| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| | |
|
| | |
|
| | |
|
| |
|
|
| |
This also improves debugging as well, if debug logging is enabled and log level is >= 40.
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
| |
This static library is later on linked in. This is to avoid recompiling
the same source files several times during a complete eurephia
compilation.
|
| |
|
|
| |
Make them work without the need of defining BENCHMARK during compilation
|
| | |
|
| | |
|
| |
|
|
|
|
| |
Do proper conversion from char * to xmlChar *. Need to figure out a
better way how to return xmlChar * to char * when returning strings
which may contain UTF-8.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Due to the current implementation of SHA512 salts, it could be
experienced as if the application hung on wrong passwords. This is
because the rounds count for the passwords are scrambled, with values
based on the given password. When a wrong password is given, this will
also result in getting a wrong salt length and hash rounds for the
following hash calculation.
Due to this, the extracted rounds value from the salt string could
return some really high number of rounds on wrong
passwords (possibly the max value if integer). And this is why the
"hang" is experienced.
To avoid this, a check is added to make sure the rounds is not
unreasonably much higher than the configured max rounds values. If the
descrambled rounds number from the salt exceeds max rounds * 1.5, the
password (most probaly) is wrong. In this case we do a sleep() to slow
down bruteforce attacks and return NULL.
The drawback is if the maxrounds later on is changed to a value which
hits this scenario:
passwordsalt_rounds > maxrounds_cfg * 1.5
In this case these old passwords will be invalidated by that
configuration change. This is considered to be a feature and not a bug.
The reason for mulitiplying by 1.5, is to allow a little room for a
degrading the max rounds setting. By adjusting the max rounds up again,
these passwords will be valid again.
Added also a sleep() when wrong username is attempted.
|
| | |
|
| |
|
|
|
| |
Made sure we only include needed include files and checked that
the copyright headers are equal and correct
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
This to make it clearer that passwdhash(...) is not good for password
hashing, but suitable when you need a quick hashing algorithm.
The eurephia_quick_hash(...) are now used for password caching hashing,
and is still suitable here since the salt used for the passwords are in
memory only and never written to disk, as they are supposed to be
temporary hashes.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This new function, eurephia_pwd_crypt(...) implements a modified SHA512
hashing algorithm based on the SHA512 crypt implementation proposed by
Ulrich Drepper for glibc.
The original implementation adds support for variable hashing rounds.
The eurephia version implements dynamic hashing rounds, controlled by
minimum and maximum rounds set in the configuration. If not set, it
will minimum use 5000 rounds and maximum 7500 rounds. The amount of
rounds is supposed to be random.
In addition to this, the salt information is now encoded into a hex
value. In this value the salt length and the hash rounds are defined.
This hex value is then encoded (quasi crypt) based on a modulus of the
sum of the characters in the password + the password length. So if you
give the wrong password, you will also get the wrong salt length and the
wrong number of hashing rounds used.
The default salt length is also increased to 32 bytes (256 bit)
|
| | |
|
| | |
|
| |
|
|
| |
eurephia_randstring(...) function
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is to prepare eurephia-auth plugin to use other and
more CPU intensive hashing algorithms for passwords. In addition,
open sessions will now not be rejected/closed due to wrong
password if the user changes the password with an open session
running.
The patch adds a new server_salt attribute in the eurephiaCTX
structure. This is used as a temporary salt and is created of
random data when OpenVPN is started.
When a user is being authenticated (eurephia.c/eurephia_userauth)
a authentication session (not the same as a 'normal' session) is
opened and checked for a cached password. If it does not exist
or match, normal password check will be done against the user
database. If a cached password is found and matches, it is
considered to be authenticated.
The cached password uses the SHA512 algorithm, together with the
eurephiaCTX->server_salt.
|
| |
|
|
| |
hashing algorithms
|
| |
|
|
|
| |
Changed certinfo.[ch] to add cert.digest as well, and using this
modified struct to handle the parse result after parsing the certfile.
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
documents
|
| |
|
|
|
|
| |
When xmlExtractContent() was used together with the defaultValue() macro, a
compiler warning appeared. Changed the xmlExtractContent() macro to a inline
function, hopefully the overhead will be minimal with this change.
|
| | |
|
| |
|
|
|
|
| |
Added RSETLASTUSED (last_accessed is set to NULL) and RSETLOGINCNT (lastlog
table has been modified). NEVERUSED flag will only be set if last_accessed
is NULL and login count == 0.
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
| |
The added account_flags are flags used to quickly identify the
account status.
Made also suret that all flags are not set when a new eurephiaUSERINFO
struct is initialised
|
| |
|
|
|
|
|
|
|
|
| |
Implemented saving VPN access profile to the eurephiaCERTINFO struct and
filling the eurephiaACCESSINFO with the proper information needed in the
eDBadminGetUserInfo(...) function.
The special thing about eurephiaACCESSINFO, is that it will not register
duplicate records. And when the eurephiaCERTINFO is free'd, the
eurephiaACCESSLIST will automatically be free'd as well.
|
| |
|
|
|
|
| |
New functions to simplify using these structs in the code. Extended
eurephiaUSERINFO to also have a eurephiaCERTLIST pointer, which can be
used to store all associated certificates to this user.
|
| |
|
|
|
|
|
| |
This can make it possible to get a value getting set to NULL if
this flag contains the FIELD_* value of the field being set to NULL.
If more fields wants to be reset, these field values can be bitwise
ORed together into the setnull_flag.
|
| |
|
|
|
|
|
| |
In other words, rewrote commit 6d4373e026b3f12c5685e45e35f9f060379ed0f3.
Moved over all functions from that commit which could take advantage of
the new API for unified table/field translation.
|
| | |
|
| |
|
|
|
|
| |
Changed it from free_nullsafe() to free(), since we already check if
session is null before we reach this free line. valgrind did not
complain afterwards.
|
| |
|
|
| |
declaration in .h
|
| | |
|
| | |
|
| |
|
|
|
|
|
| |
Will contain common functions for the administration API. At the moment
only a generic function which converts unified field names to proper
database field names is implemented. This functions is made especially
for sorting keys (ORDER BY <fields>)
|
