GitLab/ocserv
1
0
Fork 0
mirror of https://gitlab.com/openconnect/ocserv.git synced 2026-02-10 00:37:00 +08:00
Code Issues Packages Projects Releases Wiki Activity

sec-mod: made logging consistent with the main server

Browse Source
This commit is contained in:
Nikos Mavrogiannopoulos
2014-12-01 22:44:45 +01:00
parent c402c03d09
commit 7b0e20e6ad
5 changed files with 140 additions and 133 deletions
Download Patch File Download Diff File Expand all files Collapse all files

76
src/sec-mod-auth.c
View File

@@ -111,7 +111,7 @@ int send_sec_auth_reply(sec_mod_st * sec, client_entry_st * entry, AUTHREP r)
/* fill message */
ret = generate_cookie(sec, entry);
if (ret < 0) {
seclog(LOG_INFO, "cannot generate cookie");
seclog(sec, LOG_INFO, "cannot generate cookie");
return ret;
}
@@ -147,7 +147,7 @@ int send_sec_auth_reply(sec_mod_st * sec, client_entry_st * entry, AUTHREP r)
if (ret < 0) {
int e = errno;
seclog(LOG_ERR, "send_msg: %s", strerror(e));
seclog(sec, LOG_ERR, "send_msg: %s", strerror(e));
return ret;
}
@@ -180,7 +180,7 @@ int send_sec_auth_reply_msg(sec_mod_st * sec, client_entry_st * e)
(pack_size_func) sec_auth_reply_msg__get_packed_size,
(pack_func) sec_auth_reply_msg__pack);
if (ret < 0) {
seclog(LOG_ERR, "send_auth_reply_msg error");
seclog(sec, LOG_ERR, "send_auth_reply_msg error");
}
return ret;
@@ -201,7 +201,7 @@ static int check_user_group_status(sec_mod_st * sec, client_entry_st * e,
}
if (tls_auth_ok == 0 && need_cert != 0) {
seclog(LOG_INFO, "user '%s' presented no certificate",
seclog(sec, LOG_INFO, "user '%s' presented no certificate",
e->username);
return -1;
}
@@ -210,7 +210,7 @@ static int check_user_group_status(sec_mod_st * sec, client_entry_st * e,
if (tls_auth_ok != 0) {
if (e->username[0] == 0 && sec->config->cert_user_oid != NULL) {
if (cert_user == NULL) {
seclog(LOG_INFO, "no username in the certificate!");
seclog(sec, LOG_INFO, "no username in the certificate!");
return -1;
}
@@ -221,7 +221,7 @@ static int check_user_group_status(sec_mod_st * sec, client_entry_st * e,
"%s", cert_groups[0]);
} else {
if (sec->config->cert_user_oid != NULL && cert_user && strcmp(e->username, cert_user) != 0) {
seclog(LOG_INFO,
seclog(sec, LOG_INFO,
"user '%s' presented a certificate from user '%s'",
e->username, cert_user);
return -1;
@@ -236,7 +236,7 @@ static int check_user_group_status(sec_mod_st * sec, client_entry_st * e,
}
}
if (found == 0) {
seclog(LOG_INFO,
seclog(sec, LOG_INFO,
"user '%s' presented a certificate from group '%s' but he isn't a member of it",
e->username, e->groupname);
return -1;
@@ -264,7 +264,7 @@ int handle_sec_auth_res(sec_mod_st * sec, client_entry_st * e, int result)
ret = send_sec_auth_reply_msg(sec, e);
if (ret < 0) {
e->status = PS_AUTH_FAILED;
seclog(LOG_ERR, "could not send reply auth cmd.");
seclog(sec, LOG_ERR, "could not send reply auth cmd.");
return ret;
}
return 0; /* wait for another command */
@@ -274,28 +274,28 @@ int handle_sec_auth_res(sec_mod_st * sec, client_entry_st * e, int result)
ret = send_sec_auth_reply(sec, e, AUTH__REP__OK);
if (ret < 0) {
e->status = PS_AUTH_FAILED;
seclog(LOG_ERR, "could not send reply auth cmd.");
seclog(sec, LOG_ERR, "could not send reply auth cmd.");
return ret;
}
ret = 0;
if (module != NULL && (sec->config->session_control == 0 || module->open_session == NULL)) {
