 algorithm, together with eurephiaCTX->server_salt.
Diffstat (limited to 'plugin/eurephiadb_session.c')
-rw-r--r--plugin/eurephiadb_session.c11
1 files changed, 8 insertions, 3 deletions
diff --git a/plugin/eurephiadb_session.c b/plugin/eurephiadb_session.c
index a9c886c..8ae338c 100644
--- a/plugin/eurephiadb_session.c
+++ b/plugin/eurephiadb_session.c
@@ -34,7 +34,7 @@
// Also defined in the eurephiadb_driver.h, but not as extern.
-extern char *(*eDBget_sessionkey_seed) (eurephiaCTX *ctx, const char *sessionseed);
+extern char *(*eDBget_sessionkey_seed) (eurephiaCTX *ctx, sessionType type, const char *sessionseed);
extern char *(*eDBget_sessionkey_macaddr) (eurephiaCTX *ctx, const char *macaddr);
extern int (*eDBcheck_sessionkey_uniqueness) (eurephiaCTX *ctx, const char *seskey);
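Review bot: The function-pointer declaration on the `+extern` line duplicates the one in eurephiadb_driver.h, as the comment above it concedes, and this commit shows the cost: the signature had to be changed in two places, and if the two ever diverge the call through `eDBget_sessionkey_seed(ctx, new_session->type, seed)` further down would invoke the pointer with a mismatched prototype, which is undefined behaviour and fails silently rather than at compile time. Prefer including the header, or moving the declaration into one shared header with `extern` there, so the compiler checks the type in a single place. If the duplicate must stay, pin it with a comment such as `// Must match the declaration in eurephiadb_driver.h exactly (argument types included)`.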
@@ -66,10 +66,13 @@ eurephiaSESSION *eDBopen_session_seed(eurephiaCTX *ctx, const char *digest,
}
memset(new_session, 0, sizeof(eurephiaSESSION) + 2);
+ // Session type is stSESSION if we do have VPN address and/or netmask
+ new_session->type = ((vpnipaddr == NULL) && (vpnipmask == NULL) ? stAUTHENTICATION : stSESSION);
+
// Build up a string containing all elements for the session seed
totlen = strlen_nullsafe(digest) + strlen_nullsafe(cname) + strlen_nullsafe(username)
+ strlen_nullsafe(vpnipaddr) + strlen_nullsafe(vpnipmask) + strlen_nullsafe(remipaddr)
- + strlen_nullsafe(remport) + 5; // +5 == len(pid)
+ + strlen_nullsafe(remport) + 20; // +5 == len(pid) + 15 extra buffer if some strings are (null)
seeddata = (char *) malloc((totlen * 2) + 4);
if( seeddata == NULL ) {
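Review bot: The size estimate on the `totlen` line is a guess rather than a bound: `+5 == len(pid)` undercounts PIDs on systems whose pid_max exceeds 99999 (Linux permits up to 4194304), and the `+15 extra buffer if some strings are (null)` slack suggests the seed is later formatted with `%s` on possibly-NULL arguments, which glibc happens to print as `(null)` but is undefined behaviour in standard C. Since strlen_nullsafe already treats NULL as length 0, the formatting step should substitute an explicit empty string for NULL pointers and the buffer should be sized from what is actually written — for example via `snprintf(NULL, 0, ...)` first, or by checking the return value of the snprintf that fills `seeddata` for truncation — instead of a fixed slack that the `(totlen * 2) + 4` allocation then silently pads further. The formatting code and the rest of eDBopen_session_seed lie outside this hunk, so the `(null)` inference is from the comment alone. At minimum the comment should say what the number means, e.g. `// +20: room for the pid digits plus slack when some inputs are NULL`.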
@@ -108,7 +111,7 @@ eurephiaSESSION *eDBopen_session_seed(eurephiaCTX *ctx, const char *digest,
DEBUG(ctx, 13, "Using session seed '%s'", seed);
// Try to retrieve the sessionkey from the database, based on the session seed
- new_session->sessionkey = eDBget_sessionkey_seed(ctx, seed);
+ new_session->sessionkey = eDBget_sessionkey_seed(ctx, new_session->type, seed);
if( new_session->sessionkey == NULL ) {
// ... if we do not find a sessionkey ... lets generate one
int rndlen = 0;
@@ -236,6 +239,8 @@ eurephiaSESSION *eDBopen_session_macaddr(eurephiaCTX *ctx, const char *macaddr)
}
memset(new_session, 0, sizeof(eurephiaSESSION) + 2);
+ new_session->type = stSESSION; // When we have macaddr - this is a stSESSION type of session
+
// Get the sessionkey from the database
new_session->sessionkey = eDBget_sessionkey_macaddr(ctx, macaddr);
if( new_session->sessionkey == NULL ) {