| Commit message | Author | Age | Files | Lines |
| |
This function is also called with IP addresses from networks behind clients, and
eurephia doesn't really need to process them.
Signed-off-by: David Sommerseth <dazo@eurephia.org>
(cherry picked from commit 31193a9d4f764bd54e00fc9e277c98319f198acd)
| |
If routing subnets over the VPN tunnel, OpenVPN will learn addresses
inside these subnets. As these IP addresses are not directly connected
to a eurephia session, these errors can be silenced in normal operation.
So this logging was moved to DEBUG().
Signed-off-by: David Sommerseth <dazo@eurephia.org>
(cherry picked from commit 0628a765e4ecdf44a966b9a3fd6717aca9b9d09f)
| |
The check if dbargc exceeds MAX_ARGUMENTS was done _after_ it was checked
if the array element is NULL. This was not the intention.
Signed-off-by: David Sommerseth <dazo@eurephia.org>
(cherry picked from commit 51f8c8e930221cc5feeac4f84be5550b4e5be9dd)
| |
This function replaces eDBregister_vpnmacaddr(). This new function
will in addition to the MAC address (if OpenVPN is running in TAP mode)
also register the client's IPv4 VPN address. It's also prepared for
logging the client's IPv6 VPN address.
This function supports both TUN and TAP mode, while the old function
only handled TAP mode.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
| |
Now eurephia will support both TUN and TAP configurations in
OpenVPN.
Thanks to Tavis Paquette and Matthew Gyurgyik for their willingness
to test out this patch.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
| |
This memory leak got introduced with commit 525d75316848f79208101e48a54e2
which moves the daemonisation of the firewall thread. Two environment
variables were not freed after usage.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
| |
The char buffer returned by eDBget_firewall_profile() must be freed after
usage.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
| |
The current implementation uses the MAC address of the client's VPN
interface. This also restricts eurephia to use TAP mode.
This patch adds preliminary support for also accepting the client's
IP address when updating the firewall rules. But the complete support
for TUN mode is not completed yet.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
| |
The eurephia plug-in would daemonize the OpenVPN process by calling
daemonize() too early. This patch renames daemonize() to efw_daemonize()
and calls it only in the firewall child process.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
| |
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
| |
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
| |
Moved over the missing pieces to use the eFWupdateRequest struct. This is
a continuation of the work started in commit bdd956adcccd91ff553278fd73cea7
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
| |
This is related to the changes done in commit c6621d108bb8beb97ca61.
| |
The memory leak was caused by not freeing the shadow context the firewall
child process uses for logging. In addition this child process had a
connection to the database open as well, which was not needed. This
connection is now disconnected immediately after the child process has
started.
Also added usage of mlock() to protect sensitive information from being
swapped out to disk.
| |
This has two purposes. To make the code more readable and to use the
same maximum length of the data being retrieved from the environment table.
| |
| |
This only affects functions related to MAC address and certificate depth
| |
This is to enhance the security and to avoid possible buffer overflows
based on input received from the client
| |
| |
Also simplified the initialisation of the logging module. By calling
the eurephia_log_init(eurephiaCTX *, char *dest, int loglevel) function,
a log context will be set up inside the eurephiaCTX.
To close the log file, eurephia_log_close(eurephiaCTX *) must be called.
The destination string to eurephia_log_init() can be:
- stdout:
  Log everything to stdout
- stderr:
  Log everything to stderr
- none:
  Do no logging at all
- syslog:<facility>
  Log via syslog. <facility> can be: user, local[0-7],
  daemon or authpriv.
- Filename
  All logging goes to the given filename. If the filename
  string is not recognised as any of the reserved words above,
  it will be handled as a filename.
| |
| |
This also improves debugging, if debug logging is enabled and the log level is >= 40.
| |
| |
| |
| |
| |
| |
Made sure we only include needed include files and checked that
the copyright headers are equal and correct
| |
This is to make it clearer that passwdhash(...) is not good for password
hashing, but suitable when you need a quick hashing algorithm.
eurephia_quick_hash(...) is now used for password cache hashing,
and is still suitable here since the salt used for the passwords is in
memory only and never written to disk, as they are supposed to be
temporary hashes.
| |
eurephia_randstring(...) function
| |
| |
This is to prepare eurephia-auth plugin to use other and
more CPU intensive hashing algorithms for passwords. In addition,
open sessions will now not be rejected/closed due to wrong
password if the user changes the password with an open session
running.
The patch adds a new server_salt attribute in the eurephiaCTX
structure. This is used as a temporary salt and is created from
random data when OpenVPN is started.
When a user is being authenticated (eurephia.c/eurephia_userauth)
an authentication session (not the same as a 'normal' session) is
opened and checked for a cached password. If it does not exist
or match, normal password check will be done against the user
database. If a cached password is found and matches, it is
considered to be authenticated.
The cached password uses the SHA512 algorithm, together with the
eurephiaCTX->server_salt.
| |
context type.
| |
One part is a generic session handling part
(common/eurephiadb_session_common.[ch]) and the other part
is left in the old plugin/eurephiadb_session.[ch].
This splitting should make it easier to reuse some of the session
handling functions for the admin utils.
| |
| |
Moved eurephiadb_session_struct.h to the common directory and
made sure that eurephiadb_session.h is only included where needed
| |
eurephia_context.h only needs to know about the eurephiaFWINTF *
struct when compiling the auth plug-in and firewall modules.
To enable this, EUREPHIA_FWINTF needs to be defined, and
eurephiafw_struct.h must be included before eurephia_context.h
in the source. When this is not done, *fwcfg will just be a void *.
| |
Since this include file now only consists of eurephiaCTX definition,
it was moved to the common/ directory and renamed.
Moved the SESSION_* definitions out of this file and into
plugin/eurephiadb_session.h where they belong.
Moved the Posix MQ definitions into plugin/firewall/eurephiafw_struct.h
where they belong.
eurephia_context.h now contains only context related things.
| |
separate include files
| |
The attempt counter for certificates was reset too early. It was reset
on successful TLS verification. But the only place these counters should
be reset is after successful authentication in eurephia_userauth(...)
| |
If the configuration variable 'firewall_blacklist_destination' is
set, it will insert DROP rules when a blacklisted IP address is
attempted.
Feature not tested yet.
| |
Moved all OpenVPN plug-in related things into ./plugins, including firewall
Moved all shared code into ./common and moved the generic part of the
database files into ./database
Updated all CMakeLists.txt files and created a new one for the root directory