del_client_entry(sec->client_db, e);
del_client_entry(sec, e);
} /* else do nothing, and wait for session close/open messages */
} else {
e->status = PS_AUTH_FAILED;
add_ip_to_ban_list(sec->ban_db, e->ip, time(0) + sec->config->min_reauth_time);
add_ip_to_ban_list(sec, e->ip, time(0) + sec->config->min_reauth_time);
ret = send_sec_auth_reply(sec, e, AUTH__REP__FAILED);
if (ret < 0) {
seclog(LOG_ERR, "could not send reply auth cmd.");
seclog(sec, LOG_ERR, "could not send reply auth cmd.");
return ret;
}
if (result < 0) {
ret = result;
} else {
seclog(LOG_ERR, "unexpected auth result: %d\n", result);
seclog(sec, LOG_ERR, "unexpected auth result: %d\n", result);
ret = ERR_BAD_COMMAND;
}
}
@@ -314,19 +314,19 @@ int handle_sec_auth_session_cmd(sec_mod_st * sec, const SecAuthSessionMsg * req,
return 0;
if (sec->config->session_control == 0) {
seclog(LOG_ERR, "auth session open/close but session control is disabled!");
seclog(sec, LOG_ERR, "auth session open/close but session control is disabled!");
return 0;
}
if (req->sid.len != SID_SIZE) {
seclog(LOG_ERR, "auth session open/close but with illegal sid size (%d)!",
seclog(sec, LOG_ERR, "auth session open/close but with illegal sid size (%d)!",
(int)req->sid.len);
return -1;
}
e = find_client_entry(sec->client_db, req->sid.data);
e = find_client_entry(sec, req->sid.data);
if (e == NULL) {
seclog(LOG_INFO, "session open/close but with non-existing sid!");
seclog(sec, LOG_INFO, "session open/close but with non-existing sid!");
return -1;
}
@@ -334,13 +334,13 @@ int handle_sec_auth_session_cmd(sec_mod_st * sec, const SecAuthSessionMsg * req,
ret = module->open_session(e->auth_ctx);
if (ret < 0) {
e->status = PS_AUTH_FAILED;
seclog(LOG_ERR, "could not open session.");
del_client_entry(sec->client_db, e);
seclog(sec, LOG_ERR, "could not open session.");
del_client_entry(sec, e);
return ret;
}
e->have_session = 1;
} else {
del_client_entry(sec->client_db, e);
del_client_entry(sec, e);
}
return 0;
@@ -351,33 +351,33 @@ int handle_sec_auth_cont(sec_mod_st * sec, const SecAuthContMsg * req)
client_entry_st *e;
int ret;
if (check_if_banned(sec->ban_db, req->ip) != 0) {
seclog(LOG_INFO,
if (check_if_banned(sec, req->ip) != 0) {
seclog(sec, LOG_INFO,
"IP '%s' is banned", req->ip);
return -1;
}
if (req->sid.len != SID_SIZE) {
seclog(LOG_ERR, "auth cont but with illegal sid size (%d)!",
seclog(sec, LOG_ERR, "auth cont but with illegal sid size (%d)!",
(int)req->sid.len);
return -1;
}
e = find_client_entry(sec->client_db, req->sid.data);
e = find_client_entry(sec, req->sid.data);
if (e == NULL) {
seclog(LOG_ERR, "auth cont but with non-existing sid!");
seclog(sec, LOG_ERR, "auth cont but with non-existing sid!");
return -1;
}
if (e->status != PS_AUTH_INIT) {
seclog(LOG_ERR, "auth cont received but we are on state %u!", e->status);
seclog(sec, LOG_ERR, "auth cont received but we are on state %u!", e->status);
return -1;
}
seclog(LOG_DEBUG, "auth cont for user '%s'", e->username);
seclog(sec, LOG_DEBUG, "auth cont for user '%s'", e->username);
if (req->password == NULL) {
seclog(LOG_ERR, "no password given in auth cont for user '%s'",
seclog(sec, LOG_ERR, "no password given in auth cont for user '%s'",
e->username);
return -1;
}
@@ -386,7 +386,7 @@ int handle_sec_auth_cont(sec_mod_st * sec, const SecAuthContMsg * req)
