path: root/plugin
Commit message | Author | Age | Files | Lines
* New feature: Added config option auth_disable_internal | David Sommerseth | 2013-03-03 | 1 | -6/+24
  By setting this config option in the eurephia database, eurephia will expect all user account/certificate links to be set up with an external plug-in for username/password authentications. Further, it is now ensured that system configuration issues or general failures not related to the user authentication itself are not counted as a login attempt.
  Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
* auth plug-in: Implemented the authentication plug-in into the core eurephia framework | David Sommerseth | 2013-03-03 | 1 | -4/+113
  This enables using an external authentication plug-in if a user account/certification link is configured to make use of it. This change ensures that all configured authentication plug-ins are loaded and available when eurephia is initialised.
  Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
* Added the first stab of an authentication plug-in framework | David Sommerseth | 2013-03-03 | 1 | -2/+4
  This enables run-time loadable support for other authentication modules. This can be used to make eurephia authenticate users' passwords against other sources than the local eurephia database itself.
  Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
* Added error checking before calling eDBget_uid() | David Sommerseth | 2012-11-02 | 1 | -0/+6
  This is to prepare for eDBget_uid() to also do lookups when certid is not set.
  Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
* eurephia-auth: Fixed a double-free situation when dev-type is not obvious | David Sommerseth | 2012-10-11 | 1 | -3/+2
  If OpenVPN is configured with an unknown --dev name and --dev-type is used, eurephia would in some specific situations double-free a memory region keeping the dev-type information. GETENV_*() functions return a pointer to a buffer which is supposed to be free'd, but pointers returned by eGet_value() should not be free'd. And in the error situation if dev-type is not forced or detected, the memory allocated by GETENV_DEVNAME() was not properly free'd.
  Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
* Updated copyright dates | David Sommerseth | 2012-10-08 | 15 | -15/+15
  Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
* Fix bug with TUN mode disconnects being logged wrongly. | David Sommerseth | 2012-09-13 | 1 | -8/+0
  This fixes a bug which appeared with newer OpenVPN versions, where the OPENVPN_PLUGIN_LEARN_ADDRESS would be called in the end - also in tun mode. And with the clean-up in session seed, in regards to the netmask not being part of the session seed, this little code made things worse. So let's get rid of it!
  Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
* Added a new database driver function: eDBregister_vpnclientaddr() | David Sommerseth | 2012-09-13 | 1 | -9/+8
  This function replaces eDBregister_vpnmacaddr(). This new function will in addition to the MAC address (if OpenVPN is running in TAP mode) also register the client's IPv4 VPN address. It's also prepared for logging the client's IPv6 VPN address. This function supports both TUN and TAP mode, while the old function only handled TAP mode.
  Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
* Remove VPN IP netmask from session seed | David Sommerseth | 2012-09-13 | 1 | -4/+4
  This is sometimes NULL, which is noticed more often when OpenVPN is configured in tun mode. This makes it difficult to identify the proper session key, as the seed isn't consistent. It does not affect much in regard to the seed itself, as the netmask is most likely going to be the same for all clients anyhow.
  Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
* eurephia-auth: eurephiaInit() may not always return a context | David Sommerseth | 2012-01-05 | 1 | -1/+4
  Check if we have a context available before setting ctx->tuntype.
  Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
* Do not link in libdl explicitly | David Sommerseth | 2010-12-31 | 1 | -1/+1
  The functions related to dynamic loading of shared objects are a part of the standard libc library on FreeBSD, while on Linux they are in libdl. However, the linker on Linux seems to add the libdl linking automatically when needed, so no need to explicitly link this library.
  Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
* efw-iptables: Use the iptables conntrack module | Matthew Gyurgyik | 2010-12-24 | 1 | -4/+4
  Make use of the iptables conntrack module instead of the older state module for stateful firewalling.
  Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
* Implemented proper TUN support in eurephia | David Sommerseth | 2010-12-14 | 5 | -23/+103
  Now eurephia will support both TUN and TAP configurations in OpenVPN. Thanks to Tavis Paquette and Matthew Gyurgyik for their willingness to test out this patch.
  Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
* Fixed memory leak in eurephiaInit() | David Sommerseth | 2010-12-05 | 1 | -2/+4
  This memory leak got introduced with commit 525d75316848f79208101e48a54e2 which moves the daemonisation of the firewall thread. Two environment variables were not freed after usage.
  Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
* Fixed a memory leak in eurephia_learn_address(...) | David Sommerseth | 2010-12-05 | 1 | -0/+2
  The char buffer returned by eDBget_firewall_profile() must be freed after usage.
  Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
* Add preliminary support for using IP addresses in the firewall module | David Sommerseth | 2010-12-01 | 2 | -25/+33
  The current implementation uses the MAC address of the client's VPN interface. This also restricts eurephia to use TAP mode. This patch adds preliminary support for also accepting the client's IP address when updating the firewall rules. But the complete support for TUN mode is not completed yet.
  Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
* Update efw-iptables version number and API version | David Sommerseth | 2010-11-30 | 2 | -3/+8
  As the firewall API has changed in regards to moving away from a string based implementation to a struct based implementation, the older eurephia firewall module will not work any longer. To make sure nothing bad happens, enforce that the efw-iptables module is at least using API version 2. Also updated the module version to reflect some changes as well.
  Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
* Implemented detection of OpenVPN tunnel device type | David Sommerseth | 2010-11-30 | 2 | -2/+111
  This will later be used to be able to support OpenVPN in tun mode as well as the now only supported tap mode. It will first try to detect the tunnel type based on the 'dev_type' environment variable if available. If not, it will try to figure it out based on the device name. If this fails, it is possible to force eurephia to a specific device type by setting the openvpn_devtype config variable.
  Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
* Move daemonize() code to be called in the firewall child thread only | David Sommerseth | 2010-11-26 | 5 | -35/+37
  The eurephia plug-in would daemonize the OpenVPN process by calling daemonize() too early. This patch renames daemonize() to efw_daemonize() and calls it only in the firewall child process.
  Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
* Removed misleading documentation of eurephiaInit() | David Sommerseth | 2010-08-29 | 1 | -3/+1
  Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
* Updated wrong log entries | David Sommerseth | 2010-08-29 | 1 | -1/+1
  Removed old and obsolete expressions used to reference the eurephia database driver.
  Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
* Show eurephia-auth version during initialisation | David Sommerseth | 2010-08-29 | 1 | -0/+2
  Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
* Fixed some issues with the firewall implementation | David Sommerseth | 2010-08-26 | 1 | -3/+9
  - OpenVPN would not exit gracefully due to mq_send() returning 0 on success
  - On-the-fly blacklisting with new API failed due to wrong value checking
  The request->rule_destination is empty when request->mode==BLACKLIST, so the check for rule_destination was moved to the appropriate place.
  Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
* Fixed Doxygen complaints | David Sommerseth | 2010-08-26 | 1 | -1/+4
  Removed some #defines which were not needed and added missing comments.
  Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
* Completed the needed changes for the new firewall plug-in API | David Sommerseth | 2010-08-25 | 4 | -135/+114
  Moved over the missing pieces to use the eFWupdateRequest struct. This is a continuation of the work started in commit bdd956adcccd91ff553278fd73cea7
  Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
* Fixed a few doxygen complaints - missing documentation | David Sommerseth | 2010-07-30 | 1 | -0/+4
  Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
* Added extra checks for POSIX semaphore functions | David Sommerseth | 2010-07-30 | 1 | -9/+31
  On Fedora 13 and Rawhide, the sem_wait(), sem_timedwait() and sem_post() functions are no longer available in librt, only in libpthread. Added extra CMake checks to check if the functions are in libpthread if not found in librt.
* Added install rules for man pages | David Sommerseth | 2010-07-30 | 1 | -0/+1
* Updated doxygen documentation for eurephia.c:245:eurephia_tlsverify() | David Sommerseth | 2010-07-30 | 1 | -3/+4
  This is related to the changes done in commit c6621d108bb8beb97ca61.
* Moved all man pages from section 8 to the more proper section 7. | David Sommerseth | 2010-07-30 | 1 | -2/+2
* Added man pages for eurephia-auth.so and edb-sqlite.so | David Sommerseth | 2010-07-30 | 1 | -0/+49
* Updated Copyright dates to include 2010 | David Sommerseth | 2010-07-30 | 16 | -16/+16
* Changed main firewall implementation to use eFWupdateRequest struct | David Sommerseth | 2009-11-09 | 3 | -57/+142
  All functions calling eFW_UpdateFirewall() and the iptables driver need to be updated as well.
