| Commit message (Collapse) | Author | Age | Files | Lines |
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
| |
info
The eurephia result XML document is also changed, and all parsing of the result must
be rewritten. To simplify this parsing, a new function is introduced,
eurephiaXML_ParseResultMsg().
|
|
|
|
|
|
| |
This error caused eurephia_pwd_crypt() to fail, especially when salt length
was requested to be longer. The solution was to retrieve the salt length
before allocating memory for it.
|
|
|
|
| |
and vars
|
|
|
|
| |
eurephiaVALUES chain
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
| |
This also improves debugging as well, if debug logging is enabled and log level is >= 40.
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
|
| |
This static library is later on linked in. This is to avoid recompiling
the same source files several times during a complete eurephia
compilation.
|
|
|
|
| |
Make them work without the need of defining BENCHMARK during compilation
|
| |
|
| |
|
|
|
|
|
|
| |
Do proper conversion from char * to xmlChar *. Need to figure out a
better way how to return xmlChar * to char * when returning strings
which may contain UTF-8.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Due to the current implementation of SHA512 salts, it could be
experienced as if the application hung on wrong passwords. This is
because the rounds count for the passwords are scrambled, with values
based on the given password. When a wrong password is given, this will
also result in getting a wrong salt length and hash rounds for the
following hash calculation.
Due to this, the extracted rounds value from the salt string could
return some really high number of rounds on wrong
passwords (possibly the max value if integer). And this is why the
"hang" is experienced.
To avoid this, a check is added to make sure the rounds is not
unreasonably much higher than the configured max rounds values. If the
descrambled rounds number from the salt exceeds max rounds * 1.5, the
password (most probaly) is wrong. In this case we do a sleep() to slow
down bruteforce attacks and return NULL.
The drawback is if the maxrounds later on is changed to a value which
hits this scenario:
passwordsalt_rounds > maxrounds_cfg * 1.5
In this case these old passwords will be invalidated by that
configuration change. This is considered to be a feature and not a bug.
The reason for mulitiplying by 1.5, is to allow a little room for a
degrading the max rounds setting. By adjusting the max rounds up again,
these passwords will be valid again.
Added also a sleep() when wrong username is attempted.
|
| |
|
|
|
|
|
| |
Made sure we only include needed include files and checked that
the copyright headers are equal and correct
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This to make it clearer that passwdhash(...) is not good for password
hashing, but suitable when you need a quick hashing algorithm.
The eurephia_quick_hash(...) are now used for password caching hashing,
and is still suitable here since the salt used for the passwords are in
memory only and never written to disk, as they are supposed to be
temporary hashes.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This new function, eurephia_pwd_crypt(...) implements a modified SHA512
hashing algorithm based on the SHA512 crypt implementation proposed by
Ulrich Drepper for glibc.
The original implementation adds support for variable hashing rounds.
The eurephia version implements dynamic hashing rounds, controlled by
minimum and maximum rounds set in the configuration. If not set, it
will minimum use 5000 rounds and maximum 7500 rounds. The amount of
rounds is supposed to be random.
In addition to this, the salt information is now encoded into a hex
value. In this value the salt length and the hash rounds are defined.
This hex value is then encoded (quasi crypt) based on a modulus of the
sum of the characters in the password + the password length. So if you
give the wrong password, you will also get the wrong salt length and the
wrong number of hashing rounds used.
The default salt length is also increased to 32 bytes (256 bit)
|
| |
|
| |
|
|
|
|
| |
eurephia_randstring(...) function
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is to prepare eurephia-auth plugin to use other and
more CPU intensive hashing algorithms for passwords. In addition,
open sessions will now not be rejected/closed due to wrong
password if the user changes the password with an open session
running.
The patch adds a new server_salt attribute in the eurephiaCTX
structure. This is used as a temporary salt and is created of
random data when OpenVPN is started.
When a user is being authenticated (eurephia.c/eurephia_userauth)
a authentication session (not the same as a 'normal' session) is
opened and checked for a cached password. If it does not exist
or match, normal password check will be done against the user
database. If a cached password is found and matches, it is
considered to be authenticated.
The cached password uses the SHA512 algorithm, together with the
eurephiaCTX->server_salt.
|
|
|
|
| |
hashing algorithms
|
|
|
|
|
| |
Changed certinfo.[ch] to add cert.digest as well, and using this
modified struct to handle the parse result after parsing the certfile.
|
| |
|
| |
|
| |
|
|
|
|
| |
documents
|
|
|
|
|
|
| |
When xmlExtractContent() was used together with the defaultValue() macro, a
compiler warning appeared. Changed the xmlExtractContent() macro to a inline
function, hopefully the overhead will be minimal with this change.
|
| |
|