path: root/plugin/eurephia.c
Commit log (each entry: subject, then author, date, files changed, lines removed/added, then the commit message body)
* plugin: Don't treat not found sessions in eurephia_learn_address() as a failure
  David Sommerseth, 2015-01-08, 1 file changed, -1/+5
  This function is also called with IP addresses from networks behind clients, and eurephia doesn't really need to process them.
  Signed-off-by: David Sommerseth <dazo@eurephia.org>
  (cherry picked from commit 31193a9d4f764bd54e00fc9e277c98319f198acd)
* plugin: Improved logging of not found addresses in eurephia_learn_address
  David Sommerseth, 2015-01-08, 1 file changed, -3/+1
  If routing subnets over the VPN tunnel, OpenVPN will learn addresses inside these subnets. As these IP addresses are not directly connected to a eurephia session, these errors can be silenced in normal operation. So this logging was moved to DEBUG().
  Signed-off-by: David Sommerseth <dazo@eurephia.org>
  (cherry picked from commit 0628a765e4ecdf44a966b9a3fd6717aca9b9d09f)
* Correct ugly boundary checks in database init
  David Sommerseth, 2014-12-05, 1 file changed, -1/+1
  The check if dbargc exceeds MAX_ARGUMENTS was done _after_ it was checked if the array element is NULL. This was not the intention.
  Signed-off-by: David Sommerseth <dazo@eurephia.org>
  (cherry picked from commit 51f8c8e930221cc5feeac4f84be5550b4e5be9dd)
* Added a new database driver function: eDBregister_vpnclientaddr()
  David Sommerseth, 2012-09-13, 1 file changed, -9/+8
  This function replaces eDBregister_vpnmacaddr(). This new function will, in addition to the MAC address (if OpenVPN is running in TAP mode), also register the client's IPv4 VPN address. It's also prepared for logging the client's IPv6 VPN address. This function supports both TUN and TAP mode, while the old function only handled TAP mode.
  Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
* Implemented proper TUN support in eurephia
  David Sommerseth, 2010-12-14, 1 file changed, -7/+51
  Now eurephia will support both TUN and TAP configurations in OpenVPN. Thanks to Tavis Paquette and Matthew Gyurgyik for their willingness to test out this patch.
  Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
* Fixed memory leak in eurephiaInit()
  David Sommerseth, 2010-12-05, 1 file changed, -2/+4
  This memory leak got introduced with commit 525d75316848f79208101e48a54e2 which moves the daemonisation of the firewall thread. Two environment variables were not freed after usage.
  Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
* Fixed a memory leak in eurephia_learn_address(...)
  David Sommerseth, 2010-12-05, 1 file changed, -0/+2
  The char buffer returned by eDBget_firewall_profile() must be freed after usage.
  Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
* Add preliminary support for using IP addresses in the firewall module
  David Sommerseth, 2010-12-01, 1 file changed, -8/+16
  The current implementation uses the MAC address of the client's VPN interface. This also restricts eurephia to use TAP mode. This patch adds preliminary support for also accepting the client's IP address when updating the firewall rules. But the complete support for TUN mode is not completed yet.
  Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
* Move daemonize() code to be called in the firewall child thread only
  David Sommerseth, 2010-11-26, 1 file changed, -2/+7
  The eurephia plug-in would daemonize the OpenVPN process by calling daemonize() too early. This patch renames daemonize() to efw_daemonize() and calls it only in the firewall child process.
  Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
* Removed misleading documentation of eurephiaInit()
  David Sommerseth, 2010-08-29, 1 file changed, -3/+1
  Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
* Show eurephia-auth version during initialisation
  David Sommerseth, 2010-08-29, 1 file changed, -0/+2
  Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
* Completed the needed changes for the new firewall plug-in API
  David Sommerseth, 2010-08-25, 1 file changed, -7/+17
  Moved over the missing pieces to use the eFWupdateRequest struct. This is a continuation of the work started in commit bdd956adcccd91ff553278fd73cea7
  Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
* Updated doxygen documentation for eurephia.c:245:eurephia_tlsverify()
  David Sommerseth, 2010-07-30, 1 file changed, -3/+4
  This is related to the changes done in commit c6621d108bb8beb97ca61.