* Cleaned up the driver/interface API for database and firewall | David Sommerseth | 2009-11-04 | 1 | -3/+5
* Restrict log length of mac address | David Sommerseth | 2009-10-13 | 1 | -2/+2
* Always process certificate depth as integer | David Sommerseth | 2009-10-13 | 1 | -6/+7
* Fixed memory leak in the firewall implementation and added mlock() usage | David Sommerseth | 2009-10-06 | 2 | -1/+25
  The memory leak was caused by not freeing the shadow context the firewall child process uses for logging. In addition this child process had a connection to the database open as well, which was not needed. This connection is now disconnected immediately after the child process has started. Added also usage of mlock() to protect sensitive information from being swapped out to disk.
* Added missing doxygen comments to environment.h | David Sommerseth | 2009-10-05 | 1 | -17/+182
* Use macros to extract values via get_env() | David Sommerseth | 2009-10-05 | 4 | -42/+97
  This has two purposes. To make the code more readable and to use the same maximum length of the data being retrieved from the environment table.
* Only DEBUG log what get_env() will return | David Sommerseth | 2009-10-05 | 1 | -3/+3
* Moved the get_env() function into its own file | David Sommerseth | 2009-10-04 | 4 | -59/+144
* Restrict input data length for plug-in arguments from openvpn | David Sommerseth | 2009-10-04 | 2 | -8/+11
  This only affects functions related to MAC address and certificate depth
* Tightening the building of the seeddata string even more | David Sommerseth | 2009-10-02 | 1 | -1/+1
  This is a follow up of commit 80b41e27b7361633bee17c64bbb95490dc94ab9f
* Fixed possible integer overflow issue | David Sommerseth | 2009-10-02 | 1 | -7/+7
  The eDBopen_session_seed() function was prone to an integer overflow issue, if the input data (some of which comes from clients) exceeds the size_t max value which calloc() uses (via malloc_nullsafe()). The totlen variable was in addition defined as int and the totlen value was multiplied by 2. The fix was to use the maximum values used when calling get_env(). The maximum of these values can then be added together to retrieve the maximum length of the seeddata string. This should also make the execution go slightly quicker as strlen_nullsafe() is no longer called for each of the input variables. In addition, there are no reasons to multiply the totlen value by two as it did. Credit goes to Larry Highsmith for noticing this potential problem.
* Modified get_env() function to limit number of bytes to extract | David Sommerseth | 2009-10-02 | 3 | -60/+152
  This is to enhance the security and to avoid possible buffer overflows based on input received from the client.
* Added extra parameter to eurephia_log_init() to set log ident for syslog | David Sommerseth | 2009-09-24 | 1 | -2/+2
* Rewritten the eurephia_log() to support syslog logging as well | David Sommerseth | 2009-09-24 | 3 | -39/+14
  Also simplified the initialisation of the logging module. By calling the eurephia_log_init(eurephiaCTX *, char *dest, int loglevel) function, a log context will be setup inside the eurephiaCTX. To close the log file, eurephia_log_close(eurephiaCTX *) must be called.
  The destination string to eurephia_log_init() can be:
  - stdout: Log everything to stdout
  - stderr: Log everything to stderr
  - none: Do no logging at all
  - syslog:<facility> Log via syslog. <facility> can be: user, local[0-7], daemon or authpriv.
  - Filename All logging goes to the given filename. If the filename string is not recognised by any of the reserved words above, it will be handled as a filename.
* Fixed some new Doxygen warnings which came after enabling static functions and vars | David Sommerseth | 2009-09-14 | 1 | -1/+9
* Added debug logging of free_nullsafe() calls as well | David Sommerseth | 2009-09-07 | 4 | -46/+46
* Moved all malloc() operations over to a calloc wrapper, malloc_nullsafe() | David Sommerseth | 2009-09-07 | 3 | -30/+18
  This also improves debugging as well, if debug logging is enabled and log level is >= 40.