module->auth_pass(e->auth_ctx, req->password,
strlen(req->password));
if (ret < 0) {
seclog(LOG_DEBUG,
seclog(sec, LOG_DEBUG,
"error in password given in auth cont for user '%s'",
e->username);
}
@@ -399,22 +399,22 @@ int handle_sec_auth_init(sec_mod_st * sec, const SecAuthInitMsg * req)
int ret = -1;
client_entry_st *e;
if (check_if_banned(sec->ban_db, req->ip) != 0) {
seclog(LOG_INFO,
if (check_if_banned(sec, req->ip) != 0) {
seclog(sec, LOG_INFO,
"IP '%s' is banned", req->ip);
return -1;
}
if ((req->user_name == NULL || req->user_name[0] == 0)
&& (sec->config->auth_types & AUTH_TYPE_USERNAME_PASS)) {
seclog(LOG_DEBUG,
seclog(sec, LOG_DEBUG,
"auth init from '%s' with no username present", req->ip);
return -1;
}
e = new_client_entry(sec->client_db, req->ip);
e = new_client_entry(sec, req->ip);
if (e == NULL) {
seclog(LOG_ERR, "cannot initialize memory");
seclog(sec, LOG_ERR, "cannot initialize memory");
return -1;
}
@@ -461,7 +461,7 @@ int handle_sec_auth_init(sec_mod_st * sec, const SecAuthInitMsg * req)
}
if (found == 0) {
seclog(LOG_AUTH, "user '%s' requested group '%s' but is not included on his certificate groups",
seclog(sec, LOG_AUTH, "user '%s' requested group '%s' but is not included on his certificate groups",
req->user_name, req->group_name);
return -1;
}
@@ -477,7 +477,7 @@ int handle_sec_auth_init(sec_mod_st * sec, const SecAuthInitMsg * req)
}
e->status = PS_AUTH_INIT;
seclog(LOG_DEBUG, "auth init %sfor user '%s' (group: '%s') from '%s'",
seclog(sec, LOG_DEBUG, "auth init %sfor user '%s' (group: '%s') from '%s'",
req->tls_auth_ok?"(with cert) ":"",
e->username, e->groupname, req->ip);
@@ -491,12 +491,12 @@ int handle_sec_auth_init(sec_mod_st * sec, const SecAuthInitMsg * req)
return handle_sec_auth_res(sec, e, ret);
}
void sec_auth_user_deinit(client_entry_st * e)
void sec_auth_user_deinit(sec_mod_st * sec, client_entry_st * e)
{
if (module == NULL)
return;
seclog(LOG_DEBUG, "auth deinit for user '%s'", e->username);
seclog(sec, LOG_DEBUG, "auth deinit for user '%s'", e->username);
if (e->auth_ctx != NULL) {
if (e->have_session) {
module->close_session(e->auth_ctx);

29
src/sec-mod-ban.c
View File

@@ -54,20 +54,21 @@ static size_t rehash(const void *_e, void *unused)
}
void *sec_mod_ban_db_init(void *pool)
void *sec_mod_ban_db_init(sec_mod_st *sec)
{
struct htable *db = talloc(pool, struct htable);
struct htable *db = talloc(sec, struct htable);
if (db == NULL)
return NULL;
htable_init(db, rehash, NULL);
sec->ban_db = db;
return db;
}
void sec_mod_ban_db_deinit(void *_db)
void sec_mod_ban_db_deinit(sec_mod_st *sec)
{
struct htable *db = _db;
struct htable *db = sec->ban_db;
if (db != NULL) {
htable_clear(db);
@@ -75,9 +76,9 @@ struct htable *db = _db;
}
}
unsigned sec_mod_ban_db_elems(void *_db)
unsigned sec_mod_ban_db_elems(sec_mod_st *sec)
{
struct htable *db = _db;
struct htable *db = sec->ban_db;
if (db)
return db->elems;
@@ -85,9 +86,9 @@ struct htable *db = _db;
return 0;
}
void add_ip_to_ban_list(void *_db, const char *ip, time_t reenable_time)
void add_ip_to_ban_list(sec_mod_st *sec, const char *ip, time_t reenable_time)
{
struct htable *db = _db;
struct htable *db = sec->ban_db;
struct ban_entry_st *e;
if (db == NULL)
@@ -102,12 +103,12 @@ void add_ip_to_ban_list(void *_db, const char *ip, time_t reenable_time)
