path: root/plugin/eurephia.c
Commit message [Author, Date, Files, Lines]
* plugin: Remove usage of not really useful environment variable, ifconfig_pool_netmask  [David Sommerseth, 2015-01-09, 1 file, -23/+11]
  This isn't always present, and only triggers some warnings. As it's not used for anything critical, get rid of it.
  Signed-off-by: David Sommerseth <dazo@eurephia.org>
* plugin: Don't treat not found sessions in eurephia_learn_address() as a failure  [David Sommerseth, 2015-01-08, 1 file, -1/+5]
  This function is also called with IP addresses from networks behind clients, and eurephia doesn't really need to process them.
  Signed-off-by: David Sommerseth <dazo@eurephia.org>
* plugin: Improved logging of not found addresses in eurephia_learn_address  [David Sommerseth, 2015-01-08, 1 file, -3/+1]
  If routing subnets over the VPN tunnel, OpenVPN will learn addresses inside these subnets. As these IP addresses are not directly connected to a eurephia session, these errors can be silenced in normal operation. So this logging was moved to DEBUG().
  Signed-off-by: David Sommerseth <dazo@eurephia.org>
* Correct ugly boundary checks in database init  [David Sommerseth, 2014-12-05, 1 file, -1/+1]
  The check if dbargc exceeds MAX_ARGUMENTS was done _after_ it was checked if the array element is NULL. This was not the intention.
  Signed-off-by: David Sommerseth <dazo@eurephia.org>
* Fixed variable mix-up when calling eDBregister_login2()  [David Sommerseth, 2013-06-25, 1 file, -1/+1]
  The uid and access profile variables had changed order, which would cause a mismatch with the configured access profile and user-cert link. I'd like to thank Colin Ryan for catching this bug too.
  Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
* plugin: Reworked the certinfo integration and use the X.509 certificate from OpenVPN  [David Sommerseth, 2013-06-07, 1 file, -88/+42]
  With the OpenVPN plug-in v3 API there is direct access to the X.509 certificate data. This patch starts the adaptation to make use of that, but also to preserve backwards compatibility.
  Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
* common: Update callers of eurephia_log_init() to comply with the API changes  [David Sommerseth, 2013-06-05, 1 file, -5/+12]
  This is to enable an improved logging feature in OpenVPN v2.3 and newer.
  Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
* Merge auth-plugin work  [David Sommerseth, 2013-05-28, 1 file, -4/+131]
  This implements an authentication plug-in framework which can be used to do username/password authentication against another backend per user/certificate.
  Conflicts: database/eurephiadb.c
  Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
* New feature: Added config option auth_disable_internal  [David Sommerseth, 2013-03-03, 1 file, -6/+24]
  By setting this config option in the eurephia database, eurephia will expect all user account/certificate links to be set up with an external plug-in for username/password authentications. Further, it is now ensured that system configuration issues or general failures not related to the user authentication itself are not counted as a login attempt.
  Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
* auth plug-in: Implemented the authentication plug-in into the core eurephia framework  [David Sommerseth, 2013-03-03, 1 file, -4/+113]
  This enables using an external authentication plug-in if a user account/certification link is configured to make use of it. This change ensures that all configured authentication plug-ins are loaded and available when eurephia is initialised.
  Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
* Make use of the new eDBregister_login2() call in the eurephia-auth plug-in  [David Sommerseth, 2012-12-26, 1 file, -4/+5]
  This will now log VPN client addresses only in the vpnaddr_history table, and lastlog will log the firewall profile the session used.
  Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
* Added error checking before calling eDBget_uid()  [David Sommerseth, 2012-11-02, 1 file, -0/+6]
  This is to prepare for eDBget_uid() to also do lookups when certid is not set.
  Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
* Added a new database driver function: eDBregister_vpnclientaddr()  [David Sommerseth, 2012-09-13, 1 file, -9/+8]
  This function replaces eDBregister_vpnmacaddr(). This new function will in addition to the MAC address (if OpenVPN is running in TAP mode) also register the client's IPv4 VPN address. It's also prepared for logging the client's IPv6 VPN address. This function supports both TUN and TAP mode, while the old function only handled TAP mode.
  Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
* Implemented proper TUN support in eurephia  [David Sommerseth, 2010-12-14, 1 file, -7/+51]
  Now eurephia will support both TUN and TAP configurations in OpenVPN. Thanks to Tavis Paquette and Matthew Gyurgyik for their willingness to test out this patch.
  Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
* Fixed memory leak in eurephiaInit()  [David Sommerseth, 2010-12-05, 1 file, -2/+4]
  This memory leak got introduced with commit 525d75316848f79208101e48a54e2 which moves the daemonisation of the firewall thread. Two environment variables were not freed after usage.
  Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
* Fixed a memory leak in eurephia_learn_address(...)  [David Sommerseth, 2010-12-05, 1 file, -0/+2]
  The char buffer returned by eDBget_firewall_profile() must be freed after usage.
  Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
* Add preliminary support for using IP addresses in the firewall module  [David Sommerseth, 2010-12-01, 1 file, -8/+16]
  The current implementation uses the MAC address of the client's VPN interface. This also restricts eurephia to use TAP mode. This patch adds preliminary support for also accepting the client's IP address when updating the firewall rules. But the complete support for TUN mode is not completed yet.
  Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
* Move daemonize() code to be called in the firewall child thread only  [David Sommerseth, 2010-11-26, 1 file, -2/+7]
  The eurephia plug-in would daemonize the OpenVPN process by calling daemonize() too early. This patch renames daemonize() to efw_daemonize() and calls it only in the firewall child process.
  Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
* Removed misleading documentation of eurephiaInit()  [David Sommerseth, 2010-08-29, 1 file, -3/+1]
  Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
* Show eurephia-auth version during initialisation  [David Sommerseth, 2010-08-29, 1 file, -0/+2]
  Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
* Completed the needed changes for the new firewall plug-in API  [David Sommerseth, 2010-08-25, 1 file, -7/+17]
  Moved over the missing pieces to use the eFWupdateRequest struct. This is a continuation of the work started in commit bdd956adcccd91ff553278fd73cea7
  Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
* Updated doxygen documentation for eurephia.c:245:eurephia_tlsverify()  [David Sommerseth, 2010-07-30, 1 file, -3/+4]
  This is related to the changes done in commit c6621d108bb8beb97ca61.
* Updated Copyright dates to include 2010  [David Sommerseth, 2010-07-30, 1 file, -1/+1]
* Restrict log length of mac address  [David Sommerseth, 2009-10-13, 1 file, -2/+2]
* Always process certificate depth as integer  [David Sommerseth, 2009-10-13, 1 file, -6/+7]
* Fixed memory leak in the firewall implementation and added mlock() usage  [David Sommerseth, 2009-10-06, 1 file, -0/+17]
  The memory leak was caused by not freeing the shadow context the firewall child process uses for logging. In addition this child process had a connection to the database open as well, which was not needed. This connection is now disconnected immediately after the child process has started. Added also usage of mlock() to protect sensitive information from being swapped out to disk.
* Use macros to extract values via get_env()  [David Sommerseth, 2009-10-05, 1 file, -36/+36]
  This has two purposes. To make the code more readable and to use the same maximum length of the data being retrieved from the environment table.
* Moved the get_env() function into its own file  [David Sommerseth, 2009-10-04, 1 file, -59/+2]
* Restrict input data length for plug-in arguments from openvpn  [David Sommerseth, 2009-10-04, 1 file, -2/+2]
  This only affects functions related to MAC address and certificate depth
* Modified get_env() function to limit number of bytes to extract  [David Sommerseth, 2009-10-02, 1 file, -55/+142]
  This is to enhance the security and to avoid possible buffer overflows based on input received from the client
* Added extra parameter to eurephia_log_init() to set log ident for syslog  [David Sommerseth, 2009-09-24, 1 file, -2/+2]
* Rewritten the eurephia_log() to support syslog logging as well  [David Sommerseth, 2009-09-24, 1 file, -35/+11]
  Also simplified the initialisation of the logging module. By calling the eurephia_log_init(eurephiaCTX *, char *dest, int loglevel) function, a log context will be set up inside the eurephiaCTX. To close the log file, eurephia_log_close(eurephiaCTX *) must be called.