* Updated Copyright dates to include 2010
  David Sommerseth, 2010-07-30, 1 file changed, -1/+1
* Restrict log length of mac address
  David Sommerseth, 2009-10-13, 1 file changed, -2/+2
* Always process certificate depth as integer
  David Sommerseth, 2009-10-13, 1 file changed, -6/+7
* Fixed memory leak in the firewall implementation and added mlock() usage
  David Sommerseth, 2009-10-06, 1 file changed, -0/+17
  The memory leak was caused by not freeing the shadow context the firewall child process uses for logging. In addition this child process had a connection to the database open as well, which was not needed. This connection is now disconnected immediately after the child process has started.
  Added also usage of mlock() to protect sensitive information from being swapped out to disk.
* Use macros to extract values via get_env()
  David Sommerseth, 2009-10-05, 1 file changed, -36/+36
  This has two purposes. To make the code more readable and to use the same maximum length of the data being retrieved from the environment table.
* Moved the get_env() function into its own file
  David Sommerseth, 2009-10-04, 1 file changed, -59/+2
* Restrict input data length for plug-in arguments from openvpn
  David Sommerseth, 2009-10-04, 1 file changed, -2/+2
  This only affects functions related to MAC address and certificate depth
* Modified get_env() function to limit number of bytes to extract
  David Sommerseth, 2009-10-02, 1 file changed, -55/+142
  This is to enhance the security and to avoid possible buffer overflows based on input received from the client
* Added extra parameter to eurephia_log_init() to set log ident for syslog
  David Sommerseth, 2009-09-24, 1 file changed, -2/+2
* Rewritten the eurephia_log() to support syslog logging as well
  David Sommerseth, 2009-09-24, 1 file changed, -35/+11
  Also simplified the initialisation of the logging module. By calling the eurephia_log_init(eurephiaCTX *, char *dest, int loglevel) function, a log context will be setup inside the eurephiaCTX. To close the log file, eurephia_log_close(eurephiaCTX *) must be called.
  The destination string to eurephia_log_init() can be:
  - stdout: Log everything to stdout
  - stderr: Log everything to stderr
  - none: Do no logging at all
  - syslog:<facility> Log via syslog. <facility> can be: user, local[0-7], daemon or authpriv.
  - Filename: All logging goes to the given filename. If the filename string is not recognised by any of the reserved words above, it will be handled as a filename.
* Added debug logging of free_nullsafe() calls as well
  David Sommerseth, 2009-09-07, 1 file changed, -8/+8
* Moved all malloc() operations over to a calloc wrapper, malloc_nullsafe()
  David Sommerseth, 2009-09-07, 1 file changed, -4/+7
  This also improves debugging as well, if debug logging is enabled and log level is >= 40.
* Cleaned up and added some missing comments
  David Sommerseth, 2009-09-05, 1 file changed, -2/+2
* Added doxygen comments
  David Sommerseth, 2009-09-02, 1 file changed, -10/+85
* Added missing #include statements
  David Sommerseth, 2009-09-02, 1 file changed, -0/+1
* Corrected a log entry on login/logout
  David Sommerseth, 2009-03-26, 1 file changed, -2/+2
* Made the licence explicit GPLv2 only
  David Sommerseth, 2009-03-26, 1 file changed, -1/+1
* Cleaned up the code a little bit
  David Sommerseth, 2009-03-26, 1 file changed, -2/+3
  Made sure we only include needed include files and checked that the copyright headers are equal and correct
* Renamed passwdhash(...) function to eurephia_quick_hash(...)
  David Sommerseth, 2009-03-21, 1 file changed, -1/+1
  This is to make it clearer that passwdhash(...) is not good for password hashing, but suitable when you need a quick hashing algorithm. The eurephia_quick_hash(...) is now used for password cache hashing, and is still suitable here since the salt used for the passwords is in memory only and never written to disk, as they are supposed to be temporary hashes.