e->expires = reenable_time;
if (htable_add(db, rehash(e, NULL), e) == 0) {
seclog(LOG_INFO,
seclog(sec, LOG_INFO,
"could not add ban entry to hash table");
goto fail;
}
seclog(LOG_INFO,"added IP '%s' to ban list, will be removed at: %u", ip, (unsigned)reenable_time);
seclog(sec, LOG_INFO,"added IP '%s' to ban list, will be removed at: %u", ip, (unsigned)reenable_time);
return;
fail:
talloc_free(e);
@@ -127,9 +128,9 @@ static bool ban_entry_cmp(const void *_c1, void *_c2)
return 0;
}
unsigned check_if_banned(void *_db, const char *ip)
unsigned check_if_banned(sec_mod_st *sec, const char *ip)
{
struct htable *db = _db;
struct htable *db = sec->ban_db;
ban_entry_st t;
if (db == NULL || ip == NULL || ip[0] == 0)
@@ -144,9 +145,9 @@ unsigned check_if_banned(void *_db, const char *ip)
return 0;
}
void cleanup_banned_entries(void *_db)
void cleanup_banned_entries(sec_mod_st *sec)
{
struct htable *db = _db;
struct htable *db = sec->ban_db;
ban_entry_st *t;
struct htable_iter iter;
time_t now = time(0);

41
src/sec-mod-db.c
View File

@@ -52,29 +52,30 @@ static size_t rehash(const void *_e, void *unused)
return hash_any(e->sid, sizeof(e->sid), 0);
}
void *sec_mod_client_db_init(void *pool)
void *sec_mod_client_db_init(sec_mod_st *sec)
{
struct htable *db = talloc(pool, struct htable);
struct htable *db = talloc(sec, struct htable);
if (db == NULL)
return NULL;
htable_init(db, rehash, NULL);
sec->client_db = db;
return db;
}
void sec_mod_client_db_deinit(void *_db)
void sec_mod_client_db_deinit(sec_mod_st *sec)
{
struct htable *db = _db;
struct htable *db = sec->client_db;
htable_clear(db);
talloc_free(db);
}
/* The number of elements */
unsigned sec_mod_client_db_elems(void *_db)
unsigned sec_mod_client_db_elems(sec_mod_st *sec)
{
struct htable *db = _db;
struct htable *db = sec->client_db;
if (db)
return db->elems;
@@ -82,9 +83,9 @@ struct htable *db = _db;
return 0;
}
client_entry_st *new_client_entry(void *_db, const char *ip)
client_entry_st *new_client_entry(sec_mod_st *sec, const char *ip)
{
struct htable *db = _db;
struct htable *db = sec->client_db;
client_entry_st *e;
int ret;
@@ -96,13 +97,13 @@ client_entry_st *new_client_entry(void *_db, const char *ip)
snprintf(e->ip, sizeof(e->ip), "%s", ip);
ret = gnutls_rnd(GNUTLS_RND_RANDOM, e->sid, sizeof(e->sid));
if (ret < 0) {
seclog(LOG_ERR, "error generating SID");
seclog(sec, LOG_ERR, "error generating SID");
goto fail;
}
e->time = time(0);
if (htable_add(db, rehash(e, NULL), e) == 0) {
seclog(LOG_ERR,
seclog(sec, LOG_ERR,
"could not add client entry to hash table");
goto fail;
}
@@ -124,9 +125,9 @@ static bool client_entry_cmp(const void *_c1, void *_c2)
return 0;
}
client_entry_st *find_client_entry(void *_db, uint8_t sid[SID_SIZE])
client_entry_st *find_client_entry(sec_mod_st *sec, uint8_t sid[SID_SIZE])
{
struct htable *db = _db;
struct htable *db = sec->client_db;
client_entry_st t;
memcpy(t.sid, sid, SID_SIZE);
@@ -134,9 +135,9 @@ client_entry_st *find_client_entry(void *_db, uint8_t sid[SID_SIZE])
return htable_get(db, rehash(&t, NULL), client_entry_cmp, &t);
}
static void clean_entry(client_entry_st * e)
static void clean_entry(sec_mod_st *sec, client_entry_st * e)
{
sec_auth_user_deinit(e);
sec_auth_user_deinit(sec, e);
talloc_free(e);
}
