| Commit message | Author | Age | Files | Lines |
| |
The memory leak was caused by not freeing the shadow context the firewall
child process uses for logging. In addition this child process had a
connection to the database open as well, which was not needed. This
connection is now disconnected immediately after the child process has
started.
Added also usage of mlock() to protect sensitive information from being
swapped out to disk.
| |
This has two purposes. To make the code more readable and to use the
same maximum length of the data being retrieved from the environment table.
| |
This only affects functions related to MAC address and certificate depth
| |
This is a follow up of commit 80b41e27b7361633bee17c64bbb95490dc94ab9f
| |
The eDBopen_session_seed() function was prone to an integer overflow issue, if
the input data (some of which comes from clients) exceeds the size_t max value which
calloc() uses (via malloc_nullsafe()). The totlen variable was in addition defined
as int and the totlen value was multiplied by 2.
The fix was to use the maximum values used when calling get_env(). These maximum
values can then be added together to retrieve the maximum length of the seeddata string.
This should also make the execution go slightly quicker as strlen_nullsafe() is no
longer called for each of the input variables. In addition, there are no reasons to
multiply the totlen value by two as it did.
Credit goes to Larry Highsmith for noticing this potential problem.
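The sizing problem described in this commit message, as an added example that is not eurephia's own code: `old_alloc_size()` models a length sum kept in 32 bits and then doubled, and `build_seed()` shows the bounded approach of capping each field and sizing the buffer from the sum of the caps. The function names, the three fields and the cap values 60/64/34 are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical per-field caps; the real get_env() maxima are not shown on this page. */
#define NFIELDS 3
static const size_t FIELD_MAX[NFIELDS] = { 60, 64, 34 };
#define SEED_MAX (60 + 64 + 34) /* compile-time bound on the seed string */

/* Model of the old sizing: lengths summed in 32 bits, then doubled.
 * Unsigned arithmetic reproduces the wraparound without undefined behaviour. */
static uint32_t old_alloc_size(const size_t *lens, size_t n)
{
    uint32_t totlen = 0;
    for (size_t i = 0; i < n; i++)
        totlen += (uint32_t)lens[i];
    return totlen * 2u;
}

/* Bounded build: each field is cut at its cap, so the seed always fits in
 * SEED_MAX + 1 bytes whatever the client sent. Returns the seed length. */
static size_t build_seed(char out[SEED_MAX + 1], const char *const fields[NFIELDS])
{
    size_t pos = 0;
    for (size_t i = 0; i < NFIELDS; i++) {
        if (fields[i] == NULL)
            continue;
        const char *nul = memchr(fields[i], '\0', FIELD_MAX[i]);
        size_t len = nul ? (size_t)(nul - fields[i]) : FIELD_MAX[i];
        memcpy(out + pos, fields[i], len);
        pos += len;
    }
    out[pos] = '\0';
    return pos;
}

int main(void)
{
    /* Constructed lengths: two inputs that together exceed 2 GiB. */
    size_t lens[2] = { 0x40000000u, 0x40000001u };
    char big[200];
    memset(big, 'A', sizeof(big) - 1);
    big[sizeof(big) - 1] = '\0';
    const char *const fields[NFIELDS] = { big, "cn=client", NULL };
    char seed[SEED_MAX + 1];
    printf("old sizing would allocate %u bytes\n", (unsigned)old_alloc_size(lens, 2));
    printf("bounded seed length: %zu (max %d)\n", build_seed(seed, fields), SEED_MAX);
}
```

With the constructed lengths the modelled old calculation requests a 2-byte buffer for more than 2 GiB of input, while the bounded build truncates the 199-byte field to its 60-byte cap.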
| |
This is to enhance the security and to avoid possible buffer overflows
based on input received from the client
| |
Also simplified the initialisation of the logging module. By calling
the eurephia_log_init(eurephiaCTX *, char *dest, int loglevel) function,
a log context will be set up inside the eurephiaCTX.
To close the log file, eurephia_log_close(eurephiaCTX *) must be called.
The destination string to eurephia_log_init() can be:
 - stdout:
     Log everything to stdout
 - stderr:
     Log everything to stderr
 - none:
     Do no logging at all
 - syslog:<facility>
     Log via syslog. <facility> can be: user, local[0-7],
     daemon or authpriv.
 - Filename
     All logging goes to the given filename. If the filename
     string is not recognised by any of the reserved words above,
     it will be handled as a filename.
| |
and vars
| |
This also improves debugging as well, if debug logging is enabled and log level is >= 40.
| |
A compiler warning showed up when --debug mode was enabled.
| |
This static library is later on linked in. This is to avoid recompiling
the same source files several times during a complete eurephia
compilation.
| |
Also added install rules to XSLT files
| |
Made sure we only include needed include files and checked that
the copyright headers are equal and correct
| |
This is to make it clearer that passwdhash(...) is not good for password
hashing, but suitable when you need a quick hashing algorithm.
The eurephia_quick_hash(...) is now used for password caching hashing,
and is still suitable here since the salt used for the passwords is in
memory only and never written to disk, as they are supposed to be
temporary hashes.
| |
eurephia_randstring(...) function
| |
This is to prepare eurephia-auth plugin to use other and
more CPU intensive hashing algorithms for passwords. In addition,
open sessions will now not be rejected/closed due to wrong
password if the user changes the password with an open session
running.
The patch adds a new server_salt attribute in the eurephiaCTX
structure. This is used as a temporary salt and is created of
random data when OpenVPN is started.
When a user is being authenticated (eurephia.c/eurephia_userauth)
an authentication session (not the same as a 'normal' session) is
opened and checked for a cached password. If it does not exist
or match, normal password check will be done against the user
database. If a cached password is found and matches, it is
considered to be authenticated.
The cached password uses the SHA512 algorithm, together with the
eurephiaCTX->server_salt.
| | |
context type.
| | |
0c35035dc8ac5d099f53353938a66b33227d3342
| |
One part is a generic session handling part
(common/eurephiadb_session_common.[ch]) and the other part
is left in the old plugin/eurephiadb_session.[ch].
This splitting should make it easier to reuse some of the session
handling functions for the admin utils.
| |
Moved eurephiadb_session_struct.h to the common directory and
made sure that eurephiadb_session.h is only included where needed
|
| |
eurephia_context.h only needs to know about the eurephiaFWINTF *
struct when compiling the auth plug-in and firewall modules.
To enable this, EUREPHIA_FWINTF needs to be defined and
eurephiafw_struct.h must be included before including eurephia_context.h
in the source. When this is not done, *fwcfg will just be a void *.
| |
Since this include file now only consists of eurephiaCTX definition,
it was moved to the common/ directory and renamed.
Moved the SESSION_* definitions out of this file and into
plugin/eurephiadb_session.h where they belong.
Moved the Posix MQ definitions into plugin/firewall/eurephiafw_struct.h
where they belong.
eurephia_context.h now contains only context related things.
| |
separate include files
| |
be built
| |
implementation