* Moved eDBsessionGetRandString(...) to a more global and independent eurephia_randstring(...) function
  David Sommerseth, 2009-01-10, 1 file changed, -1/+2
* BUGFIX: Removed several memory leaks
  David Sommerseth, 2009-01-03, 1 file changed, -0/+5
* Introduced password caching on authenticated sessions
  David Sommerseth, 2009-01-03, 1 file changed, -4/+64
  This is to prepare eurephia-auth plugin to use other and more CPU intensive hashing algorithms for passwords. In addition, open sessions will now not be rejected/closed due to wrong password if the user changes the password with an open session running.
  The patch adds a new server_salt attribute in the eurephiaCTX structure. This is used as a temporary salt and is created from random data when OpenVPN is started.
  When a user is being authenticated (eurephia.c/eurephia_userauth) an authentication session (not the same as a 'normal' session) is opened and checked for a cached password. If it does not exist or match, normal password check will be done against the user database. If a cached password is found and matches, it is considered to be authenticated.
  The cached password uses the SHA512 algorithm, together with the eurephiaCTX->server_salt.
* Merge branch 'master' into eurephiadm
  David Sommerseth, 2008-12-02, 1 file changed, -0/+2
* Added login and logout info messages when log-level is 1
  David Sommerseth, 2008-12-02, 1 file changed, -0/+2
* Added context_type into eurephiaCTX struct. Database queries limited due to context type.
  David Sommerseth, 2008-11-29, 1 file changed, -0/+1
* Split plugin/eurephiadb_session.[ch] into two parts
  David Sommerseth, 2008-11-28, 1 file changed, -0/+1
  One part is a generic session handling part (common/eurephiadb_session_common.[ch]) and the other part is left in the old plugin/eurephiadb_session.[ch]. This splitting should make it easier to reuse some of the session handling functions for the admin utils.
* Added minimum API version check when loading database driver.
  David Sommerseth, 2008-11-28, 1 file changed, -1/+1
* Cleaned up eurephiadb_session dependencies
  David Sommerseth, 2008-11-28, 1 file changed, -0/+1
  Moved eurephiadb_session_struct.h to the common directory and made sure that eurephiadb_session.h is only included where needed
* Made eurephia_context.h even more generic and independent
  David Sommerseth, 2008-11-28, 1 file changed, -0/+2
  eurephia_context.h only needs to know about the eurephiaFWINTF * struct when compiling the auth plug-in and firewall modules. To enable this, EUREPHIA_FWINTF needs to be defined, and eurephiafw_struct.h must be included before including eurephia_context.h in the source. When this is not done, *fwcfg will just be a void *.
* Renamed eurephia_struct.h to eurephia_context.h
  David Sommerseth, 2008-11-27, 1 file changed, -1/+1
  Since this include file now only consists of eurephiaCTX definition, it was moved to the common/ directory and renamed. Moved the SESSION_* definitions out of this file and into plugin/eurephiadb_session.h where they belong. Moved the Posix MQ definitions into plugin/firewall/eurephiafw_struct.h where they belong. eurephia_context.h is now containing only context related things.
* Code cleanup: Split all structures defined in eurephia_struct.h into separate include files
  David Sommerseth, 2008-11-05, 1 file changed, -0/+1
* BUGFIX: Fixed wrong attempt count reset during eurephia_tlsverify(...) (tag: v0.9.2_beta)
  David Sommerseth, 2008-11-01, 1 file changed, -3/+0
  The attempt counter for certificates was reset too early. It was reset on successful TLS verification. But the only place these counters should be reset is after successful authentication in eurephia_userauth(...)
* Added (untested) firewall block when IP addresses are blacklisted
  David Sommerseth, 2008-10-21, 1 file changed, -0/+10
  If the configuration variable 'firewall_blacklist_destination' is set, it will insert DROP rules when a blacklisted IP address is attempted. Feature not tested yet.
* Reorganised the source code
  David Sommerseth, 2008-10-15, 1 file changed, -0/+527
  Moved all OpenVPN plug-in related things into ./plugins, including firewall
  Moved all shared code into ./common and moved the generic part of the database files into ./database
  Updated all CMakeLists.txt files and created a new one for the root directory