@@ -145,9 +146,9 @@ static void clean_entry(client_entry_st * e)
*/
#define SLACK_TIME 10
void cleanup_client_entries(void *_db)
void cleanup_client_entries(sec_mod_st *sec)
{
struct htable *db = _db;
struct htable *db = sec->client_db;
client_entry_st *t;
struct htable_iter iter;
time_t now = time(0);
@@ -156,17 +157,17 @@ void cleanup_client_entries(void *_db)
while (t != NULL) {
if (t->have_session == 0 && now - t->time > MAX_AUTH_SECS + SLACK_TIME) {
htable_delval(db, &iter);
clean_entry(t);
clean_entry(sec, t);
}
t = htable_next(db, &iter);
}
}
void del_client_entry(void *_db, client_entry_st * e)
void del_client_entry(sec_mod_st *sec, client_entry_st * e)
{
struct htable *db = _db;
struct htable *db = sec->client_db;
htable_del(db, rehash(e, NULL), e);
clean_entry(e);
clean_entry(sec, e);
}

83
src/sec-mod.c
View File

@@ -179,7 +179,7 @@ static int handle_op(void *pool, sec_mod_st * sec, uint8_t type, uint8_t * rep,
(pack_size_func) sec_op_msg__get_packed_size,
(pack_func) sec_op_msg__pack);
if (ret < 0) {
seclog(LOG_WARNING, "sec-mod error in sending reply");
seclog(sec, LOG_WARNING, "sec-mod error in sending reply");
}
return 0;
@@ -195,7 +195,7 @@ int process_packet(void *pool, sec_mod_st * sec, cmd_request_t cmd,
SecOpMsg *op;
PROTOBUF_ALLOCATOR(pa, pool);
seclog(LOG_DEBUG, "cmd [size=%d] %s\n", (int)buffer_size,
seclog(sec, LOG_DEBUG, "cmd [size=%d] %s\n", (int)buffer_size,
cmd_request_to_str(cmd));
data.data = buffer;
data.size = buffer_size;
@@ -205,13 +205,13 @@ int process_packet(void *pool, sec_mod_st * sec, cmd_request_t cmd,
case SM_CMD_DECRYPT:
op = sec_op_msg__unpack(&pa, data.size, data.data);
if (op == NULL) {
seclog(LOG_INFO, "error unpacking sec op\n");
seclog(sec, LOG_INFO, "error unpacking sec op\n");
return -1;
}
i = op->key_idx;
if (op->has_key_idx == 0 || i >= sec->key_size) {
seclog(LOG_INFO,
seclog(sec, LOG_INFO,
"received out-of-bounds key index (%d)", i);
return -1;
}
@@ -238,7 +238,7 @@ int process_packet(void *pool, sec_mod_st * sec, cmd_request_t cmd,
sec_op_msg__free_unpacked(op, &pa);
if (ret < 0) {
seclog(LOG_INFO, "error in crypto operation: %s",
seclog(sec, LOG_INFO, "error in crypto operation: %s",
gnutls_strerror(ret));
return -1;
}
@@ -255,7 +255,7 @@ int process_packet(void *pool, sec_mod_st * sec, cmd_request_t cmd,
sec_auth_init_msg__unpack(&pa, data.size,
data.data);
if (auth_init == NULL) {
seclog(LOG_INFO, "error unpacking auth init\n");
seclog(sec, LOG_INFO, "error unpacking auth init\n");
return -1;
}
@@ -270,7 +270,7 @@ int process_packet(void *pool, sec_mod_st * sec, cmd_request_t cmd,
sec_auth_cont_msg__unpack(&pa, data.size,
data.data);
if (auth_cont == NULL) {
seclog(LOG_INFO, "error unpacking auth cont\n");
seclog(sec, LOG_INFO, "error unpacking auth cont\n");
return -1;
}
@@ -284,7 +284,7 @@ int process_packet(void *pool, sec_mod_st * sec, cmd_request_t cmd,
SecAuthSessionReplyMsg rep = SEC_AUTH_SESSION_REPLY_MSG__INIT;
if (uid != 0) {
seclog(LOG_INFO, "received session open/close from unauthorized uid (%u)\n", (unsigned)uid);
seclog(sec, LOG_INFO, "received session open/close from unauthorized uid (%u)\n", (unsigned)uid);
return -1;
}
@@ -292,7 +292,7 @@ int process_packet(void *pool, sec_mod_st * sec, cmd_request_t cmd,
sec_auth_session_msg__unpack(&pa, data.size,
data.data);
if (msg == NULL) {