  The destination string to eurephia_log_init() can be:
  - stdout: Log everything to stdout
  - stderr: Log everything to stderr
  - none: Do no logging at all
  - syslog:<facility> Log via syslog. <facility> can be: user, local[0-7], daemon or authpriv.
  - Filename: All logging goes to the given filename. If the filename string is not recognised by any of the reserved words above, it will be handled as a filename.
* Added debug logging of free_nullsafe() calls as well  [David Sommerseth, 2009-09-07, 1 file, -8/+8]
* Moved all malloc() operations over to a calloc wrapper, malloc_nullsafe()  [David Sommerseth, 2009-09-07, 1 file, -4/+7]
  This also improves debugging as well, if debug logging is enabled and log level is >= 40.
* Cleaned up and added some missing comments  [David Sommerseth, 2009-09-05, 1 file, -2/+2]
* Added doxygen comments  [David Sommerseth, 2009-09-02, 1 file, -10/+85]
* Added missing #include statements  [David Sommerseth, 2009-09-02, 1 file, -0/+1]
* Corrected a log entry on login/logout  [David Sommerseth, 2009-03-26, 1 file, -2/+2]
* Made the licence explicit GPLv2 only  [David Sommerseth, 2009-03-26, 1 file, -1/+1]
* Cleaned up the code a little bit  [David Sommerseth, 2009-03-26, 1 file, -2/+3]
  Made sure we only include needed include files and checked that the copyright headers are equal and correct
* Renamed passwdhash(...) function to eurephia_quick_hash(...)  [David Sommerseth, 2009-03-21, 1 file, -1/+1]
  This is to make it clearer that passwdhash(...) is not good for password hashing, but suitable when you need a quick hashing algorithm. The eurephia_quick_hash(...) is now used for password caching hashing, and is still suitable here since the salt used for the passwords is in memory only and never written to disk, as they are supposed to be temporary hashes.
* Moved eDBsessionGetRandString(...) to a more global and independent eurephia_randstring(...) function  [David Sommerseth, 2009-01-10, 1 file, -1/+2]
* BUGFIX: Removed several memory leaks  [David Sommerseth, 2009-01-03, 1 file, -0/+5]
* Introduced password caching on authenticated sessions  [David Sommerseth, 2009-01-03, 1 file, -4/+64]
  This is to prepare eurephia-auth plugin to use other and more CPU intensive hashing algorithms for passwords. In addition, open sessions will now not be rejected/closed due to wrong password if the user changes the password with an open session running.
  The patch adds a new server_salt attribute in the eurephiaCTX structure. This is used as a temporary salt and is created of random data when OpenVPN is started. When a user is being authenticated (eurephia.c/eurephia_userauth) an authentication session (not the same as a 'normal' session) is opened and checked for a cached password. If it does not exist or match, normal password check will be done against the user database. If a cached password is found and matches, it is considered to be authenticated.
  The cached password uses the SHA512 algorithm, together with the eurephiaCTX->server_salt.
* Merge branch 'master' into eurephiadm  [David Sommerseth, 2008-12-02, 1 file, -0/+2]
* Added login and logout info messages when log-level is 1  [David Sommerseth, 2008-12-02, 1 file, -0/+2]
* Added context_type into eurephiaCTX struct. Database queries limited due to context type.  [David Sommerseth, 2008-11-29, 1 file, -0/+1]
* Split plugin/eurephiadb_session.[ch] into two parts  [David Sommerseth, 2008-11-28, 1 file, -0/+1]
  One part is a generic session handling part (common/eurephiadb_session_common.[ch]) and the other part is left in the old plugin/eurephiadb_session.[ch]. This splitting should make it easier to reuse some of the session handling functions for the admin utils.
* Added minimum API version check when loading database driver.  [David Sommerseth, 2008-11-28, 1 file, -1/+1]
* Cleaned up eurephiadb_session dependencies  [David Sommerseth, 2008-11-28, 1 file, -0/+1]
  Moved eurephiadb_session_struct.h to the common directory and made sure that eurephiadb_session.h is only included where needed