Merge branch 'tmp-syslog-fix' into 'master'

syslog: LOG_AUTH is not a priority

See merge request openconnect/ocserv!188
Nikos Mavrogiannopoulos
2020-06-28 16:05:34 +00:00
9 changed files with 60 additions and 60 deletions


@@ -50,7 +50,7 @@ pam_handle_t *ph;
struct pam_conv dc;
if (ai->username[0] == 0) {
syslog(LOG_AUTH,
syslog(LOG_NOTICE,
"PAM-acct: no username present");
return ERR_AUTH_FAIL;
}
@@ -59,7 +59,7 @@ struct pam_conv dc;
dc.appdata_ptr = NULL;
pret = pam_start(PACKAGE, ai->username, &dc, &ph);
if (pret != PAM_SUCCESS) {
syslog(LOG_AUTH, "PAM-acct init: %s", pam_strerror(ph, pret));
syslog(LOG_NOTICE, "PAM-acct init: %s", pam_strerror(ph, pret));
goto fail1;
}
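Review bot: Replacing LOG_AUTH with a bare LOG_NOTICE here (and in every other hunk of this commit) changes the facility as well as the priority: LOG_AUTH's low three bits are zero, so the old calls were effectively logged as auth.emerg, while the new calls fall back to whatever facility openlog() configured, which may move these authentication failures out of the auth log stream that is normally collected and alerted on. If keeping them under the auth facility is intended, OR it in explicitly, `syslog(LOG_AUTH | LOG_NOTICE, "PAM-acct: no username present");` (LOG_AUTHPRIV where the message carries a username), or set the facility once in openlog(); the same consideration applies to the seclog() calls in the sec-mod hunks if that wrapper passes the priority through unchanged. The enclosing function starts and ends outside the hunk.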


@@ -191,7 +191,7 @@ static void radius_acct_session_stats(void *_vctx, unsigned auth_method, const c
rc_avpair_free(recvd);
if (ret != OK_RC) {
syslog(LOG_AUTH, "radius-auth: radius_open_session: %d", ret);
syslog(LOG_NOTICE, "radius-auth: radius_open_session: %d", ret);
goto cleanup;
}
@@ -233,7 +233,7 @@ static int radius_acct_open_session(void *_vctx, unsigned auth_method, const com
rc_avpair_free(recvd);
if (ret != OK_RC) {
syslog(LOG_AUTH, "radius-auth: radius_open_session: %d", ret);
syslog(LOG_NOTICE, "radius-auth: radius_open_session: %d", ret);
ret = -1;
goto cleanup;
}
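Review bot: The message on the new line at L36 is emitted from radius_acct_session_stats (per the hunk header) yet reads "radius-auth: radius_open_session", so a session-stats failure is indistinguishable in the log from the genuine open-session failure at L43 and is mislabelled as the auth module; since the priority is being touched anyway, suggest `syslog(LOG_NOTICE, "radius-acct: radius_acct_session_stats: %d", ret);` and `"radius-acct: radius_acct_open_session: %d"` at L43. Both enclosing functions start and end outside their hunks.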


@@ -64,7 +64,7 @@ unsigned found;
}
if (found == 0) {
syslog(LOG_AUTH,
syslog(LOG_NOTICE,
"user '%s' requested group '%s' but is not a member",
username, suggested);
return -1;


@@ -254,7 +254,7 @@ static json_t *oidc_fetch_json_from_uri(void * pool, const char *uri)
curl = curl_easy_init();
if (!curl) {
syslog(LOG_AUTH,
syslog(LOG_NOTICE,
"ocserv-oidc: failed to download JSON document: URI %s\n",
uri);
goto cleanup;
@@ -262,7 +262,7 @@ static json_t *oidc_fetch_json_from_uri(void * pool, const char *uri)
res = curl_easy_setopt(curl, CURLOPT_URL, uri);
if (res != CURLE_OK) {
syslog(LOG_AUTH,
syslog(LOG_NOTICE,
"ocserv-oidc: failed to download JSON document: URI %s, CURLcode %d\n",
uri, res);
goto cleanup;
@@ -272,7 +272,7 @@ static json_t *oidc_fetch_json_from_uri(void * pool, const char *uri)
curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION,
oidc_json_parser_context_callback);
if (res != CURLE_OK) {
syslog(LOG_AUTH,
syslog(LOG_NOTICE,
"ocserv-oidc: failed to download JSON document: URI %s, CURLcode %d\n",
uri, res);
goto cleanup;
@@ -280,7 +280,7 @@ static json_t *oidc_fetch_json_from_uri(void * pool, const char *uri)
res = curl_easy_setopt(curl, CURLOPT_WRITEDATA, &context);
if (res != CURLE_OK) {
syslog(LOG_AUTH,
syslog(LOG_NOTICE,
"ocserv-oidc: failed to download JSON document: URI %s, CURLcode %d\n",
uri, res);
goto cleanup;
@@ -288,7 +288,7 @@ static json_t *oidc_fetch_json_from_uri(void * pool, const char *uri)
res = curl_easy_perform(curl);
if (res != CURLE_OK) {
syslog(LOG_AUTH,
syslog(LOG_NOTICE,
"ocserv-oidc: failed to download JSON document: URI %s, CURLcode %d\n",
uri, res);
goto cleanup;
@@ -296,7 +296,7 @@ static json_t *oidc_fetch_json_from_uri(void * pool, const char *uri)
json = json_loadb(context.buffer, context.offset, 0, &err);
if (!json) {
syslog(LOG_AUTH,
syslog(LOG_NOTICE,
"ocserv-oidc: failed to parse JSON document: URI %s\n",
uri);
goto cleanup;
@@ -327,7 +327,7 @@ static bool oidc_fetch_oidc_keys(oidc_vctx_st * vctx)
json_t *value;
if (!openid_configuration_url) {
syslog(LOG_AUTH,
syslog(LOG_NOTICE,
"ocserv-oidc: openid_configuration_url missing from config\n");
goto cleanup;
}
@@ -338,21 +338,21 @@ static bool oidc_fetch_oidc_keys(oidc_vctx_st * vctx)
(openid_configuration_url));
if (!oidc_config) {
syslog(LOG_AUTH,
syslog(LOG_NOTICE,
"ocserv-oidc: Unable to fetch config doc from %s\n", json_string_value(openid_configuration_url));
goto cleanup;
}
json_t *jwks_uri = json_object_get(oidc_config, "jwks_uri");
if (!jwks_uri || !json_string_value(jwks_uri)) {
syslog(LOG_AUTH,
syslog(LOG_NOTICE,
"ocserv-oidc: jwks_uri missing from config doc\n");
goto cleanup;
}
jwks = oidc_fetch_json_from_uri(vctx->pool, json_string_value(jwks_uri));
if (!jwks) {
syslog(LOG_AUTH,
syslog(LOG_NOTICE,
"ocserv-oidc: failed to fetch keys from jwks_uri %s\n",
json_string_value(jwks_uri));
goto cleanup;
@@ -360,7 +360,7 @@ static bool oidc_fetch_oidc_keys(oidc_vctx_st * vctx)
array = json_object_get(jwks, "keys");
if (array == NULL) {
syslog(LOG_AUTH, "ocserv-oidc: JWK keys malformed\n");
syslog(LOG_NOTICE, "ocserv-oidc: JWK keys malformed\n");
goto cleanup;
}
@@ -405,24 +405,24 @@ static bool oidc_verify_lifetime(json_t * token_claims)
time_t current_time = time(NULL);
if (!token_nbf || !json_integer_value(token_nbf)) {
syslog(LOG_AUTH, "ocserv-oidc: Token missing 'nbf' claim\n");
syslog(LOG_NOTICE, "ocserv-oidc: Token missing 'nbf' claim\n");
goto cleanup;
}
if (!token_exp || !json_integer_value(token_exp)) {
syslog(LOG_AUTH, "ocserv-oidc: Token missing 'exp' claim\n");
syslog(LOG_NOTICE, "ocserv-oidc: Token missing 'exp' claim\n");
goto cleanup;
}
if (!token_iat || !json_integer_value(token_iat)) {
syslog(LOG_AUTH, "ocserv-oidc: Token missing 'iat' claim\n");
syslog(LOG_NOTICE, "ocserv-oidc: Token missing 'iat' claim\n");
goto cleanup;
}
// Check to ensure the token is within it's validity
if (json_integer_value(token_nbf) > current_time
|| json_integer_value(token_exp) < current_time) {
syslog(LOG_AUTH,
syslog(LOG_NOTICE,
"ocserv-oidc: Token not within validity period NBF: %lld EXP: %lld Current: %ld\n",
json_integer_value(token_nbf),
json_integer_value(token_exp), current_time);
@@ -450,7 +450,7 @@ static bool oidc_verify_required_claims(json_t * required_claims,
token_claim_value =
json_object_get(token_claims, required_claim_name);
if (!json_equal(required_claim_value, token_claim_value)) {
syslog(LOG_AUTH,
syslog(LOG_NOTICE,
"ocserv-oidc: Required claim not met. Claim: %s Expected Value: %s\n",
required_claim_name,
json_string_value(required_claim_value));
@@ -474,7 +474,7 @@ static bool oidc_map_user_name(json_t * user_name_claim,
json_t *token_user_name_claim =
json_object_get(token_claims, json_string_value(user_name_claim));
if (!token_user_name_claim || !json_string_value(token_user_name_claim)) {
syslog(LOG_AUTH, "ocserv-oidc: Token missing '%s' claim\n",
syslog(LOG_NOTICE, "ocserv-oidc: Token missing '%s' claim\n",
json_string_value(user_name_claim));
goto cleanup;
}
@@ -497,7 +497,7 @@ static json_t *oidc_extract_claims(cjose_jws_t * jws)
// Extract the claim portion from the token
if (!cjose_jws_get_plaintext(jws, &plain_text, &plain_text_size, &err)) {
syslog(LOG_AUTH,
syslog(LOG_NOTICE,
"ocserv-oidc: Failed to get plain text from token\n");
goto cleanup;
}
@@ -506,7 +506,7 @@ static json_t *oidc_extract_claims(cjose_jws_t * jws)
token_claims =
json_loadb((char *)plain_text, plain_text_size, 0, &json_err);
if (!token_claims) {
syslog(LOG_AUTH,
syslog(LOG_NOTICE,
"ocserv-oidc: Failed to get claims from token\n");
goto cleanup;
}
@@ -529,20 +529,20 @@ static bool oidc_verify_singature(oidc_vctx_st * vctx, cjose_jws_t * jws)
json_t *value;
if (vctx->jwks == NULL) {
syslog(LOG_AUTH, "ocserv-oidc: JWK keys not available\n");
syslog(LOG_NOTICE, "ocserv-oidc: JWK keys not available\n");
goto cleanup;
}
array = json_object_get(vctx->jwks, "keys");
if (array == NULL) {
syslog(LOG_AUTH, "ocserv-oidc: JWK keys malformed\n");
syslog(LOG_NOTICE, "ocserv-oidc: JWK keys malformed\n");
goto cleanup;
}
// Get the token header
token_header = cjose_jws_get_protected(jws);
if (token_header == NULL) {
syslog(LOG_AUTH,
syslog(LOG_NOTICE,
"ocserv-oidc: Token malformed - no header\n");
goto cleanup;
}
@@ -550,13 +550,13 @@ static bool oidc_verify_singature(oidc_vctx_st * vctx, cjose_jws_t * jws)
// Get the kid of the key used to sign this token
token_kid = json_object_get(token_header, "kid");
if (token_kid == NULL || !json_string_value(token_kid)) {
syslog(LOG_AUTH, "ocserv-oidc: Token malformed - no kid\n");
syslog(LOG_NOTICE, "ocserv-oidc: Token malformed - no kid\n");
goto cleanup;
}
token_typ = json_object_get(token_header, "typ");
if (token_typ == NULL || !json_string_value(token_typ) || strcmp(json_string_value(token_typ), "JWT")) {
syslog(LOG_AUTH, "ocserv-oidc: Token malformed - wrong typ claim\n");
syslog(LOG_NOTICE, "ocserv-oidc: Token malformed - wrong typ claim\n");
goto cleanup;
}
@@ -571,16 +571,16 @@ static bool oidc_verify_singature(oidc_vctx_st * vctx, cjose_jws_t * jws)
if (jwk == NULL) {
time_t now;
syslog(LOG_AUTH, "ocserv-oidc: JWK with kid=%s not found\n",
syslog(LOG_NOTICE, "ocserv-oidc: JWK with kid=%s not found\n",
json_string_value(token_kid));
syslog(LOG_AUTH, "ocserv-oidc: attempting to download new JWKs");
syslog(LOG_NOTICE, "ocserv-oidc: attempting to download new JWKs");
now = time(0);
if ((now - vctx->last_jwks_load_time) > vctx->minimum_jwk_refresh_time) {
oidc_fetch_oidc_keys(vctx);
}
else {
syslog(LOG_AUTH, "ocserv-oidc: skipping JWK refresh");
syslog(LOG_NOTICE, "ocserv-oidc: skipping JWK refresh");
}
// Fail the request and let the client try again.
@@ -588,7 +588,7 @@ static bool oidc_verify_singature(oidc_vctx_st * vctx, cjose_jws_t * jws)
}
if (!cjose_jws_verify(jws, jwk, &err)) {
syslog(LOG_AUTH, "ocserv-oidc: Token failed validation %s\n",
syslog(LOG_NOTICE, "ocserv-oidc: Token failed validation %s\n",
err.message);
goto cleanup;
}
@@ -611,33 +611,33 @@ static bool oidc_verify_token(oidc_vctx_st * vctx, const char *token,
jws = cjose_jws_import(token, token_length, &err);
if (jws == NULL) {
syslog(LOG_AUTH, "ocserv-oidc: Token malformed - %s\n",
syslog(LOG_NOTICE, "ocserv-oidc: Token malformed - %s\n",
err.message);
goto cleanup;
}
if (!oidc_verify_singature(vctx, jws)) {
syslog(LOG_AUTH,
syslog(LOG_NOTICE,
"ocserv-oidc: Token signature validation failed\n");
goto cleanup;
}
token_claims = oidc_extract_claims(jws);
if (!token_claims) {
syslog(LOG_AUTH,
syslog(LOG_NOTICE,
"ocserv-oidc: Unable to access token claims\n");
goto cleanup;
}
if (!oidc_verify_lifetime(token_claims)) {
syslog(LOG_AUTH,
syslog(LOG_NOTICE,
"ocserv-oidc: Token lifetime validation failed\n");
goto cleanup;
}
if (!oidc_verify_required_claims
(json_object_get(vctx->config, "required_claims"), token_claims)) {
syslog(LOG_AUTH,
syslog(LOG_NOTICE,
"ocserv-oidc: Token required claims validation failed\n");
goto cleanup;
}
@@ -645,7 +645,7 @@ static bool oidc_verify_token(oidc_vctx_st * vctx, const char *token,
if (!oidc_map_user_name
(json_object_get(vctx->config, "user_name_claim"), token_claims,
user_name)) {
syslog(LOG_AUTH,
syslog(LOG_NOTICE,
"ocserv-oidc: Unable to map user name claim\n");
goto cleanup;
}
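Review bot: In the hunk at L242-L258 the new lines at L249 ("attempting to download new JWKs") and L256 ("skipping JWK refresh") describe normal key-refresh progress rather than a failure, so giving them the same LOG_NOTICE as the "JWK with kid=%s not found" failure at L246 makes the refresh path noisy at the level operators will alert on; `syslog(LOG_INFO, "ocserv-oidc: attempting to download new JWKs");` and `syslog(LOG_INFO, "ocserv-oidc: skipping JWK refresh");` would keep LOG_NOTICE for the actual rejection. Separately, most ocserv-oidc messages in this file end with "\n" (e.g. L225, L233) while these two do not; syslog(3) does not need the newline, so dropping it from the others would make the set consistent. oidc_verify_singature starts and ends outside the hunk.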


@@ -160,7 +160,7 @@ int pret;
struct pam_ctx_st * pctx;
if (info->username == NULL || info->username[0] == 0) {
syslog(LOG_AUTH,
syslog(LOG_NOTICE,
"pam-auth: no username present");
return ERR_AUTH_FAIL;
}
@@ -175,7 +175,7 @@ struct pam_ctx_st * pctx;
pctx->dc.appdata_ptr = pctx;
pret = pam_start(PACKAGE, info->username, &pctx->dc, &pctx->ph);
if (pret != PAM_SUCCESS) {
syslog(LOG_AUTH, "PAM-auth init: %s", pam_strerror(pctx->ph, pret));
syslog(LOG_NOTICE, "PAM-auth init: %s", pam_strerror(pctx->ph, pret));
goto fail1;
}
@@ -214,7 +214,7 @@ size_t prompt_hash = 0;
co_call(pctx->cr);
if (pctx->cr_ret != PAM_SUCCESS) {
syslog(LOG_AUTH, "PAM-auth pam_auth_msg: %s", pam_strerror(pctx->ph, pctx->cr_ret));
syslog(LOG_NOTICE, "PAM-auth pam_auth_msg: %s", pam_strerror(pctx->ph, pctx->cr_ret));
return ERR_AUTH_FAIL;
}
}
@@ -254,7 +254,7 @@ struct pam_ctx_st * pctx = ctx;
return -1;
if (pctx->state != PAM_S_WAIT_FOR_PASS) {
syslog(LOG_AUTH, "PAM auth: conversation left in wrong state (%d/expecting %d)", pctx->state, PAM_S_WAIT_FOR_PASS);
syslog(LOG_NOTICE, "PAM auth: conversation left in wrong state (%d/expecting %d)", pctx->state, PAM_S_WAIT_FOR_PASS);
return ERR_AUTH_FAIL;
}
@@ -265,7 +265,7 @@ struct pam_ctx_st * pctx = ctx;
co_call(pctx->cr);
if (pctx->cr_ret != PAM_SUCCESS) {
syslog(LOG_AUTH, "PAM-auth pam_auth_pass: %s", pam_strerror(pctx->ph, pctx->cr_ret));
syslog(LOG_NOTICE, "PAM-auth pam_auth_pass: %s", pam_strerror(pctx->ph, pctx->cr_ret));
return ERR_AUTH_FAIL;
}
@@ -294,7 +294,7 @@ int pret;
pret = pam_get_item(pctx->ph, PAM_USER, (const void **)&user);
if (pret != PAM_SUCCESS) {
/*syslog(LOG_AUTH, "PAM-auth: pam_get_item(PAM_USER): %s", pam_strerror(pctx->ph, pret));*/
/*syslog(LOG_NOTICE, "PAM-auth: pam_get_item(PAM_USER): %s", pam_strerror(pctx->ph, pret));*/
return -1;
}
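Review bot: The hunk at L351-L357 edits a commented-out syslog call (L354-L355), leaving dead code that is still being maintained; either delete the comment or restore the call, since silently returning -1 from pam_get_item(PAM_USER) failures gives operators nothing to correlate a failed login against. If restoring, `syslog(LOG_NOTICE, "PAM-auth: pam_get_item(PAM_USER): %s", pam_strerror(pctx->ph, pret));` is the already-written line. The enclosing function starts and ends outside the hunk.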


@@ -158,7 +158,7 @@ static int read_auth_pass(struct plain_ctx_st *pctx)
fp = fopen(pctx->config->passwd, "r");
if (fp == NULL) {
syslog(LOG_AUTH,
syslog(LOG_NOTICE,
"error in plain authentication; cannot open: %s",
pctx->config->passwd);
return -1;
@@ -232,7 +232,7 @@ static int plain_auth_init(void **ctx, void *pool, void *vctx, const common_auth
int ret;
if (info->username == NULL || info->username[0] == 0) {
syslog(LOG_AUTH,
syslog(LOG_NOTICE,
"plain-auth: no username present");
return ERR_AUTH_FAIL;
}
@@ -283,7 +283,7 @@ static int plain_auth_group(void *ctx, const char *suggested, char *groupname, i
}
if (found == 0) {
syslog(LOG_AUTH,
syslog(LOG_NOTICE,
"user '%s' requested group '%s' but is not a member",
pctx->username, suggested);
return -1;
@@ -322,7 +322,7 @@ static int plain_auth_pass(void *ctx, const char *pass, unsigned pass_len)
pctx->pass_msg = pass_msg_failed;
return ERR_AUTH_CONTINUE;
} else {
syslog(LOG_AUTH,
syslog(LOG_NOTICE,
"plain-auth: error authenticating user '%s'",
pctx->username);
return ERR_AUTH_FAIL;
@@ -330,7 +330,7 @@ static int plain_auth_pass(void *ctx, const char *pass, unsigned pass_len)
}
if (pctx->cpass[0] == 0 && pctx->config->otp_file == NULL) {
syslog(LOG_AUTH,
syslog(LOG_NOTICE,
"plain-auth: user '%s' has empty password and no OTP file configured",
pctx->username);
return ERR_AUTH_FAIL;
@@ -351,7 +351,7 @@ static int plain_auth_pass(void *ctx, const char *pass, unsigned pass_len)
ret = oath_authenticate_usersfile(pctx->config->otp_file, pctx->username,
pass, HOTP_WINDOW, NULL, &last);
if (ret != OATH_OK) {
syslog(LOG_AUTH,
syslog(LOG_NOTICE,
"plain-auth: OTP auth failed for '%s': %s",
pctx->username, oath_strerror(ret));
return ERR_AUTH_FAIL;
@@ -416,7 +416,7 @@ static void plain_group_list(void *pool, void *additional, char ***groupname, un
pool = talloc_init("plain");
fp = fopen(config->passwd, "r");
if (fp == NULL) {
syslog(LOG_AUTH,
syslog(LOG_NOTICE,
"error in plain authentication; cannot open: %s",
(char*)config->passwd);
return;
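Review bot: In the hunk at L411-L419, L412 assigns a fresh talloc context to pool immediately before the fopen() that the new syslog line reports on, and the failure path returns at L419 without releasing it; if the rest of plain_group_list frees pool on the success path (outside the hunk), this error path leaks one context per failed call. Add `talloc_free(pool);` before the `return;` at L419, or allocate the context only after the file is open. The enclosing function starts and ends outside the hunk.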


@@ -111,7 +111,7 @@ static int radius_auth_init(void **ctx, void *pool, void *_vctx, const common_au
struct radius_vhost_ctx *vctx = _vctx;
if (info->username == NULL || info->username[0] == 0) {
syslog(LOG_AUTH,
syslog(LOG_NOTICE,
"radius-auth: no username present");
return ERR_AUTH_FAIL;
}
@@ -162,7 +162,7 @@ static int radius_auth_group(void *ctx, const char *suggested, char *groupname,
}
}
syslog(LOG_AUTH,
syslog(LOG_NOTICE,
"radius-auth: user '%s' requested group '%s' but is not a member",
pctx->username, suggested);
return -1;
@@ -471,7 +471,7 @@ static int radius_auth_pass(void *ctx, const char *pass, unsigned pass_len)
goto cleanup;
}
syslog(LOG_AUTH,
syslog(LOG_NOTICE,
"radius-auth: error authenticating user '%s' (code %d)",
pctx->username, ret);
ret = ERR_AUTH_FAIL;


@@ -302,7 +302,7 @@ int check_group(sec_mod_st * sec, client_entry_st * e)
}
if (found == 0) {
seclog(sec, LOG_AUTH, "user '%s' requested group '%s' but is not included on his certificate groups",
seclog(sec, LOG_NOTICE, "user '%s' requested group '%s' but is not included on his certificate groups",
e->acct_info.username, req_group);
return -1;
}
@@ -778,7 +778,7 @@ int handle_sec_auth_init(int cfd, sec_mod_st *sec, const SecAuthInitMsg *req, pi
time_t session_start_time;
if (req->hmac.len != HMAC_DIGEST_SIZE || !req->hmac.data) {
seclog(sec, LOG_AUTH, "hmac is the wrong size");
seclog(sec, LOG_NOTICE, "hmac is the wrong size");
return -1;
}
@@ -796,14 +796,14 @@ int handle_sec_auth_init(int cfd, sec_mod_st *sec, const SecAuthInitMsg *req, pi
generate_hmac(sizeof(sec->hmac_key), sec->hmac_key, sizeof(hmac_components) / sizeof(hmac_components[0]), hmac_components, computed_hmac);
if (memcmp(computed_hmac, req->hmac.data, req->hmac.len) != 0) {
seclog(sec, LOG_AUTH, "hmac presented by client doesn't match parameters provided - possible replay");
seclog(sec, LOG_NOTICE, "hmac presented by client doesn't match parameters provided - possible replay");
return -1;
}
vhost = find_vhost(sec->vconfig, req->vhost);
if ((now - session_start_time) > vhost->perm_config.config->auth_timeout) {
seclog(sec, LOG_AUTH, "hmac presented by client expired - possible replay");
seclog(sec, LOG_NOTICE, "hmac presented by client expired - possible replay");
return -1;
}
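Review bot: In the hunk at L465-L477, the two "possible replay" messages (L469, L475) and the size check at L462 are the audit trail for a detected replay of the auth-init HMAC, so LOG_NOTICE understates them relative to ordinary auth-failure noise; `seclog(sec, LOG_WARNING, "hmac presented by client doesn't match parameters provided - possible replay");` (and likewise at L475) would let log routing single them out. Also visible in the same hunk, the HMAC comparison at L467 uses memcmp(), which returns on the first differing byte; a constant-time comparison (a loop OR-ing byte differences, or an equivalent helper already available to the project) is the conventional choice when the compared value is a MAC. The enclosing function starts and ends outside the hunk.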


@@ -441,7 +441,7 @@ static void tls_audit_log_func(gnutls_session_t session, const char *str)
(void)(ws);
if (session == NULL)
syslog(LOG_AUTH, "warning: %s", str);
syslog(LOG_NOTICE, "warning: %s", str);
else {
ws = gnutls_session_get_ptr(session);