seclog(LOG_INFO, "error unpacking session close\n");
seclog(sec, LOG_INFO, "error unpacking session close\n");
return -1;
}
@@ -309,14 +309,14 @@ int process_packet(void *pool, sec_mod_st * sec, cmd_request_t cmd,
(pack_size_func) sec_auth_session_reply_msg__get_packed_size,
(pack_func) sec_auth_session_reply_msg__pack);
if (ret < 0) {
seclog(LOG_WARNING, "sec-mod error in sending session reply");
seclog(sec, LOG_WARNING, "sec-mod error in sending session reply");
}
}
return ret;
}
default:
seclog(LOG_WARNING, "unknown type 0x%.2x", cmd);
seclog(sec, LOG_WARNING, "unknown type 0x%.2x", cmd);
return -1;
}
@@ -347,25 +347,25 @@ static void check_other_work(sec_mod_st *sec)
gnutls_privkey_deinit(sec->key[i]);
}
sec_mod_client_db_deinit(sec->client_db);
sec_mod_ban_db_deinit(sec->ban_db);
sec_mod_client_db_deinit(sec);
sec_mod_ban_db_deinit(sec);
talloc_free(sec);
exit(0);
}
if (need_reload) {
seclog(LOG_DEBUG, "reloading configuration");
seclog(sec, LOG_DEBUG, "reloading configuration");
reload_cfg_file(sec, sec->config);
need_reload = 0;
}
if (need_maintainance) {
seclog(LOG_DEBUG, "performing maintenance");
cleanup_client_entries(sec->client_db);
cleanup_banned_entries(sec->ban_db);
seclog(LOG_DEBUG, "active sessions %d, banned entries %d",
sec_mod_client_db_elems(sec->client_db),
sec_mod_ban_db_elems(sec->ban_db));
seclog(sec, LOG_DEBUG, "performing maintenance");
cleanup_client_entries(sec);
cleanup_banned_entries(sec);
seclog(sec, LOG_DEBUG, "active sessions %d, banned entries %d",
sec_mod_client_db_elems(sec),
sec_mod_ban_db_elems(sec));
alarm(MAINTAINANCE_TIME);
need_maintainance = 0;
}
@@ -420,13 +420,13 @@ void sec_mod_server(void *main_pool, struct cfg_st *config, const char *socket_f
sec_mod_pool = talloc_init("sec-mod");
if (sec_mod_pool == NULL) {
seclog(LOG_ERR, "error in memory allocation");
seclog(sec, LOG_ERR, "error in memory allocation");
exit(1);
}
sec = talloc_zero(sec_mod_pool, sec_mod_st);
if (sec == NULL) {
seclog(LOG_ERR, "error in memory allocation");
seclog(sec, LOG_ERR, "error in memory allocation");
exit(1);
}
@@ -457,24 +457,23 @@ void sec_mod_server(void *main_pool, struct cfg_st *config, const char *socket_f
#ifdef HAVE_PKCS11
ret = gnutls_pkcs11_reinit();
if (ret < 0) {
seclog(LOG_WARNING, "error in PKCS #11 reinitialization: %s",
seclog(sec, LOG_WARNING, "error in PKCS #11 reinitialization: %s",
gnutls_strerror(ret));
}
#endif
sec->client_db = sec_mod_client_db_init(sec);
if (sec->client_db == NULL) {
seclog(LOG_ERR, "error in client db initialization");
if (sec_mod_client_db_init(sec) == NULL) {
seclog(sec, LOG_ERR, "error in client db initialization");
exit(1);
}
if (config->min_reauth_time > 0)
sec->ban_db = sec_mod_ban_db_init(sec);
sec_mod_ban_db_init(sec);
buffer_size = 8 * 1024;
buffer = talloc_size(sec, buffer_size);
if (buffer == NULL) {
seclog(LOG_ERR, "error in memory allocation");
seclog(sec, LOG_ERR, "error in memory allocation");
exit(1);
}
@@ -482,7 +481,7 @@ void sec_mod_server(void *main_pool, struct cfg_st *config, const char *socket_f
sd = socket(AF_UNIX, SOCK_STREAM, 0);
if (sd == -1) {
e = errno;
seclog(LOG_ERR, "could not create socket '%s': %s", SOCKET_FILE,
seclog(sec, LOG_ERR, "could not create socket '%s': %s", SOCKET_FILE,
strerror(e));
exit(1);
}
