| Commit message | Author | Age | Files | Lines |
- SSLAPI_OPENSSL isn't available in this version. Print a warning
during compile time that OpenVPN must be compiled against OpenSSL.
If OpenVPN is not compiled against OpenSSL, it may most likely crash.
OpenVPN 2.3.2 and below can be compiled against PolarSSL and does
not contain the needed arguments->ssl_api variable to identify
SSL implementation at runtime.
- Bug: When moving the certificate information extraction to
openvpn_plugin_func_v1(), the certificate level was not
extracted correctly. It needs to be converted to an integer.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
This can authenticate username/passwords via a file socket to
an authentication service.
A simple authentication service written in Python is added as well.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
If the tunnel type was detected and an understandable device name
was found, the local devtype was not freed at all.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
As the X.509 certificate data isn't available when the certificate has been
validated, save the parsed certificate information in the per-client-context
OpenVPN provides in the v3 plug-in API.
When the client disconnects, the certificate information and per-client-context
buffer are released as well.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
OpenVPN
In the OpenVPN plug-in v3 API there is direct access to the X.509 certificate
data. This patch starts the adaptation to make use of that, but also to
preserve backwards compatibility.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
This is related to that certinfo has been extended and now
needs to pull in the openssl/x509.h to compile properly.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Added a function to extract the needed information from an
OpenSSL X509 object. Also extended parse_tlsid() to include
a pointer to the certificate digest, to have a common behaviour
between parse_tlsid() and parse_x509_cert().
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
These changes should provide both the v1 API and the new v3 API,
depending on which OpenVPN is being used.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
This is to enable an improved logging feature in OpenVPN v2.3 and newer.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
In OpenVPN v2.3 there's a new plug-in API with more integrated log features.
This patch prepares the logging infrastructure for this API.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
This enables setting authentication plug-in and the alternative
authentication username for user-certificate links.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
This auth-plugin will authenticate users against a simple
text file containing username and password hashes, separated
by a '|' (pipe).
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
This file should have been added to commit 2cb8244efca21c48db523df9a12a337d3679e26b
but got forgotten.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
This implements an authentication plug-in framework which can be
used to do username/password authentication against another backend
per user/certificate.
Conflicts:
database/eurephiadb.c
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Seems delta-2 was already "taken" in master.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
This enables plug-in support management via the eDBadminPlugins() function,
used by eurephiadm.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
This adds the 'plugins' command, which is used to register, remove
or modify plug-in parameters.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
This function will be used by the admin interface to configure
eurephia plug-ins.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
This field type ensures boolean values will be predictable when
working in the database driver layer.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
The field mapping id changed to unsigned long long in
commit 60800a7030c7aa3a9e1a1b6155abc4079a0e34f1. This function
needs to support that as well.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
This will enable the database plug-ins and eurephiadm to manipulate
this table.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
This will enable the database plug-ins and eurephiadm to manipulate
this table.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
This slightly changes the eDBmappingGetValue() function to reuse
some of the same look-up logic for eDBmappingSetValue()
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
This will temporarily load a plug-in and extract information about
it. The gathered information is returned in a struct on success.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
This optional function may be declared in the auth-plugins and will be
called via the eAuthPlugin_Close() function.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
This is a dummy plug-in, which should NEVER EVER be used in production.
Its purpose is just to solely test the authentication plug-in API and
to provide a demo implementation of the API.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
This is needed to provide config data to a configured plug-in when it is loaded
and initialised.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
This can be used to pass a configuration to the authentication plug-in.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
memset() and free_nullsafe() were performed on a NULL pointer before
it would be used.
Also make uicid be 0 on generic database issues, not triggering a
logging of a log-in attempt. A database error is hardly a user problem,
and logging the log-in attempt may even fail as well.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
This new PluginInfo() will return a struct instead, containing all the
needed plug-in info. It also replaces the APIversion() function completely.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
By setting this config option in the eurephia database, eurephia will
expect all user account/certificate links to be set up with an external
plug-in for username/password authentications.
Further, it is now ensured that system configuration issues or general
failures not related to the user authentication itself are not counted
as a login attempt.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
If the configured authentication plug-in was disabled, edb-sqlite
would still insist on using the plug-in as authentication method.
This patch changes the behaviour to use the internal eurephia
database for authentication if the authentication plug-in is
disabled.
The code also was modified slightly so that the internal eurephia
database will be the fallback method if any other checks are
skipped.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
This adds the needed functions the eurephia framework requires to
retrieve a list of all configured plug-ins - eDBget_plugins(). And
it includes eDBauth_GetAuthMethod() which is used to lookup what
kind of authentication method a specific user account/certificate
combination should use. If the authentication backend requires
a different username for this, that can also be configured in
this user account/certification setup.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
framework
This enables using an external authentication plug-in if a user
account/certification link is configured to make use of it.
This change ensures that all configured authentication plug-ins are
loaded and are available when eurephia is initialised.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
This enables a run-time loadable support for other authentication
modules. This can be used to make eurephia authenticate user's
passwords against other sources than the local eurephia database
itself.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
eGetSym_optional()
Will be used by the authentication plug-in framework.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
As the lastlog table doesn't contain MAC or IP addresses of the VPN client any more,
make the lastlog extraction gather the data from the vpnaddr_history table instead.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
This will now log VPN client addresses only in the vpnaddr_history table,
and lastlog will log the firewall profile the session used.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
This retrieves the accessprofile ID field from the database for a
given uid/certid combination. This is useful when logging which
firewall profile was used for a certain session.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
function
This will save the access profile in the lastlog table. However, it will not save
the VPN IP address and netmask any more. This should be saved in the vpnaddr_history
table, using the eDBregister_vpnclientaddr() function.
eDBregister_login() is now just a wrapper around the eDBregister_login2(), ignoring
the access profile id and VPN addresses. This exists purely as a compatibility layer
if the updated driver is used against an older eurephia-auth.so plug-in.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
- Only Linux has MADV_DONTFORK, so make it Linux specific
- Added a few missing include files which Linux included through their
include chains
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
add/delete operations
Instead of having to look up the UID manually when adding a user-cert link, it
is now possible to use --username | -u instead of --uid | -i and provide a
username directly.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
By passing '0' as certid, the lookup will only be done against the user table.
Any other values will consider the user-certification links as well.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
This is to prepare for eDBget_uid() to also do lookups when certid
is not set.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>