| Commit message (Collapse) | Author | Age | Files | Lines |
This retrieves the accessprofile ID field from the database for a
given uid/certid combination. This is useful when logging which
firewall profile was used for a certain session.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
function
This will save the access profile in the lastlog table. However, it will not save
the VPN IP address and netmask any more. This should be saved in the vpnaddr_history
table, using the eDBregister_vpnclientaddr() function.
eDBregister_login() is now just a wrapper around eDBregister_login2(), ignoring
the access profile id and VPN addresses. This exists purely as a compatibility layer
if the updated driver is used against an older eurephia-auth.so plug-in.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
By passing '0' as certid, the lookup will only be done against the user table.
Any other values will consider the user-certification links as well.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
localtime
All CURRENT_TIMESTAMP calls are returned in UTC/GMT, and this value is stored in the
database. When using eurephiadm to look at these datetime fields the UTC/GMT value
is used, and this needs to be taken into consideration when looking at the reports. This
patch is the first step to handle the local time zone better.
This patch also fixes the 'debug' program in sqlite.c, making use of the
eurephia_log_init() and eurephia_log_close() calls for log preparations.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
This commit implements the eDBregister_vpnclientaddr() needed by the
newer eurephia-auth plug-in. This is needed to improve the tun support
in eurephia.
In addition, this also updates the SQL schema to include IPv4 and in
the future IPv6 addresses in the lastlog and VPN address history
(openvpn_vpnaddr_history). The old openvpn_macaddr_history table
is deprecated.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
This will change the driver to use the new error routines made available
in the SQLite3 framework. Some of the code is also restructured a little
bit to simplify the code with these changes.
The functionality should be the same as before, but better error messages
are now sent back to the caller on the functions supporting XML.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
This is a follow up of commit de7a3d88c78cdf400fcee78f71946da8b12ec74f. That
commit introduced an SQL error when eDBregister_attempts() was attempting
to update certificate digest attempt records. Overhauled and fixed the
complete eDBregister_attempts() function.
This makes sure that all interactions with the database will convert
the digest strings to lower case.
This only affects functions related to MAC address and certificate depth
This also improves debugging, if debug logging is enabled and the log level is >= 40.
Due to the current implementation of SHA512 salts, it could be
experienced as if the application hung on wrong passwords. This is
because the rounds count for the passwords is scrambled, with values
based on the given password. When a wrong password is given, this will
also result in getting a wrong salt length and hash rounds for the
following hash calculation.
Due to this, the extracted rounds value from the salt string could
return some really high number of rounds on wrong
passwords (possibly the max value of an integer). And this is why the
"hang" is experienced.
To avoid this, a check is added to make sure the rounds count is not
unreasonably much higher than the configured max rounds value. If the
descrambled rounds number from the salt exceeds max rounds * 1.5, the
password (most probably) is wrong. In this case we do a sleep() to slow
down bruteforce attacks and return NULL.
The drawback is if the maxrounds later on is changed to a value which
hits this scenario:
passwordsalt_rounds > maxrounds_cfg * 1.5
In this case these old passwords will be invalidated by that
configuration change. This is considered to be a feature and not a bug.
The reason for multiplying by 1.5 is to allow a little room for
degrading the max rounds setting. By adjusting the max rounds up again,
these passwords will be valid again.
Added also a sleep() when a wrong username is attempted.
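The check described in this commit message, as an added example that is not eurephia's own code. The salt layout here is constructed for the illustration: a 4-byte rounds counter XORed with a mask derived from the password, followed by the raw salt, so that descrambling with a wrong password yields a garbage count. PBKDF2-HMAC-SHA512 stands in for the iterated SHA512 hash only because its cost scales with the rounds count the same way; the function names (`make_record`, `verify_password`, `rounds_plausible`) and the 1.5 factor applied to `max_rounds` are this example's, not the plugin's.

```python
import hashlib
import hmac
import struct
import time


def _mask(password):
    # Hypothetical 32-bit scrambling mask derived from the password.
    return struct.unpack(">I", hashlib.sha512(password.encode()).digest()[:4])[0]


def scramble_rounds(rounds, password):
    return struct.pack(">I", rounds ^ _mask(password))


def descramble_rounds(saltblob, password):
    # With the wrong password the mask is wrong, so the result is garbage.
    return struct.unpack(">I", saltblob[:4])[0] ^ _mask(password)


def rounds_plausible(rounds, max_rounds):
    # The commit's sanity check: a count above max_rounds * 1.5 is treated
    # as a wrong password rather than a legitimately slow hash.
    return rounds <= max_rounds * 1.5


def _hash(password, salt, rounds):
    # Stand-in for the iterated SHA512 computation (assumption).
    return hashlib.pbkdf2_hmac("sha512", password.encode(), salt, rounds)


def make_record(password, rounds, salt):
    """Return (saltblob, hash) as they would be stored for a user."""
    saltblob = scramble_rounds(rounds, password) + salt
    return saltblob, _hash(password, salt, rounds)


def verify_password(saltblob, stored_hash, password, max_rounds, delay=2.0):
    """True/False after a normal comparison; None when the sanity check
    fires, after sleeping `delay` seconds to slow down brute forcing."""
    rounds = descramble_rounds(saltblob, password)
    if not rounds_plausible(rounds, max_rounds):
        time.sleep(delay)
        return None
    candidate = _hash(password, saltblob[4:], rounds)
    return hmac.compare_digest(candidate, stored_hash)


if __name__ == "__main__":
    # Constructed sample record: 5000 rounds, fixed salt.
    blob, h = make_record("correct horse", 5000, b"constructed-salt")
    print(verify_password(blob, h, "correct horse", 8000))        # True
    # The documented drawback: max rounds lowered to 3000, 5000 > 4500.
    print(verify_password(blob, h, "correct horse", 3000, 0.0))   # None
    # Raising it back to 4000 makes the old record valid again.
    print(verify_password(blob, h, "correct horse", 4000, 0.0))   # True
    # Wrong password: garbage rounds, None unless the garbage count
    # happens to land at or below 12000, in which case False.
    print(verify_password(blob, h, "wrong", 8000, 0.0))
```

The wrong-password path never reaches the expensive hash unless the descrambled count happens to fall inside the plausible window, which is the whole point of the check: the hash cost is bounded by the configured maximum rather than by whatever the attacker's guess descrambles to.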
Made sure we only include needed include files and checked that
the copyright headers are equal and correct
Follow up from commit 062a3c92343a5fa371f8637f8bca88aacca14cc4
This is to prepare the eurephia-auth plugin to use other and
more CPU intensive hashing algorithms for passwords. In addition,
open sessions will now not be rejected/closed due to wrong
password if the user changes the password with an open session
running.
The patch adds a new server_salt attribute in the eurephiaCTX
structure. This is used as a temporary salt and is created from
random data when OpenVPN is started.
When a user is being authenticated (eurephia.c/eurephia_userauth)
an authentication session (not the same as a 'normal' session) is
opened and checked for a cached password. If it does not exist
or match, the normal password check will be done against the user
database. If a cached password is found and matches, it is
considered to be authenticated.
The cached password uses the SHA512 algorithm, together with the
eurephiaCTX->server_salt.
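The cached-password flow this commit message describes, as an added example that is not eurephia's code. Assumptions made here: the authentication session is keyed on the username, the per-process server salt is 32 random bytes, the user database is an in-memory dict of constructed records, and PBKDF2-HMAC-SHA512 with 20000 iterations stands in for the expensive hash the plugin is being prepared for. The `AuthCache` class and `db_checks` counter are this example's, not the plugin's.

```python
import hashlib
import hmac
import os


def make_user(password, salt):
    # Constructed database record: (salt, expensive hash).
    return salt, hashlib.pbkdf2_hmac("sha512", password.encode(), salt, 20000)


class AuthCache:
    def __init__(self, userdb, server_salt=None):
        # Random per process start, so cached digests die with the process.
        self.server_salt = server_salt if server_salt is not None else os.urandom(32)
        self.userdb = userdb          # username -> (salt, hash)
        self.sessions = {}            # username -> cached SHA512 digest
        self.db_checks = 0            # how often the expensive path ran

    def _cache_digest(self, password):
        # Cheap SHA512 over server_salt || password, the cached form.
        return hashlib.sha512(self.server_salt + password.encode()).digest()

    def _db_verify(self, username, password):
        self.db_checks += 1
        rec = self.userdb.get(username)
        if rec is None:
            return False
        salt, stored = rec
        cand = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, 20000)
        return hmac.compare_digest(cand, stored)

    def authenticate(self, username, password):
        digest = self._cache_digest(password)
        cached = self.sessions.get(username)
        if cached is not None and hmac.compare_digest(cached, digest):
            return True               # cache hit: expensive hash skipped
        if not self._db_verify(username, password):
            return False
        self.sessions[username] = digest
        return True

    def close_session(self, username):
        self.sessions.pop(username, None)


if __name__ == "__main__":
    db = {"alice": make_user("pw1", b"constructed-salt")}
    auth = AuthCache(db)
    print(auth.authenticate("alice", "pw1"), auth.db_checks)   # True 1
    print(auth.authenticate("alice", "pw1"), auth.db_checks)   # True 1
    # Password changed while the session is open: the old password still
    # satisfies the cached digest, the new one goes to the database once.
    db["alice"] = make_user("pw2", b"constructed-salt")
    print(auth.authenticate("alice", "pw1"), auth.db_checks)   # True 1
    print(auth.authenticate("alice", "pw2"), auth.db_checks)   # True 2
    print(auth.authenticate("alice", "nope"), auth.db_checks)  # False 3
```

Note that a stale cache entry is only ever replaced by a successful database check, never by a failed one, so a wrong guess cannot evict a valid cached digest; closing the session is what drops it.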
hashing algorithms
- cmd_Logout(...) used the wrong argv[] index for sessionkey.
- Improved eDBadminValidateSession(...) to set status to '5' on sessions
which are getting logged out due to missing privileges
user is about to logout
Added one more status code, for active sessions. Auto-logout will now
also delete session variables
Auto-logout implemented as well
Follow up of commit 103acd7c2e1467401f0795930be9140dc5ed47ff. Seems
to work fine via both plugin mode and eurephiadm, regarding core dumping
too.
One part is a generic session handling part
(common/eurephiadb_session_common.[ch]) and the other part
is left in the old plugin/eurephiadb_session.[ch].
This splitting should make it easier to reuse some of the session
handling functions for the admin utils.