@@ -491,7 +490,7 @@ void sec_mod_server(void *main_pool, struct cfg_st *config, const char *socket_f
ret = bind(sd, (struct sockaddr *)&sa, SUN_LEN(&sa));
if (ret == -1) {
e = errno;
seclog(LOG_ERR, "could not bind socket '%s': %s", SOCKET_FILE,
seclog(sec, LOG_ERR, "could not bind socket '%s': %s", SOCKET_FILE,
strerror(e));
exit(1);
}
@@ -499,21 +498,21 @@ void sec_mod_server(void *main_pool, struct cfg_st *config, const char *socket_f
ret = chown(SOCKET_FILE, config->uid, config->gid);
if (ret == -1) {
e = errno;
seclog(LOG_INFO, "could not chown socket '%s': %s", SOCKET_FILE,
seclog(sec, LOG_INFO, "could not chown socket '%s': %s", SOCKET_FILE,
strerror(e));
}
ret = listen(sd, 1024);
if (ret == -1) {
e = errno;
seclog(LOG_ERR, "could not listen to socket '%s': %s",
seclog(sec, LOG_ERR, "could not listen to socket '%s': %s",
SOCKET_FILE, strerror(e));
exit(1);
}
ret = load_pins(config, &pins);
if (ret < 0) {
seclog(LOG_ERR, "error loading PIN files");
seclog(sec, LOG_ERR, "error loading PIN files");
exit(1);
}
@@ -521,7 +520,7 @@ void sec_mod_server(void *main_pool, struct cfg_st *config, const char *socket_f
sec->key_size = config->key_size;
sec->key = talloc_size(sec, sizeof(*sec->key) * config->key_size);
if (sec->key == NULL) {
seclog(LOG_ERR, "error in memory allocation");
seclog(sec, LOG_ERR, "error in memory allocation");
exit(1);
}
@@ -542,7 +541,7 @@ void sec_mod_server(void *main_pool, struct cfg_st *config, const char *socket_f
gnutls_datum_t data;
ret = gnutls_load_file(config->key[i], &data);
if (ret < 0) {
seclog(LOG_ERR, "error loading file '%s'",
seclog(sec, LOG_ERR, "error loading file '%s'",
config->key[i]);
GNUTLS_FATAL_ERR(ret);
}
@@ -557,7 +556,7 @@ void sec_mod_server(void *main_pool, struct cfg_st *config, const char *socket_f
}
}
seclog(LOG_INFO, "sec-mod initialized (socket: %s)", SOCKET_FILE);
seclog(sec, LOG_INFO, "sec-mod initialized (socket: %s)", SOCKET_FILE);
for (;;) {
check_other_work(sec);
@@ -567,7 +566,7 @@ void sec_mod_server(void *main_pool, struct cfg_st *config, const char *socket_f
if (cfd == -1) {
e = errno;
if (e != EINTR) {
seclog(LOG_DEBUG,
seclog(sec, LOG_DEBUG,
"sec-mod error accepting connection: %s",
strerror(e));
}
@@ -578,7 +577,7 @@ void sec_mod_server(void *main_pool, struct cfg_st *config, const char *socket_f
*/
ret = check_upeer_id("sec-mod", cfd, config->uid, config->gid, &uid);
if (ret < 0) {
seclog(LOG_INFO, "rejected unauthorized connection");
seclog(sec, LOG_INFO, "rejected unauthorized connection");
goto cont;
}
@@ -588,7 +587,7 @@ void sec_mod_server(void *main_pool, struct cfg_st *config, const char *socket_f
goto cont;
else if (ret < 3) {
e = errno;
seclog(LOG_INFO, "error receiving msg head: %s",
seclog(sec, LOG_INFO, "error receiving msg head: %s",
strerror(e));
goto cont;
}
@@ -598,7 +597,7 @@ void sec_mod_server(void *main_pool, struct cfg_st *config, const char *socket_f
length = l16;
if (length > buffer_size - 4) {
seclog(LOG_INFO, "too big message (%d)", length);
seclog(sec, LOG_INFO, "too big message (%d)", length);
goto cont;
}
@@ -606,7 +605,7 @@ void sec_mod_server(void *main_pool, struct cfg_st *config, const char *socket_f
ret = force_read_timeout(cfd, buffer, length, MAX_WAIT_SECS);
if (ret < 0) {
e = errno;
seclog(LOG_INFO, "error receiving msg body: %s",
seclog(sec, LOG_INFO, "error receiving msg body: %s",
strerror(e));
goto cont;
}
@@ -615,7 +614,7 @@ void sec_mod_server(void *main_pool, struct cfg_st *config, const char *socket_f
sec->fd = cfd;
ret = process_packet(tpool, sec, cmd, uid, buffer, ret);
if (ret < 0) {
seclog(LOG_INFO, "error processing data for '%s' command (%d)", cmd_request_to_str(cmd), ret);
seclog(sec, LOG_INFO, "error processing data for '%s' command (%d)", cmd_request_to_str(cmd), ret);
}
talloc_free(tpool);

44
src/sec-mod.h
View File

@@ -22,6 +22,7 @@
#include <cookies.h>
#include <gnutls/abstract.h>
#include <ccan/htable/htable.h>
typedef struct sec_mod_st {
gnutls_datum_t dcookie_key; /* the key to generate cookies */
@@ -30,8 +31,8 @@ typedef struct sec_mod_st {
struct cfg_st *config;
gnutls_privkey_t *key;
unsigned key_size;
void *client_db;
void *ban_db;
struct htable *client_db;
struct htable *ban_db;
int fd;
} sec_mod_st;
@@ -62,19 +63,24 @@ typedef struct client_entry_st {
time_t time;
} client_entry_st;
void *sec_mod_client_db_init(void *pool);
void sec_mod_client_db_deinit(void *db);
unsigned sec_mod_client_db_elems(void *_db);
client_entry_st * new_client_entry(void *_db, const char *ip);
client_entry_st * find_client_entry(void *_db, uint8_t sid[SID_SIZE]);
void del_client_entry(void *_db, client_entry_st * e);
void cleanup_client_entries(void *_db);
void *sec_mod_client_db_init(sec_mod_st *sec);
void sec_mod_client_db_deinit(sec_mod_st *sec);
unsigned sec_mod_client_db_elems(sec_mod_st *sec);
client_entry_st * new_client_entry(sec_mod_st *sec, const char *ip);
client_entry_st * find_client_entry(sec_mod_st *sec, uint8_t sid[SID_SIZE]);
void del_client_entry(sec_mod_st *sec, client_entry_st * e);
void cleanup_client_entries(sec_mod_st *sec);
#ifdef __GNUC__
# define seclog(prio, fmt, ...) \
syslog(prio, "sec-mod: "fmt, ##__VA_ARGS__)
# define seclog(sec, prio, fmt, ...) \
if (prio != LOG_DEBUG || sec->config->debug != 0) { \
syslog(prio, "sec-mod: "fmt, ##__VA_ARGS__); \
}
#else
# define seclog syslog
# define seclog(sec,prio,...) \
if (prio != LOG_DEBUG || sec->config->debug != 0) { \
syslog(prio, __VA_ARGS__); \
}
#endif
void sec_auth_init(struct cfg_st *config);
@@ -82,16 +88,16 @@ void sec_auth_init(struct cfg_st *config);
int handle_sec_auth_init(sec_mod_st *sec, const SecAuthInitMsg * req);
int handle_sec_auth_cont(sec_mod_st *sec, const SecAuthContMsg * req);
int handle_sec_auth_session_cmd(sec_mod_st * sec, const SecAuthSessionMsg * req, unsigned cmd);
void sec_auth_user_deinit(client_entry_st * e);
void sec_auth_user_deinit(sec_mod_st * sec, client_entry_st * e);
void sec_mod_server(void *main_pool, struct cfg_st *config, const char *socket_file,
uint8_t cookie_key[COOKIE_KEY_SIZE]);
void cleanup_banned_entries(void *_db);
unsigned check_if_banned(void *_db, const char *ip);
void add_ip_to_ban_list(void *_db, const char *ip, time_t reenable_time);
void *sec_mod_ban_db_init(void *pool);
void sec_mod_ban_db_deinit(void *_db);
unsigned sec_mod_ban_db_elems(void *_db);
void cleanup_banned_entries(sec_mod_st *sec);
unsigned check_if_banned(sec_mod_st *sec, const char *ip);
void add_ip_to_ban_list(sec_mod_st *sec, const char *ip, time_t reenable_time);
void *sec_mod_ban_db_init(sec_mod_st *sec);
void sec_mod_ban_db_deinit(sec_mod_st *sec);
unsigned sec_mod_ban_db_elems(sec_mod_st *sec);
#endif