1 /* $NetBSD: isakmp_xauth.c,v 1.35 2025/03/07 15:55:29 christos Exp $ */
2
3 /* Id: isakmp_xauth.c,v 1.38 2006/08/22 18:17:17 manubsd Exp */
4
5 /*
6 * Copyright (C) 2004-2005 Emmanuel Dreyfus
7 * All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the project nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 #include "config.h"
35
36 #include <sys/types.h>
37 #include <sys/param.h>
38 #include <sys/socket.h>
39 #include <sys/queue.h>
40
41 #include <netinet/in.h>
42
43 #include <assert.h>
44 #include <stdlib.h>
45 #include <stdio.h>
46 #include <string.h>
47 #include <errno.h>
48 #include <pwd.h>
49 #include <grp.h>
50 #if TIME_WITH_SYS_TIME
51 # include <sys/time.h>
52 # include <time.h>
53 #else
54 # if HAVE_SYS_TIME_H
55 # include <sys/time.h>
56 # else
57 # include <time.h>
58 # endif
59 #endif
60 #include <netdb.h>
61 #ifdef HAVE_UNISTD_H
62 #include <unistd.h>
63 #endif
64 #include <ctype.h>
65 #include <resolv.h>
66
67 #ifdef HAVE_SHADOW_H
68 #include <shadow.h>
69 #endif
70
71 #include "var.h"
72 #include "misc.h"
73 #include "vmbuf.h"
74 #include "plog.h"
75 #include "sockmisc.h"
76 #include "schedule.h"
77 #include "debug.h"
78
79 #include "crypto_openssl.h"
80 #include "isakmp_var.h"
81 #include "isakmp.h"
82 #include "admin.h"
83 #include "privsep.h"
84 #include "evt.h"
85 #include "handler.h"
86 #include "throttle.h"
87 #include "remoteconf.h"
88 #include "isakmp_inf.h"
89 #include "isakmp_xauth.h"
90 #include "isakmp_unity.h"
91 #include "isakmp_cfg.h"
92 #include "strnames.h"
93 #include "ipsec_doi.h"
94 #include "remoteconf.h"
95 #include "localconf.h"
96
97 #ifdef HAVE_LIBRADIUS
98 #include <radlib.h>
/* libradius handle for Access-Request exchanges; opened lazily by
 * xauth_radius_init(), used by xauth_login_radius(), closed by
 * xauth_radius_init_conf(). NULL means "not opened yet". */
static struct rad_handle *radius_auth_state = NULL;
/* libradius accounting handle, same lifecycle as above; not static, so
 * presumably shared with accounting code in another unit. */
struct rad_handle *radius_acct_state = NULL;
/* Server lists (auth/acct), timeout and retries consumed by
 * xauth_radius_init(); zeroed by xauth_radius_init_conf(). */
struct xauth_rad_config xauth_rad_config;
102 #endif
103
104 #ifdef HAVE_LIBPAM
105 #include <security/pam_appl.h>
106
/*
 * Credentials answered by PAM_conv(). xauth_login_pam() points these at
 * its caller's buffers right before pam_authenticate() and clears them
 * right after; they are not owned here and never freed here.
 */
static char *PAM_usr = NULL;
static char *PAM_pwd = NULL;
/* PAM conversation callback: answers prompts from PAM_usr / PAM_pwd. */
static int PAM_conv(int, const struct pam_message **,
    struct pam_response **, void *);
/* Conversation descriptor handed to pam_start(); no private appdata. */
static struct pam_conv PAM_chat = { &PAM_conv, NULL };
112 #endif
113
114 #ifdef HAVE_LIBLDAP
115 #include "ldap.h"
116 #include <arpa/inet.h>
/* LDAP backend settings: defaults from xauth_ldap_init_conf(), read by
 * xauth_login_ldap() and xauth_group_ldap(). */
struct xauth_ldap_config xauth_ldap_config;
118 #endif
119
/*
 * Send the initial Xauth REQUEST to the peer: an ISAKMP_CFG_REQUEST
 * attribute payload asking for XAUTH_TYPE (generic), XAUTH_USER_NAME and
 * XAUTH_USER_PASSWORD.  Only valid once phase 1 is established and while
 * no request has been sent yet; on success the Xauth state moves to
 * XAUTHST_REQSENT.  Errors are logged and the request is simply not sent.
 */
void
xauth_sendreq(struct ph1handle *iph1)
{
	struct xauth_state *xst = &iph1->mode_cfg->xauth;
	struct isakmp_pl_attr *hdr;
	struct isakmp_data *typeattr;
	struct isakmp_data *usrattr;
	struct isakmp_data *pwdattr;
	vchar_t *msg;
	size_t len;

	/* Xauth runs on top of an established phase 1 only. */
	if (iph1->status < PHASE1ST_ESTABLISHED) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "Xauth request while phase 1 is not completed\n");
		return;
	}

	/* Never send a second request for the same phase 1. */
	if (xst->status != XAUTHST_NOTYET) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "Xauth request whith Xauth state %d\n", xst->status);
		return;
	}

	plog(LLV_INFO, LOCATION, NULL, "Sending Xauth request\n");

	/* Payload header followed by three attribute headers, no values. */
	len = sizeof(*hdr) + sizeof(*typeattr) + sizeof(*usrattr) +
	    sizeof(*pwdattr);

	msg = vmalloc(len);
	if (msg == NULL) {
		plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate buffer\n");
		return;
	}

	hdr = (struct isakmp_pl_attr *)msg->v;
	memset(hdr, 0, len);
	hdr->h.len = htons(len);
	hdr->type = ISAKMP_CFG_REQUEST;
	hdr->id = htons(eay_random());

	/* The attributes are laid out back to back after the header. */
	typeattr = (struct isakmp_data *)(hdr + 1);
	usrattr = typeattr + 1;
	pwdattr = usrattr + 1;

	/* XAUTH_TYPE is a TV attribute carrying the value itself ... */
	typeattr->type = htons(XAUTH_TYPE | ISAKMP_GEN_TV);
	typeattr->lorv = htons(XAUTH_TYPE_GENERIC);
	/* ... the two credential attributes are empty TLVs to be filled by the peer. */
	usrattr->type = htons(XAUTH_USER_NAME | ISAKMP_GEN_TLV);
	usrattr->lorv = htons(0);
	pwdattr->type = htons(XAUTH_USER_PASSWORD | ISAKMP_GEN_TLV);
	pwdattr->lorv = htons(0);

	isakmp_cfg_send(iph1, msg, ISAKMP_NPTYPE_ATTR, ISAKMP_FLAG_E, 1);
	vfree(msg);

	xst->status = XAUTHST_REQSENT;
}
184
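/*
 * Handle one attribute of an Xauth REPLY received from the peer.
 *
 * The authentication type, user name and password are stored in the
 * phase 1 Xauth state as they arrive.  Once both user name and password
 * are present the credentials are checked against the configured
 * authentication source, the optional group list is enforced and the
 * verdict is delivered with xauth_reply() - immediately, or after the
 * delay returned by throttle_host() when the remote host is being
 * throttled.
 *
 * iph1  - phase 1 handle carrying the mode-cfg / Xauth state
 * attr  - the attribute, in network byte order.  For TLV attributes the
 *         value follows the header and attr->lorv is its length; there is
 *         no payload length available here, so the caller is assumed to
 *         have checked that the value fits in the received payload
 *         (TODO confirm in the caller).
 * id    - attribute payload identifier, echoed in the status message
 *
 * Returns 0 when the attribute was consumed (including the case where the
 * verdict is deferred) or the login succeeded, -1 on a protocol error,
 * allocation failure or rejected login.
 */
int
xauth_attr_reply(struct ph1handle *iph1, struct isakmp_data *attr, int id)
{
	struct xauth_state *xst = &iph1->mode_cfg->xauth;
	struct xauth_reply_arg *xra;
	char **outlet = NULL;
	char *usr;
	char *pwd;
	time_t throttle_delay = 0;
	size_t alen;
	int type;
	int port = -1;
	int res = -1;

	if ((iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) == 0) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "Xauth reply but peer did not declare "
		    "itself as Xauth capable\n");
		return -1;
	}

	if (xst->status != XAUTHST_REQSENT) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "Xauth reply while Xauth state is %d\n", xst->status);
		return -1;
	}

	type = ntohs(attr->type) & ~ISAKMP_GEN_MASK;
	switch (type) {
	case XAUTH_TYPE:
		switch (ntohs(attr->lorv)) {
		case XAUTH_TYPE_GENERIC:
			xst->authtype = XAUTH_TYPE_GENERIC;
			break;
		default:
			/*
			 * Log the value the peer offered (lorv); `type' is
			 * already in host order and is XAUTH_TYPE here.
			 */
			plog(LLV_WARNING, LOCATION, NULL,
			    "Unexpected authentication type %d\n",
			    ntohs(attr->lorv));
			return -1;
		}
		break;

	case XAUTH_USER_NAME:
		outlet = &xst->authdata.generic.usr;
		break;

	case XAUTH_USER_PASSWORD:
		outlet = &xst->authdata.generic.pwd;
		break;

	default:
		plog(LLV_WARNING, LOCATION, NULL,
		    "ignored Xauth attribute %d\n", type);
		break;
	}

	if (outlet != NULL) {
		alen = ntohs(attr->lorv);

		/*
		 * A repeated attribute would otherwise leak the copy stored
		 * earlier; the latest value wins.
		 */
		if (*outlet != NULL) {
			racoon_free(*outlet);
			*outlet = NULL;
		}

		if ((*outlet = racoon_malloc(alen + 1)) == NULL) {
			plog(LLV_ERROR, LOCATION, NULL,
			    "Cannot allocate memory for Xauth Data\n");
			return -1;
		}

		memcpy(*outlet, attr + 1, alen);
		(*outlet)[alen] = '\0';
	}

	/* Nothing to check until both credentials have arrived. */
	if (xst->authdata.generic.usr == NULL ||
	    xst->authdata.generic.pwd == NULL)
		return 0;

	usr = xst->authdata.generic.usr;
	pwd = xst->authdata.generic.pwd;

	/* login[] holds LOGINLEN + 1 bytes: bounded copy plus explicit terminator. */
	strncpy(iph1->mode_cfg->login, usr, LOGINLEN);
	iph1->mode_cfg->login[LOGINLEN] = '\0';

	if ((port = isakmp_cfg_getport(iph1)) == -1) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "Port pool depleted\n");
		goto skip_auth;
	}

	switch (isakmp_cfg_config.authsource) {
	case ISAKMP_CFG_AUTH_SYSTEM:
		res = privsep_xauth_login_system(usr, pwd);
		break;
#ifdef HAVE_LIBRADIUS
	case ISAKMP_CFG_AUTH_RADIUS:
		res = xauth_login_radius(iph1, usr, pwd);
		break;
#endif
#ifdef HAVE_LIBPAM
	case ISAKMP_CFG_AUTH_PAM:
		res = privsep_xauth_login_pam(iph1->mode_cfg->port,
		    iph1->remote, usr, pwd);
		break;
#endif
#ifdef HAVE_LIBLDAP
	case ISAKMP_CFG_AUTH_LDAP:
		res = xauth_login_ldap(iph1, usr, pwd);
		break;
#endif
	default:
		plog(LLV_ERROR, LOCATION, NULL,
		    "Unexpected authentication source\n");
		res = -1;
		break;
	}

	/*
	 * Optional group authentication
	 */
	if (res == 0 && isakmp_cfg_config.groupcount)
		res = group_check(iph1,
		    isakmp_cfg_config.grouplist,
		    isakmp_cfg_config.groupcount);

	/*
	 * On failure, throttle the connexion for the remote host
	 * in order to make password attacks more difficult.
	 */
	throttle_delay = throttle_host(iph1->remote, res);
	if (throttle_delay > 0) {
		/* %lu matches the unsigned long the delay is cast to. */
		plog(LLV_ERROR, LOCATION, NULL,
		    "Throttling in action for %s: delay %lus\n",
		    saddrwop2str(iph1->remote),
		    (unsigned long)throttle_delay);
		res = -1;
	} else {
		throttle_delay = 0;
	}

skip_auth:
	if (throttle_delay == 0)
		return xauth_reply(iph1, port, id, res);

	/* Throttled: deliver the (negative) verdict only after the delay. */
	if ((xra = racoon_calloc(1, sizeof(*xra))) == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "malloc failed, bypass throttling\n");
		return xauth_reply(iph1, port, id, res);
	}

	/*
	 * We need to store the ph1, but it might have
	 * disapeared when xauth_reply is called, so
	 * store the index instead.
	 */
	xra->index = iph1->index;
	xra->port = port;
	xra->id = id;
	xra->res = res;
	sched_schedule(&xra->sc, throttle_delay, xauth_reply_stub);

	return 0;
}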
353
/*
 * Scheduler callback for a throttled Xauth verdict.  The phase 1 handle is
 * looked up again by index because it may have been deleted during the
 * delay; when it still exists the stored result is delivered through
 * xauth_reply().  The xauth_reply_arg is freed in all cases.
 */
void
xauth_reply_stub(struct sched *sc)
{
	struct xauth_reply_arg *arg =
	    container_of(sc, struct xauth_reply_arg, sc);
	struct ph1handle *ph1 = getph1byindex(&arg->index);

	if (ph1 == NULL)
		plog(LLV_ERROR, LOCATION, NULL,
		    "Delayed Xauth reply: phase 1 no longer exists.\n");
	else
		(void)xauth_reply(ph1, arg->port, arg->id, arg->res);

	racoon_free(arg);
}
368
/*
 * Deliver the Xauth verdict to the peer.
 *
 * res == 0: the Xauth state becomes XAUTHST_OK and XAUTH_STATUS_OK is sent.
 * Otherwise the mode-cfg port is returned to the pool (when one was taken),
 * XAUTH_STATUS_FAIL is sent, the state is reset to XAUTHST_NOTYET and the
 * phase 1 SA is deleted (with a delete notification if it was established).
 * iph1 must not be touched by the caller after a failed return.
 *
 * Returns 0 on success, -1 on failure.
 */
int
xauth_reply(struct ph1handle *iph1, int port, int id, int res)
{
	struct xauth_state *xst = &iph1->mode_cfg->xauth;
	const char *login = xst->authdata.generic.usr;

	if (res == 0) {
		xst->status = XAUTHST_OK;
		plog(LLV_INFO, LOCATION, NULL,
		    "login succeeded for user \"%s\"\n", login);
		xauth_sendstatus(iph1, XAUTH_STATUS_OK, id);
		return 0;
	}

	if (port != -1)
		isakmp_cfg_putport(iph1, port);

	plog(LLV_INFO, LOCATION, NULL,
	    "login failed for user \"%s\"\n", login);

	xauth_sendstatus(iph1, XAUTH_STATUS_FAIL, id);
	xst->status = XAUTHST_NOTYET;

	/* Delete Phase 1 SA; iph1 is gone after delph1(). */
	if (iph1->status >= PHASE1ST_ESTABLISHED)
		isakmp_info_send_d1(iph1);
	remph1(iph1);
	delph1(iph1);

	return -1;
}
402
/*
 * Send an ISAKMP_CFG_SET carrying a single XAUTH_STATUS attribute
 * (XAUTH_STATUS_OK or XAUTH_STATUS_FAIL) under the given payload id.
 * An allocation failure is logged and the message is dropped.
 */
void
xauth_sendstatus(struct ph1handle *iph1, int status, int id)
{
	struct isakmp_pl_attr *hdr;
	struct isakmp_data *st_attr;
	vchar_t *msg;
	size_t len = sizeof(*hdr) + sizeof(*st_attr);

	msg = vmalloc(len);
	if (msg == NULL) {
		plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate buffer\n");
		return;
	}

	hdr = (struct isakmp_pl_attr *)msg->v;
	memset(hdr, 0, len);
	hdr->h.len = htons(len);
	hdr->type = ISAKMP_CFG_SET;
	hdr->id = htons(id);

	/* Single TV attribute directly after the payload header. */
	st_attr = (struct isakmp_data *)(hdr + 1);
	st_attr->type = htons(XAUTH_STATUS | ISAKMP_GEN_TV);
	st_attr->lorv = htons(status);

	isakmp_cfg_send(iph1, msg, ISAKMP_NPTYPE_ATTR, ISAKMP_FLAG_E, 1);
	vfree(msg);
}
437
438 #ifdef HAVE_LIBRADIUS
/*
 * Reset xauth_rad_config to all zeroes.
 *
 * When `free' is non-zero the host and secret vchars of every configured
 * auth/acct server are released first and any open libradius handles are
 * closed and NULLed.  (The parameter name shadows free(3); it is kept for
 * the existing callers and the libc function is not used in this body.)
 * Always returns 0.
 */
int
xauth_radius_init_conf(int free)
{
	struct xauth_rad_config *cfg = &xauth_rad_config;

	if (free) {
		struct rad_handle **handles[] = {
			&radius_auth_state, &radius_acct_state
		};

		for (int i = 0; i < cfg->auth_server_count; i++) {
			vfree(cfg->auth_server_list[i].host);
			vfree(cfg->auth_server_list[i].secret);
		}
		for (int i = 0; i < cfg->acct_server_count; i++) {
			vfree(cfg->acct_server_list[i].host);
			vfree(cfg->acct_server_list[i].secret);
		}
		for (size_t k = 0; k < sizeof(handles) / sizeof(handles[0]); k++) {
			if (*handles[k] == NULL)
				continue;
			rad_close(*handles[k]);
			*handles[k] = NULL;
		}
	}

	memset(cfg, 0, sizeof(*cfg));
	return 0;
}
467
/*
 * Lazily open the libradius handles the configuration calls for.
 *
 * The authentication handle is created when authsource is RADIUS and the
 * accounting handle when accounting is RADIUS; each is created at most
 * once (a NULL global means "not opened yet").  The servers listed in
 * xauth_rad_config are added to the handle; when none could be added the
 * libradius configuration file is used instead.
 *
 * Returns 0 on success, -1 when a handle cannot be opened or configured
 * (that handle is then closed again and left NULL).
 */
int
xauth_radius_init(void)
{
	struct xauth_rad_config *cfg = &xauth_rad_config;

	if (isakmp_cfg_config.authsource == ISAKMP_CFG_AUTH_RADIUS &&
	    radius_auth_state == NULL) {
		int added = 0;

		if ((radius_auth_state = rad_auth_open()) == NULL) {
			plog(LLV_ERROR, LOCATION, NULL,
			    "Cannot init libradius\n");
			return -1;
		}

		for (int i = 0; i < cfg->auth_server_count; i++) {
			int rc = rad_add_server(radius_auth_state,
			    cfg->auth_server_list[i].host->v,
			    cfg->auth_server_list[i].port,
			    cfg->auth_server_list[i].secret->v,
			    cfg->timeout, cfg->retries);

			if (rc == 0)
				added++;
			else
				plog(LLV_WARNING, LOCATION, NULL,
				    "could not add radius auth server %s\n",
				    cfg->auth_server_list[i].host->v);
		}

		/* No usable server list: fall back to the libradius config file. */
		if (added == 0 && rad_config(radius_auth_state, NULL) != 0) {
			plog(LLV_ERROR, LOCATION, NULL,
			    "Cannot open libradius config file: %s\n",
			    rad_strerror(radius_auth_state));
			rad_close(radius_auth_state);
			radius_auth_state = NULL;
			return -1;
		}
	}

	if (isakmp_cfg_config.accounting == ISAKMP_CFG_ACCT_RADIUS &&
	    radius_acct_state == NULL) {
		int added = 0;

		if ((radius_acct_state = rad_acct_open()) == NULL) {
			plog(LLV_ERROR, LOCATION, NULL,
			    "Cannot init libradius\n");
			return -1;
		}

		for (int i = 0; i < cfg->acct_server_count; i++) {
			int rc = rad_add_server(radius_acct_state,
			    cfg->acct_server_list[i].host->v,
			    cfg->acct_server_list[i].port,
			    cfg->acct_server_list[i].secret->v,
			    cfg->timeout, cfg->retries);

			if (rc == 0)
				added++;
			else
				plog(LLV_WARNING, LOCATION, NULL,
				    "could not add radius account server %s\n",
				    cfg->acct_server_list[i].host->v);
		}

		/* Same fallback as for the authentication handle. */
		if (added == 0 && rad_config(radius_acct_state, NULL) != 0) {
			plog(LLV_ERROR, LOCATION, NULL,
			    "Cannot open libradius config file: %s\n",
			    rad_strerror(radius_acct_state));
			rad_close(radius_acct_state);
			radius_acct_state = NULL;
			return -1;
		}
	}

	return 0;
}
554
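/*
 * Add one string attribute to the pending request on radius_auth_state.
 * Logs the libradius error and returns -1 on failure, 0 on success.
 */
static int
xauth_radius_put_string(int attr, const char *val)
{
	if (rad_put_string(radius_auth_state, attr, val) != 0) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "rad_put_string failed: %s\n",
		    rad_strerror(radius_auth_state));
		return -1;
	}
	return 0;
}

/*
 * Authenticate usr/pwd with an Access-Request on radius_auth_state
 * (which xauth_radius_init() must have opened).
 *
 * The request carries User-Name, User-Password, the peer address as
 * Calling-Station-Id and whatever isakmp_cfg_radius_common() adds.  On
 * Access-Accept, a Framed-IP-Address / Framed-IP-Netmask in the reply is
 * stored in the mode-cfg state with the matching *_EXTERN flag; other
 * attributes are logged and ignored.
 *
 * Returns 0 when access was granted, -1 on rejection or any error (every
 * failure path is logged).
 */
int
xauth_login_radius(struct ph1handle *iph1, char *usr, char *pwd)
{
	const void *data;
	size_t len;
	int res;
	int type;

	if (rad_create_request(radius_auth_state, RAD_ACCESS_REQUEST) != 0) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "rad_create_request failed: %s\n",
		    rad_strerror(radius_auth_state));
		return -1;
	}

	if (xauth_radius_put_string(RAD_USER_NAME, usr) != 0 ||
	    xauth_radius_put_string(RAD_USER_PASSWORD, pwd) != 0 ||
	    xauth_radius_put_string(RAD_CALLING_STATION_ID,
	    saddr2str(iph1->remote)) != 0)
		return -1;

	if (isakmp_cfg_radius_common(radius_auth_state,
	    iph1->mode_cfg->port) != 0) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "isakmp_cfg_radius_common failed\n");
		return -1;
	}

	switch (res = rad_send_request(radius_auth_state)) {
	case RAD_ACCESS_ACCEPT:
		while ((type = rad_get_attr(radius_auth_state,
		    &data, &len)) != 0) {
			switch (type) {
			case RAD_FRAMED_IP_ADDRESS:
				iph1->mode_cfg->addr4 = rad_cvt_addr(data);
				iph1->mode_cfg->flags
				    |= ISAKMP_CFG_ADDR4_EXTERN;
				break;

			case RAD_FRAMED_IP_NETMASK:
				iph1->mode_cfg->mask4 = rad_cvt_addr(data);
				iph1->mode_cfg->flags
				    |= ISAKMP_CFG_MASK4_EXTERN;
				break;

			default:
				plog(LLV_INFO, LOCATION, NULL,
				    "Unexpected attribute: %d\n", type);
				break;
			}
		}
		return 0;

	case RAD_ACCESS_REJECT:
		return -1;

	case -1:
		plog(LLV_ERROR, LOCATION, NULL,
		    "rad_send_request failed: %s\n",
		    rad_strerror(radius_auth_state));
		return -1;

	default:
		/* Access-Challenge and anything else unsupported: deny. */
		plog(LLV_ERROR, LOCATION, NULL,
		    "rad_send_request returned %d\n", res);
		return -1;
	}
}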
631 #endif
632
633 #ifdef HAVE_LIBPAM
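/*ARGSUSED*/
/*
 * PAM conversation callback.
 *
 * Echo-on prompts are answered with PAM_usr and echo-off prompts with
 * PAM_pwd (both staged by xauth_login_pam() around pam_authenticate());
 * PAM_TEXT_INFO / PAM_ERROR_MSG get an empty response.
 *
 * On PAM_SUCCESS *rsp points at a racoon_calloc'd array of msg_count
 * responses whose resp strings come from strdup(); libpam frees them.
 * PAM_CONV_ERR is returned, with nothing left allocated, for a bad count,
 * an unknown message style, or a prompt that arrives while no credentials
 * are staged (e.g. a module prompting outside pam_authenticate()).  A
 * strdup() failure still terminates the daemon, as it always did.
 */
static int
PAM_conv(int msg_count, const struct pam_message **msg,
    struct pam_response **rsp, void *dontcare __unused)
{
	struct pam_response *reply;
	int i;

	if (msg_count <= 0)
		return PAM_CONV_ERR;

	/* calloc: every resp starts out NULL, every retcode 0. */
	reply = racoon_calloc((size_t)msg_count, sizeof(*reply));
	if (reply == NULL)
		return PAM_CONV_ERR;

	for (i = 0; i < msg_count; i++) {
		const char *answer;

		switch (msg[i]->msg_style) {
		case PAM_PROMPT_ECHO_ON:
			/* Send the username, libpam frees resp */
			answer = PAM_usr;
			break;

		case PAM_PROMPT_ECHO_OFF:
			/* Send the password, libpam frees resp */
			answer = PAM_pwd;
			break;

		case PAM_TEXT_INFO:
		case PAM_ERROR_MSG:
			reply[i].resp_retcode = PAM_SUCCESS;
			continue;	/* resp stays NULL */

		default:
			goto fail;
		}

		/* No credentials staged: refuse rather than strdup(NULL). */
		if (answer == NULL)
			goto fail;

		reply[i].resp_retcode = PAM_SUCCESS;
		if ((reply[i].resp = strdup(answer)) == NULL) {
			plog(LLV_ERROR, LOCATION,
			    NULL, "strdup failed\n");
			exit(1);
		}
	}

	*rsp = reply;
	return PAM_SUCCESS;

fail:
	/* libpam never sees this array, so release the answers built so far. */
	for (int j = 0; j < i; j++)
		free(reply[j].resp);
	racoon_free(reply);
	return PAM_CONV_ERR;
}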
686
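/*
 * Authenticate usr/pwd through PAM (service "racoon").
 *
 * The PAM handle is kept in isakmp_cfg_config.port_pool[port].pam so a
 * later stage can end the session; `port' is assumed to be a valid index
 * obtained from isakmp_cfg_getport() and is not range-checked here.
 * The peer address is exported as PAM_RHOST and usr as PAM_RUSER; the
 * credentials are staged in PAM_usr / PAM_pwd only for the duration of
 * pam_authenticate(), so PAM_conv() answers prompts from that call only.
 *
 * Returns 0 when pam_authenticate, pam_acct_mgmt and pam_setcred all
 * succeed (the handle stays open in the pool slot); -1 on any failure,
 * in which case the handle is ended and the slot cleared.
 */
int
xauth_login_pam(int port, struct sockaddr *raddr, char *usr, char *pwd)
{
	pam_handle_t **slot;
	pam_handle_t *pam;
	char *remote = NULL;
	int error;

	if (isakmp_cfg_config.port_pool == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "isakmp_cfg_config.port_pool == NULL\n");
		return -1;
	}
	slot = &isakmp_cfg_config.port_pool[port].pam;

	error = pam_start("racoon", usr, &PAM_chat, slot);
	/*
	 * Pick the handle up right away: pam_start can fail after creating
	 * it, and that handle must then be ended through `out' (the previous
	 * code reached pam_end() with a NULL local in that case).
	 */
	pam = *slot;
	if (error != 0) {
		if (pam == NULL) {
			plog(LLV_ERROR, LOCATION, NULL, "pam_start failed\n");
			return -1;
		}
		plog(LLV_ERROR, LOCATION, NULL,
		    "pam_start failed: %s\n", pam_strerror(pam, error));
		goto out;
	}

	if ((remote = strdup(saddrwop2str(raddr))) == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "cannot allocate memory: %s\n", strerror(errno));
		goto out;
	}

	if ((error = pam_set_item(pam, PAM_RHOST, remote)) != 0) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "pam_set_item failed: %s\n",
		    pam_strerror(pam, error));
		goto out;
	}

	if ((error = pam_set_item(pam, PAM_RUSER, usr)) != 0) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "pam_set_item failed: %s\n",
		    pam_strerror(pam, error));
		goto out;
	}

	/* Credentials are visible to PAM_conv() only during this call. */
	PAM_usr = usr;
	PAM_pwd = pwd;
	error = pam_authenticate(pam, 0);
	PAM_usr = NULL;
	PAM_pwd = NULL;
	if (error != 0) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "pam_authenticate failed: %s\n",
		    pam_strerror(pam, error));
		goto out;
	}

	if ((error = pam_acct_mgmt(pam, 0)) != 0) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "pam_acct_mgmt failed: %s\n",
		    pam_strerror(pam, error));
		goto out;
	}

	if ((error = pam_setcred(pam, 0)) != 0) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "pam_setcred failed: %s\n",
		    pam_strerror(pam, error));
		goto out;
	}

	free(remote);
	return 0;

out:
	pam_end(pam, error);
	*slot = NULL;
	free(remote);
	return -1;
}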
773 #endif
774
775 #ifdef HAVE_LIBLDAP
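/*
 * Allocate a vchar copy of the default string s.
 *
 * One byte more than strlen(s) is requested and a NUL is written
 * explicitly, because the code that later reads these defaults treats ->v
 * as a C string (strlen, "%s" formatting) and vmalloc() is not known here
 * to leave room for a terminator.  ->l therefore counts the terminator;
 * nothing in this file reads ->l for these buffers.  Returns NULL when the
 * allocation fails.
 */
static vchar_t *
xauth_ldap_default_string(const char *s)
{
	size_t len = strlen(s);
	vchar_t *v = vmalloc(len + 1);

	if (v == NULL)
		return NULL;
	memcpy(v->v, s, len);
	v->v[len] = '\0';
	return v;
}

/*
 * Install the built-in defaults in xauth_ldap_config: protocol version 3,
 * no debugging, no network timeout, host LDAP_DFLT_HOST on LDAP_PORT, no
 * TLS, one-level search, anonymous bind, and the LDAP_DFLT_* attribute
 * names.  Any values previously stored in the structure are overwritten
 * without being freed (same as before; presumably the caller handles
 * that on reload - TODO confirm).
 *
 * Returns 0 on success, -1 (after logging) when any default string could
 * not be allocated.
 */
int
xauth_ldap_init_conf(void)
{
	struct xauth_ldap_config *cfg = &xauth_ldap_config;

	cfg->pver = 3;
	cfg->debug = 0;
	cfg->timeout = -1;
	cfg->uri = NULL;
	cfg->port = LDAP_PORT;
	cfg->tls = 0;
	cfg->base = NULL;
	cfg->subtree = 0;
	cfg->bind_dn = NULL;
	cfg->bind_pw = NULL;
	cfg->auth_type = LDAP_AUTH_SIMPLE;

	/* default host and attribute names */
	cfg->host = xauth_ldap_default_string(LDAP_DFLT_HOST);
	cfg->attr_user = xauth_ldap_default_string(LDAP_DFLT_USER);
	cfg->attr_addr = xauth_ldap_default_string(LDAP_DFLT_ADDR);
	cfg->attr_mask = xauth_ldap_default_string(LDAP_DFLT_MASK);
	cfg->attr_group = xauth_ldap_default_string(LDAP_DFLT_GROUP);
	cfg->attr_member = xauth_ldap_default_string(LDAP_DFLT_MEMBER);

	if (cfg->host == NULL || cfg->attr_user == NULL ||
	    cfg->attr_addr == NULL || cfg->attr_mask == NULL ||
	    cfg->attr_group == NULL || cfg->attr_member == NULL) {
		plog(LLV_ERROR, LOCATION, NULL, "cannot allocate memory\n");
		return -1;
	}

	return 0;
}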
849
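/*
 * Return a racoon_malloc'd copy of s with the RFC 4515 filter
 * metacharacters '(' ')' '*' and '\' escaped as \XX, so that a
 * peer-supplied value cannot change the structure of a search filter it
 * is embedded in.  The result is at most three times as long as s.
 * Returns NULL when the allocation fails.
 */
static char *
xauth_ldap_escape_filter(const char *s)
{
	static const char hex[] = "0123456789abcdef";
	size_t len = strlen(s);
	char *out;
	char *p;

	out = racoon_malloc(len * 3 + 1);
	if (out == NULL)
		return NULL;

	p = out;
	for (; *s != '\0'; s++) {
		unsigned char c = (unsigned char)*s;

		switch (c) {
		case '(':
		case ')':
		case '*':
		case '\\':
			*p++ = '\\';
			*p++ = hex[c >> 4];
			*p++ = hex[c & 0x0f];
			break;
		default:
			*p++ = (char)c;
			break;
		}
	}
	*p = '\0';
	return out;
}

/*
 * Authenticate usr/pwd against the configured LDAP directory.
 *
 * A connection is opened to xauth_ldap_config.uri (or ldap://host:port),
 * optionally upgraded with StartTLS, and bound with the configured bind
 * DN/password or anonymously.  The user's entry is then located with the
 * filter "<attr_user>=<usr>" (usr escaped per RFC 4515) below the
 * configured base; its DN is cached in iph1->mode_cfg->xauth.udn, and any
 * <attr_addr> / <attr_mask> values are stored as the mode-cfg address and
 * netmask with the matching *_EXTERN flag.  Finally a simple bind as that
 * DN with the supplied password decides the result.
 *
 * usr and pwd come from the peer.  An empty password is refused before
 * any directory access: a simple bind with a DN and an empty password is
 * an "unauthenticated" bind (RFC 4513, 5.1.2) that servers may accept
 * without checking anything.  Without the tls option the bind passwords
 * travel in clear.
 *
 * Returns 0 when the final bind succeeds, -1 on any error or rejection.
 */
int
xauth_login_ldap(struct ph1handle *iph1, char *usr, char *pwd)
{
	static struct timeval timeout1;
	struct timeval timeout;
	struct berval cred;
	struct berval **bv = NULL;
	LDAP *ld = NULL;
	LDAPMessage *lr = NULL;
	LDAPMessage *le = NULL;
	char *init = NULL;
	char *filter = NULL;
	char *escusr = NULL;
	char *atlist[3] = { NULL, NULL, NULL };
	char *basedn = NULL;
	char *userdn = NULL;
	size_t tmplen = 0;
	int ecount = 0;
	int scope = LDAP_SCOPE_ONE;
	int res = -1;
	int rtn = -1;

	if (pwd == NULL || pwd[0] == '\0') {
		plog(LLV_ERROR, LOCATION, NULL,
		    "ldap login refused for user \'%s\': empty password\n",
		    usr);
		return -1;
	}

	if (xauth_ldap_config.uri != NULL) {
		/* +1: the previous allocation had no room for the NUL. */
		tmplen = strlen(xauth_ldap_config.uri->v) + 1;
		init = racoon_malloc(tmplen);
		if (init == NULL) {
			plog(LLV_ERROR, LOCATION, NULL,
			    "unable to alloc ldap init url\n");
			goto ldap_end;
		}
		snprintf(init, tmplen, "%s", xauth_ldap_config.uri->v);
	} else {
		/* build our initialization url; 17 covers any %d plus the NUL */
		tmplen = strlen("ldap://:") + 17;
		tmplen += strlen(xauth_ldap_config.host->v);
		init = racoon_malloc(tmplen);
		if (init == NULL) {
			plog(LLV_ERROR, LOCATION, NULL,
			    "unable to alloc ldap init url\n");
			goto ldap_end;
		}
		snprintf(init, tmplen, "ldap://%s:%d",
		    xauth_ldap_config.host->v,
		    xauth_ldap_config.port);
	}

	/* initialize the debug level */
	ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, &xauth_ldap_config.debug);
	ber_set_option(NULL, LBER_OPT_DEBUG_LEVEL, &xauth_ldap_config.debug);

	plog(LLV_DEBUG, LOCATION, NULL, "ldap URI: %s\n", init);
	/* initialize the ldap handle */
	res = ldap_initialize(&ld, init);
	if (res != LDAP_SUCCESS) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "ldap_initialize failed: %s\n",
		    ldap_err2string(res));
		goto ldap_end;
	}

	/* initialize the protocol version */
	if ((res = ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION,
	    &xauth_ldap_config.pver)) != LDAP_OPT_SUCCESS) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "LDAP_OPT_PROTOCOL_VERSION %d failed: %s\n",
		    xauth_ldap_config.pver,
		    ldap_err2string(res));
		goto ldap_end;
	}

	if (xauth_ldap_config.timeout > 0) {
		timeout1.tv_sec = xauth_ldap_config.timeout;
		timeout1.tv_usec = 0;
		if ((res = ldap_set_option(ld, LDAP_OPT_NETWORK_TIMEOUT,
		    (void *)&timeout1)) != LDAP_OPT_SUCCESS) {
			plog(LLV_ERROR, LOCATION, NULL,
			    "LDAP_OPT_NETWORK_TIMEOUT %d failed: %s\n",
			    xauth_ldap_config.timeout,
			    ldap_err2string(res));
			goto ldap_end;
		}
	}

	/* Enable TLS */
	if (xauth_ldap_config.tls) {
		res = ldap_start_tls_s(ld, NULL, NULL);
		if (res != LDAP_SUCCESS) {
			plog(LLV_ERROR, LOCATION, NULL,
			    "ldap_start_tls_s failed: %s\n",
			    ldap_err2string(res));
			goto ldap_end;
		}
	}

	/*
	 * attempt to bind to the ldap server.
	 * default to anonymous bind unless a
	 * user dn and password has been
	 * specified in our configuration
	 */
	if (xauth_ldap_config.bind_dn != NULL &&
	    xauth_ldap_config.bind_pw != NULL) {
		cred.bv_val = xauth_ldap_config.bind_pw->v;
		cred.bv_len = strlen(cred.bv_val);
		res = ldap_sasl_bind_s(ld,
		    xauth_ldap_config.bind_dn->v, LDAP_SASL_SIMPLE, &cred,
		    NULL, NULL, NULL);
	} else {
		cred.bv_val = NULL;
		cred.bv_len = 0;
		res = ldap_sasl_bind_s(ld,
		    NULL, LDAP_SASL_SIMPLE, &cred,
		    NULL, NULL, NULL);
	}

	if (res != LDAP_SUCCESS) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "ldap_sasl_bind_s (search) failed: %s\n",
		    ldap_err2string(res));
		goto ldap_end;
	}

	/*
	 * build an ldap user search filter; the user name is peer-supplied,
	 * so escape it before splicing it into the filter
	 */
	escusr = xauth_ldap_escape_filter(usr);
	if (escusr == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "unable to alloc ldap search filter buffer\n");
		goto ldap_end;
	}
	tmplen = strlen(xauth_ldap_config.attr_user->v) + 1 +
	    strlen(escusr) + 1;
	filter = racoon_malloc(tmplen);
	if (filter == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "unable to alloc ldap search filter buffer\n");
		goto ldap_end;
	}
	snprintf(filter, tmplen, "%s=%s",
	    xauth_ldap_config.attr_user->v, escusr);

	/* build our return attribute list */
	tmplen = strlen(xauth_ldap_config.attr_addr->v) + 1;
	atlist[0] = racoon_malloc(tmplen);
	if (atlist[0] != NULL)
		memcpy(atlist[0], xauth_ldap_config.attr_addr->v, tmplen);
	tmplen = strlen(xauth_ldap_config.attr_mask->v) + 1;
	atlist[1] = racoon_malloc(tmplen);
	if (atlist[1] != NULL)
		memcpy(atlist[1], xauth_ldap_config.attr_mask->v, tmplen);
	if (atlist[0] == NULL || atlist[1] == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "unable to alloc ldap attrib list buffer\n");
		goto ldap_end;
	}

	/* attempt to locate the user dn */
	if (xauth_ldap_config.base != NULL)
		basedn = xauth_ldap_config.base->v;
	if (xauth_ldap_config.subtree)
		scope = LDAP_SCOPE_SUBTREE;
	timeout.tv_sec = 15;
	timeout.tv_usec = 0;
	/* sizelimit 2: one entry is enough, two lets us detect ambiguity */
	res = ldap_search_ext_s(ld, basedn, scope,
	    filter, atlist, 0, NULL, NULL,
	    &timeout, 2, &lr);
	if (res != LDAP_SUCCESS) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "ldap_search_ext_s failed: %s\n",
		    ldap_err2string(res));
		goto ldap_end;
	}

	/* check the number of ldap entries returned */
	ecount = ldap_count_entries(ld, lr);
	if (ecount < 1) {
		plog(LLV_WARNING, LOCATION, NULL,
		    "no ldap results for filter \'%s\'\n",
		    filter);
		goto ldap_end;
	}
	if (ecount > 1) {
		plog(LLV_WARNING, LOCATION, NULL,
		    "multiple (%i) ldap results for filter \'%s\'\n",
		    ecount, filter);
	}

	/* obtain the dn from the first result */
	le = ldap_first_entry(ld, lr);
	if (le == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "ldap_first_entry failed: invalid entry returned\n");
		goto ldap_end;
	}
	userdn = ldap_get_dn(ld, le);
	if (userdn == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "ldap_get_dn failed: invalid string returned\n");
		goto ldap_end;
	}

	/*
	 * cache the user dn in the xauth state (presumably read later by the
	 * group check); a value already stored there is overwritten, as
	 * before
	 */
	tmplen = strlen(userdn) + 1;
	iph1->mode_cfg->xauth.udn = racoon_malloc(tmplen);
	if (iph1->mode_cfg->xauth.udn == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "unable to alloc ldap user dn buffer\n");
		goto ldap_end;
	}
	memcpy(iph1->mode_cfg->xauth.udn, userdn, tmplen);

	/* retrieve modecfg address */
	bv = ldap_get_values_len(ld, le, xauth_ldap_config.attr_addr->v);
	if (bv != NULL) {
		char tmpaddr[16];
		/* sanity check for address value: dotted quad is 7..15 chars */
		if (bv[0]->bv_len < 7 || bv[0]->bv_len > 15) {
			plog(LLV_DEBUG, LOCATION, NULL,
			    "ldap returned invalid modecfg address\n");
			ldap_value_free_len(bv);
			goto ldap_end;
		}
		memcpy(tmpaddr, bv[0]->bv_val, bv[0]->bv_len);
		tmpaddr[bv[0]->bv_len] = 0;
		/* inet_addr() cannot signal a parse error; unchanged behaviour */
		iph1->mode_cfg->addr4.s_addr = inet_addr(tmpaddr);
		iph1->mode_cfg->flags |= ISAKMP_CFG_ADDR4_EXTERN;
		plog(LLV_INFO, LOCATION, NULL,
		    "ldap returned modecfg address %s\n", tmpaddr);
		ldap_value_free_len(bv);
	}

	/* retrieve modecfg netmask */
	bv = ldap_get_values_len(ld, le, xauth_ldap_config.attr_mask->v);
	if (bv != NULL) {
		char tmpmask[16];
		/* sanity check for netmask value */
		if (bv[0]->bv_len < 7 || bv[0]->bv_len > 15) {
			plog(LLV_DEBUG, LOCATION, NULL,
			    "ldap returned invalid modecfg netmask\n");
			ldap_value_free_len(bv);
			goto ldap_end;
		}
		memcpy(tmpmask, bv[0]->bv_val, bv[0]->bv_len);
		tmpmask[bv[0]->bv_len] = 0;
		iph1->mode_cfg->mask4.s_addr = inet_addr(tmpmask);
		iph1->mode_cfg->flags |= ISAKMP_CFG_MASK4_EXTERN;
		plog(LLV_INFO, LOCATION, NULL,
		    "ldap returned modecfg netmask %s\n", tmpmask);
		ldap_value_free_len(bv);
	}

	/*
	 * finally, use the dn and the xauth
	 * password to check the users given
	 * credentials by attempting to bind
	 * to the ldap server
	 */
	plog(LLV_INFO, LOCATION, NULL,
	    "attempting ldap bind for dn \'%s\'\n", userdn);
	cred.bv_val = pwd;
	cred.bv_len = strlen(cred.bv_val);
	res = ldap_sasl_bind_s(ld,
	    userdn, NULL, &cred,
	    NULL, NULL, NULL);
	if (res == LDAP_SUCCESS)
		rtn = 0;

ldap_end:
	/* free ldap resources */
	if (userdn != NULL)
		ldap_memfree(userdn);
	if (atlist[0] != NULL)
		racoon_free(atlist[0]);
	if (atlist[1] != NULL)
		racoon_free(atlist[1]);
	if (filter != NULL)
		racoon_free(filter);
	if (escusr != NULL)
		racoon_free(escusr);
	if (lr != NULL)
		ldap_msgfree(lr);
	if (init != NULL)
		racoon_free(init);

	/* ld is NULL when we bailed out before ldap_initialize() succeeded. */
	if (ld != NULL)
		ldap_unbind_ext_s(ld, NULL, NULL);

	return rtn;
}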
1129
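/*
 * Escape one value for embedding in an RFC 4515 LDAP search filter.
 * The metacharacters '*', '(', ')' and '\' become "\XX" hex escapes so a
 * value cannot change the structure of the filter it is interpolated into.
 * Returns a racoon_malloc'd NUL-terminated string that the caller releases
 * with racoon_free(), or NULL when in is NULL or allocation fails.
 */
static char *
xauth_ldap_filter_escape(const char *in)
{
	static const char hex[] = "0123456789abcdef";
	size_t inlen;
	size_t i;
	char *out;
	char *p;

	if (in == NULL)
		return NULL;
	inlen = strlen(in);
	/* worst case: every byte expands to three */
	if (inlen > ((size_t)-1 - 1) / 3)
		return NULL;
	out = racoon_malloc(inlen * 3 + 1);
	if (out == NULL)
		return NULL;

	p = out;
	for (i = 0; i < inlen; i++) {
		unsigned char c = (unsigned char)in[i];

		switch (c) {
		case '*':
		case '(':
		case ')':
		case '\\':
			*p++ = '\\';
			*p++ = hex[c >> 4];
			*p++ = hex[c & 0x0f];
			break;
		default:
			*p++ = (char)c;
			break;
		}
	}
	*p = '\0';

	return out;
}

/*
 * Check that the LDAP entry with DN udn is a member of the group grp by
 * searching for "(&(<attr_group>=grp)(<attr_member>=udn))" under the
 * configured base DN, after an anonymous or configured bind.
 *
 * udn: DN of the already authenticated user (from the login lookup).
 * grp: group name to test against attr_group.
 *
 * Returns 0 when the search yields at least one entry, -1 on any failure
 * (missing arguments, allocation, connect, TLS, bind, search) or when no
 * entry matches.  Both values are filter-escaped before interpolation.
 */
static int
xauth_group_ldap(char * udn, char * grp)
{
	int rtn = -1;
	int res = -1;
	int n = 0;
	LDAP *ld = NULL;
	LDAPMessage *lr = NULL;
	LDAPMessage *le = NULL;
	struct berval cred;
	struct timeval timeout;
	char *init = NULL;
	char *filter = NULL;
	char *basedn = NULL;
	char *groupdn = NULL;
	char *egrp = NULL;
	char *eudn = NULL;
	size_t tmplen = 0;
	int ecount = 0;
	int scope = LDAP_SCOPE_ONE;

	if (udn == NULL || grp == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "ldap group check called without user dn or group\n");
		goto ldap_group_end;
	}

	/* build our initialization url; 17 covers any decimal int port */
	tmplen = strlen("ldap://:") + 17;
	tmplen += strlen(xauth_ldap_config.host->v);
	init = racoon_malloc(tmplen);
	if (init == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "unable to alloc ldap init url\n");
		goto ldap_group_end;
	}
	n = snprintf(init, tmplen, "ldap://%s:%d",
	    xauth_ldap_config.host->v,
	    xauth_ldap_config.port);
	if (n < 0 || (size_t)n >= tmplen) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "ldap init url does not fit its buffer\n");
		goto ldap_group_end;
	}

	/* initialize the ldap handle */
	res = ldap_initialize(&ld, init);
	if (res != LDAP_SUCCESS) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "ldap_initialize failed: %s\n",
		    ldap_err2string(res));
		goto ldap_group_end;
	}

	/*
	 * initialize the protocol version; a silently ignored failure would
	 * leave the library default in place, so treat it as fatal
	 */
	res = ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION,
	    &xauth_ldap_config.pver);
	if (res != LDAP_SUCCESS) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "ldap_set_option (protocol version) failed: %s\n",
		    ldap_err2string(res));
		goto ldap_group_end;
	}

	/* Enable TLS */
	if (xauth_ldap_config.tls) {
		res = ldap_start_tls_s(ld, NULL, NULL);
		if (res != LDAP_SUCCESS) {
			plog(LLV_ERROR, LOCATION, NULL,
			    "ldap_start_tls_s failed: %s\n",
			    ldap_err2string(res));
			goto ldap_group_end;
		}
	}

	/*
	 * attempt to bind to the ldap server.
	 * default to anonymous bind unless a
	 * user dn and password has been
	 * specified in our configuration
	 */
	if ((xauth_ldap_config.bind_dn != NULL) &&
	    (xauth_ldap_config.bind_pw != NULL)) {
		cred.bv_val = xauth_ldap_config.bind_pw->v;
		cred.bv_len = strlen(cred.bv_val);
		res = ldap_sasl_bind_s(ld,
		    xauth_ldap_config.bind_dn->v, NULL, &cred,
		    NULL, NULL, NULL);
	} else {
		res = ldap_sasl_bind_s(ld,
		    NULL, NULL, NULL,
		    NULL, NULL, NULL);
	}

	if (res != LDAP_SUCCESS) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "ldap_sasl_bind_s (search) failed: %s\n",
		    ldap_err2string(res));
		goto ldap_group_end;
	}

	/*
	 * build an ldap group search filter; the group name and the user dn
	 * are escaped so that filter metacharacters in either (a dn with an
	 * escaped comma contains a backslash, for instance) neither break
	 * the filter nor widen the match
	 */
	egrp = xauth_ldap_filter_escape(grp);
	eudn = xauth_ldap_filter_escape(udn);
	if (egrp == NULL || eudn == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "unable to alloc escaped ldap filter values\n");
		goto ldap_group_end;
	}
	tmplen = strlen("(&(=)(=))") + 1;
	tmplen += strlen(xauth_ldap_config.attr_group->v);
	tmplen += strlen(egrp);
	tmplen += strlen(xauth_ldap_config.attr_member->v);
	tmplen += strlen(eudn);
	filter = racoon_malloc(tmplen);
	if (filter == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "unable to alloc ldap search filter buffer\n");
		goto ldap_group_end;
	}
	n = snprintf(filter, tmplen, "(&(%s=%s)(%s=%s))",
	    xauth_ldap_config.attr_group->v, egrp,
	    xauth_ldap_config.attr_member->v, eudn);
	if (n < 0 || (size_t)n >= tmplen) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "ldap search filter does not fit its buffer\n");
		goto ldap_group_end;
	}

	/* attempt to locate the group dn */
	if (xauth_ldap_config.base != NULL)
		basedn = xauth_ldap_config.base->v;
	if (xauth_ldap_config.subtree)
		scope = LDAP_SCOPE_SUBTREE;
	/* bound the directory round trip; 2 entries is all we look at */
	timeout.tv_sec = 15;
	timeout.tv_usec = 0;
	res = ldap_search_ext_s(ld, basedn, scope,
	    filter, NULL, 0, NULL, NULL,
	    &timeout, 2, &lr);
	if (res != LDAP_SUCCESS) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "ldap_search_ext_s failed: %s\n",
		    ldap_err2string(res));
		goto ldap_group_end;
	}

	/* check the number of ldap entries returned */
	ecount = ldap_count_entries(ld, lr);
	if (ecount < 1) {
		plog(LLV_WARNING, LOCATION, NULL,
		    "no ldap results for filter \'%s\'\n",
		    filter);
		goto ldap_group_end;
	}

	/*
	 * success: membership is established by the matching entry count.
	 * The dn retrieval below only feeds the log line, so its failure is
	 * reported but does not revoke the result.
	 */
	rtn = 0;

	/* obtain the dn from the first result */
	le = ldap_first_entry(ld, lr);
	if (le == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "ldap_first_entry failed: invalid entry returned\n");
		goto ldap_group_end;
	}
	groupdn = ldap_get_dn(ld, le);
	if (groupdn == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "ldap_get_dn failed: invalid string returned\n");
		goto ldap_group_end;
	}

	plog(LLV_INFO, LOCATION, NULL,
	    "ldap membership group returned \'%s\'\n", groupdn);
ldap_group_end:

	/* free ldap resources */
	if (groupdn != NULL)
		ldap_memfree(groupdn);
	if (filter != NULL)
		racoon_free(filter);
	if (egrp != NULL)
		racoon_free(egrp);
	if (eudn != NULL)
		racoon_free(eudn);
	if (lr != NULL)
		ldap_msgfree(lr);
	if (init != NULL)
		racoon_free(init);

	/* ld is still NULL when url allocation or ldap_initialize failed */
	if (ld != NULL)
		ldap_unbind_ext_s(ld, NULL, NULL);

	return rtn;
}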
1291
1292 #endif
1293
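/*
 * Compare two NUL-terminated hash strings without leaking, through
 * timing, the position of the first differing byte.  The loop always
 * runs to the end of the longer string.  Returns 1 when equal, else 0.
 */
static int
xauth_hash_equal(const char *a, const char *b)
{
	size_t alen = strlen(a);
	size_t blen = strlen(b);
	size_t len = alen > blen ? alen : blen;
	unsigned char diff = (unsigned char)(alen != blen);
	size_t i;

	for (i = 0; i < len; i++) {
		unsigned char ca = i < alen ? (unsigned char)a[i] : 0;
		unsigned char cb = i < blen ? (unsigned char)b[i] : 0;

		diff |= (unsigned char)(ca ^ cb);
	}

	return diff == 0;
}

/*
 * Validate a login name and password against the local account database.
 * The stored hash is taken from the shadow database when HAVE_SHADOW_H is
 * set, from the passwd entry otherwise.
 *
 * usr: login name looked up with getspnam()/getpwnam().
 * pwd: cleartext password to check.
 *
 * Returns 0 when crypt(pwd, hash) reproduces the stored hash, -1 when the
 * account is unknown, is root (uid 0), has no usable hash, or the
 * password does not match.
 */
int
xauth_login_system(char *usr, char *pwd)
{
	struct passwd *pw;
	char *cryptpwd;
	char *syscryptpwd;
#ifdef HAVE_SHADOW_H
	struct spwd *spw;
#endif

	if (usr == NULL || pwd == NULL)
		return -1;

#ifdef HAVE_SHADOW_H
	if ((spw = getspnam(usr)) == NULL)
		return -1;

	syscryptpwd = spw->sp_pwdp;
#endif

	if ((pw = getpwnam(usr)) == NULL)
		return -1;

#ifndef HAVE_SHADOW_H
	syscryptpwd = pw->pw_passwd;
#endif

	/* No root login. Ever. */
	if (pw->pw_uid == 0)
		return -1;

	/*
	 * An empty or locked hash ("*", "!") can never match.  Reject it
	 * here rather than relying on how crypt() treats a malformed
	 * setting string.
	 */
	if (syscryptpwd == NULL || syscryptpwd[0] == '\0' ||
	    syscryptpwd[0] == '*' || syscryptpwd[0] == '!')
		return -1;

	if ((cryptpwd = crypt(pwd, syscryptpwd)) == NULL)
		return -1;

	/* constant-time: do not reveal how much of the hash matched */
	if (xauth_hash_equal(cryptpwd, syscryptpwd))
		return 0;

	return -1;
}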
1328
/*
 * Check whether usr is listed as a member of the system group grp.
 * Only the group's explicit member list (gr_mem) is consulted; a user
 * whose passwd primary gid is this group but who is not listed there
 * is not recognised.  Returns 0 on membership, -1 when the group is
 * unknown or usr is not a member.
 */
static int
xauth_group_system(char *usr, char *grp)
{
	struct group *gr = getgrnam(grp);
	char **member;

	if (gr == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "the system group name \'%s\' is unknown\n",
		    grp);
		return -1;
	}

	/* gr_mem is a NULL-terminated vector of member names */
	for (member = gr->gr_mem; *member != NULL; member++) {
		if (strcmp(*member, usr) == 0) {
			plog(LLV_INFO, LOCATION, NULL,
			    "membership validated\n");
			return 0;
		}
	}

	return -1;
}
1354
/*
 * Enforce that Xauth actually completed when the negotiated authmethod
 * requires it.  Only the responder (server / edge device) variants are
 * checked; for every other authmethod, including all initiator ones,
 * nothing is verified and 0 is returned.
 *
 * Returns 0 when no check applies or the check passed, -1 when the peer
 * never announced Xauth capability or the Xauth state is not XAUTHST_OK.
 */
int
xauth_check(struct ph1handle *iph1)
{
	struct xauth_state *xst = &iph1->mode_cfg->xauth;
	int responder_xauth;

	switch (iph1->approval->authmethod) {
	case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R:
	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R:
	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R:
	/* The following are not yet implemented */
	case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R:
	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R:
	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R:
	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R:
		responder_xauth = 1;
		break;
	default:
		responder_xauth = 0;
		break;
	}

	/* client side (roadwarrior): nothing to verify */
	if (!responder_xauth)
		return 0;

	if ((iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) == 0) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "Hybrid auth negotiated but peer did not "
		    "announced as Xauth capable\n");
		return -1;
	}

	if (xst->status != XAUTHST_OK) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "Hybrid auth negotiated but peer did not "
		    "succeed Xauth exchange\n");
		return -1;
	}

	return 0;
}
1393
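/*
 * Check whether the Xauth user of iph1 belongs to at least one of the
 * grp_count groups in grp_list, using the group source selected by
 * isakmp_cfg_config.groupsource (system groups or, with HAVE_LIBLDAP,
 * an LDAP directory).
 *
 * Returns 0 on the first group that matches; -1 when mode-cfg data or
 * the Xauth user name is missing, when grp_list is NULL for a positive
 * grp_count, when the group source is unknown, or when no group matches
 * (which includes an empty list).
 */
int
group_check(struct ph1handle *iph1, char **grp_list, int grp_count)
{
	int res = -1;
	int grp_index;
	char *usr;

	/* check for presence of modecfg data */
	if (iph1->mode_cfg == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "xauth group specified but modecfg not found\n");
		return res;
	}

	/* check for presence of xauth data; it is the same for every group */
	usr = iph1->mode_cfg->xauth.authdata.generic.usr;
	if (usr == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "xauth group specified but xauth not found\n");
		return res;
	}

	if (grp_count > 0 && grp_list == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "xauth group count given without a group list\n");
		return res;
	}

	/* loop through our group list */
	for (grp_index = 0; grp_index < grp_count; grp_index++) {

		/* call appropriate group validation function */
		switch (isakmp_cfg_config.groupsource) {

		case ISAKMP_CFG_GROUP_SYSTEM:
			res = xauth_group_system(
			    usr,
			    grp_list[grp_index]);
			break;

#ifdef HAVE_LIBLDAP
		case ISAKMP_CFG_GROUP_LDAP:
			res = xauth_group_ldap(
			    iph1->mode_cfg->xauth.udn,
			    grp_list[grp_index]);
			break;
#endif

		default:
			/*
			 * we should never get here; the source does not
			 * change per group, so trying the rest is pointless
			 */
			plog(LLV_ERROR, LOCATION, NULL,
			    "Unknown group auth source\n");
			return -1;
		}

		if (res == 0) {
			plog(LLV_INFO, LOCATION, NULL,
			    "user \"%s\" is a member of group \"%s\"\n",
			    usr,
			    grp_list[grp_index]);
			return 0;
		}

		plog(LLV_INFO, LOCATION, NULL,
		    "user \"%s\" is not a member of group \"%s\"\n",
		    usr,
		    grp_list[grp_index]);
	}

	return res;
}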
1464
/*
 * Build the reply to an ISAKMP mode-cfg Xauth REQUEST attribute, i.e. the
 * client (roadwarrior) side of the exchange.
 *
 * iph1: phase-1 handle whose rmconf->xauth holds the login name and,
 *       optionally, a password set through racoonctl.
 * attr: the received attribute, type and lorv in network byte order.
 *
 * Returns a freshly vmalloc'd attribute to send back, or NULL when no
 * reply is produced: the peer never announced Xauth support, the
 * attribute is malformed or unsupported, no login is configured, no
 * password can be found, or allocation fails.  XAUTH_MESSAGE is only
 * logged and never answered.  Ownership of the returned buffer passes to
 * the caller; for XAUTH_USER_PASSWORD it carries the cleartext password.
 */
vchar_t *
isakmp_xauth_req(struct ph1handle *iph1, struct isakmp_data *attr)
{
	int type;
	size_t dlen = 0;	/* payload length of the TLV reply */
	int ashort = 0;		/* reply as a short (TV) attribute */
	int value = 0;		/* TV value, used when ashort is set */
	vchar_t *buffer = NULL;
	char *mraw = NULL, *mdata;
	char *data;
	vchar_t *usr = NULL;
	vchar_t *pwd = NULL;
	size_t skip = 0;
	int freepwd = 0;	/* pwd came from getpskbyname() and is ours to free */

	if ((iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) == 0) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "Xauth mode config request but peer "
		    "did not declare itself as Xauth capable\n");
		return NULL;
	}

	/* strip the TV/TLV format bit to get the bare attribute type */
	type = ntohs(attr->type) & ~ISAKMP_GEN_MASK;

	/* Sanity checks */
	switch(type) {
	case XAUTH_TYPE:
		/* only the short form announcing XAUTH_TYPE_GENERIC is accepted */
		if ((ntohs(attr->type) & ISAKMP_GEN_TV) == 0) {
			plog(LLV_ERROR, LOCATION, NULL,
			    "Unexpected long XAUTH_TYPE attribute\n");
			return NULL;
		}
		if (ntohs(attr->lorv) != XAUTH_TYPE_GENERIC) {
			plog(LLV_ERROR, LOCATION, NULL,
			    "Unsupported Xauth authentication %d\n",
			    ntohs(attr->lorv));
			return NULL;
		}
		ashort = 1;
		dlen = 0;
		value = XAUTH_TYPE_GENERIC;
		break;

	case XAUTH_USER_NAME:
		if (!iph1->rmconf->xauth || !iph1->rmconf->xauth->login) {
			plog(LLV_ERROR, LOCATION, NULL, "Xauth performed "
			    "with no login supplied\n");
			return NULL;
		}

		/*
		 * login->l counts one byte that is not sent (presumably a
		 * trailing NUL — the password case below sends pwd->l
		 * bytes unchanged, so confirm both lengths are consistent).
		 */
		dlen = iph1->rmconf->xauth->login->l - 1;
		iph1->rmconf->xauth->state |= XAUTH_SENT_USERNAME;
		break;

	case XAUTH_USER_PASSWORD:
		if (!iph1->rmconf->xauth || !iph1->rmconf->xauth->login)
			return NULL;

		/*
		 * getpskbyname() apparently expects the login preceded by
		 * a zeroed identifier header, so build that temporary key.
		 */
		skip = sizeof(struct ipsecdoi_id_b);
		usr = vmalloc(iph1->rmconf->xauth->login->l - 1 + skip);
		if (usr == NULL) {
			plog(LLV_ERROR, LOCATION, NULL,
			    "Cannot allocate memory\n");
			return NULL;
		}
		memset(usr->v, 0, skip);
		memcpy(usr->v + skip,
		    iph1->rmconf->xauth->login->v,
		    iph1->rmconf->xauth->login->l - 1);

		if (iph1->rmconf->xauth->pass) {
			/* A key given through racoonctl */
			pwd = iph1->rmconf->xauth->pass;
		} else {
			if ((pwd = getpskbyname(usr)) == NULL) {
				plog(LLV_ERROR, LOCATION, NULL,
				    "No password was found for login %s\n",
				    iph1->rmconf->xauth->login->v);
				vfree(usr);
				return NULL;
			}
			/* We have to free it before returning */
			freepwd = 1;
		}
		vfree(usr);

		iph1->rmconf->xauth->state |= XAUTH_SENT_PASSWORD;
		dlen = pwd->l;

		break;
	case XAUTH_MESSAGE:
		/*
		 * Informational text from the server.  It is passed through
		 * binsanitize() (presumably to neutralise non-printable
		 * bytes) before it reaches the log, and no reply is built.
		 */
		if ((ntohs(attr->type) & ISAKMP_GEN_TV) == 0) {
			dlen = ntohs(attr->lorv);
			if (dlen > 0) {
				mraw = (char*)(attr + 1);
				mdata = binsanitize(mraw, dlen);
				if (mdata == NULL) {
					plog(LLV_ERROR, LOCATION, iph1->remote,
					    "Cannot allocate memory\n");
					return NULL;
				}
				plog(LLV_NOTIFY,LOCATION, iph1->remote,
				    "XAUTH Message: '%s'.\n",
				    mdata);
				racoon_free(mdata);
			}
		}
		return NULL;
	default:
		plog(LLV_WARNING, LOCATION, NULL,
		    "Ignored attribute %s\n", s_isakmp_cfg_type(type));
		return NULL;
	}

	/* reply buffer: attribute header plus dlen payload bytes */
	if ((buffer = vmalloc(sizeof(*attr) + dlen)) == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "Cannot allocate memory\n");
		goto out;
	}

	/* from here on attr points into our own buffer, not the request */
	attr = (struct isakmp_data *)buffer->v;
	if (ashort) {
		attr->type = htons(type | ISAKMP_GEN_TV);
		attr->lorv = htons(value);
		goto out;
	}

	attr->type = htons(type | ISAKMP_GEN_TLV);
	attr->lorv = htons(dlen);
	data = (char *)(attr + 1);

	switch(type) {
	case XAUTH_USER_NAME:
		/*
		 * iph1->rmconf->xauth->login->v is valid,
		 * we just checked it in the previous switch case
		 */
		memcpy(data, iph1->rmconf->xauth->login->v, dlen);
		break;
	case XAUTH_USER_PASSWORD:
		memcpy(data, pwd->v, dlen);
		break;
	default:
		break;
	}

out:
	/* release the psk-file copy; a racoonctl password stays in rmconf */
	if (freepwd)
		vfree(pwd);

	return buffer;
}
1617
/*
 * Handle an ISAKMP mode-cfg SET attribute carrying Xauth data and build
 * the acknowledgement: an empty TV attribute of the same type.
 *
 * XAUTH_STATUS is only accepted while we run an initiator Xauth
 * authmethod; a status other than XAUTH_STATUS_OK raises
 * EVT_PHASE1_XAUTH_FAILED and marks the phase-1 handle for deletion,
 * otherwise EVT_PHASE1_XAUTH_SUCCESS is raised.  XAUTH_MESSAGE text is
 * sanitised and logged.
 *
 * Returns the vmalloc'd ack (caller frees), or NULL when the peer never
 * announced Xauth support, XAUTH_STATUS arrives in the wrong role, the
 * attribute type is not handled, or allocation fails.
 */
vchar_t *
isakmp_xauth_set(struct ph1handle *iph1, struct isakmp_data *attr)
{
	int type;
	vchar_t *buffer = NULL;
	size_t dlen = 0;
	char* mraw = NULL, *mdata;
	int authmethod;
	int initiator_xauth;

	if ((iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) == 0) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "Xauth mode config set but peer "
		    "did not declare itself as Xauth capable\n");
		return NULL;
	}

	type = ntohs(attr->type) & ~ISAKMP_GEN_MASK;

	if (type == XAUTH_STATUS) {
		/*
		 * We should only receive ISAKMP mode_cfg SET XAUTH_STATUS
		 * when running as a client (initiator).
		 */
		authmethod = iph1->approval->authmethod;
		initiator_xauth =
		    authmethod == OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I ||
		    authmethod == OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_I ||
		    authmethod == OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I ||
		    /* Not implemented ... */
		    authmethod == OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I ||
		    authmethod == OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I ||
		    authmethod == OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I ||
		    authmethod == OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I;
		if (!initiator_xauth) {
			plog(LLV_ERROR, LOCATION, NULL,
			    "Unexpected XAUTH_STATUS_OK\n");
			return NULL;
		}

		if (ntohs(attr->lorv) == XAUTH_STATUS_OK) {
			evt_phase1(iph1, EVT_PHASE1_XAUTH_SUCCESS, NULL);
		} else {
			/* If we got a failure, delete iph1 */
			plog(LLV_ERROR, LOCATION, NULL,
			    "Xauth authentication failed\n");

			evt_phase1(iph1, EVT_PHASE1_XAUTH_FAILED, NULL);

			iph1->mode_cfg->flags |= ISAKMP_CFG_DELETE_PH1;
		}
		/* We acknowledge it */
	} else if (type == XAUTH_MESSAGE) {
		if ((ntohs(attr->type) & ISAKMP_GEN_TV) == 0) {
			dlen = ntohs(attr->lorv);
			if (dlen > 0) {
				mraw = (char*)(attr + 1);
				mdata = binsanitize(mraw, dlen);
				if (mdata == NULL) {
					plog(LLV_ERROR, LOCATION, iph1->remote,
					    "Cannot allocate memory\n");
					return NULL;
				}
				plog(LLV_NOTIFY,LOCATION, iph1->remote,
				    "XAUTH Message: '%s'.\n",
				    mdata);
				racoon_free(mdata);
			}
		}
	} else {
		plog(LLV_WARNING, LOCATION, NULL,
		    "Ignored attribute %s\n", s_isakmp_cfg_type(type));
		return NULL;
	}

	/* the ack is a bare TV attribute with a zero value */
	buffer = vmalloc(sizeof(*attr));
	if (buffer == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "Cannot allocate memory\n");
		return NULL;
	}

	attr = (struct isakmp_data *)buffer->v;
	attr->type = htons(type | ISAKMP_GEN_TV);
	attr->lorv = htons(0);

	return buffer;
}
1709
1710
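/*
 * Release the per-peer Xauth data held in xst.  The xauth_state is
 * embedded in its mode_cfg (see xauth_check) and is not freed here, so
 * every pointer released is also reset to NULL: a stale pointer left
 * behind would turn a second cleanup into a double free.
 *
 * Only XAUTH_TYPE_GENERIC carries heap data; the other authtypes are
 * logged as unsupported or unexpected.  A NULL xst is ignored.
 */
void
xauth_rmstate(struct xauth_state *xst)
{
	if (xst == NULL)
		return;

	switch (xst->authtype) {
	case XAUTH_TYPE_GENERIC:
		if (xst->authdata.generic.usr) {
			racoon_free(xst->authdata.generic.usr);
			xst->authdata.generic.usr = NULL;
		}

		if (xst->authdata.generic.pwd) {
			/*
			 * NOTE(review): this is the peer's password and it is
			 * released without zeroization; add that once its
			 * length representation is confirmed.
			 */
			racoon_free(xst->authdata.generic.pwd);
			xst->authdata.generic.pwd = NULL;
		}

		break;

	case XAUTH_TYPE_CHAP:
	case XAUTH_TYPE_OTP:
	case XAUTH_TYPE_SKEY:
		plog(LLV_WARNING, LOCATION, NULL,
		    "Unsupported authtype %d\n", xst->authtype);
		break;

	default:
		plog(LLV_WARNING, LOCATION, NULL,
		    "Unexpected authtype %d\n", xst->authtype);
		break;
	}

#ifdef HAVE_LIBLDAP
	if (xst->udn != NULL) {
		racoon_free(xst->udn);
		xst->udn = NULL;
	}
#endif
	return;
}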
1743
/*
 * Make sure *xauth_rmconf points at an xauth_rmconf, allocating an empty
 * one (no login, no password, state 0) when it is still NULL.
 * Returns 0 on success, -1 when the allocation fails (*xauth_rmconf is
 * then left NULL).
 */
int
xauth_rmconf_used(struct xauth_rmconf **xauth_rmconf)
{
	struct xauth_rmconf *rc = *xauth_rmconf;

	if (rc != NULL)
		return 0;

	rc = racoon_malloc(sizeof(*rc));
	if (rc == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "xauth_rmconf_used: malloc failed\n");
		return -1;
	}

	rc->login = NULL;
	rc->pass = NULL;
	rc->state = 0;
	*xauth_rmconf = rc;

	return 0;
}
1762
/*
 * Free *xauth_rmconf together with its login and password buffers and
 * reset the caller's pointer to NULL.  A NULL *xauth_rmconf is a no-op.
 */
void
xauth_rmconf_delete(struct xauth_rmconf **xauth_rmconf)
{
	struct xauth_rmconf *rc = *xauth_rmconf;

	if (rc == NULL)
		return;

	if (rc->login != NULL)
		vfree(rc->login);
	if (rc->pass != NULL)
		vfree(rc->pass);

	racoon_free(rc);
	*xauth_rmconf = NULL;
}
1778
/*
 * Deep-copy an xauth_rmconf: the struct is copied wholesale, then the
 * login and password vchar buffers are duplicated with vdup() when
 * present.  Returns the new copy (caller releases it with
 * xauth_rmconf_delete), or NULL when xauth_rmconf is NULL or any
 * allocation fails; on failure nothing of the copy is leaked.
 */
struct xauth_rmconf *
xauth_rmconf_dup(struct xauth_rmconf *xauth_rmconf)
{
	struct xauth_rmconf *copy;

	if (xauth_rmconf == NULL)
		return NULL;

	copy = racoon_malloc(sizeof(*copy));
	if (copy == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "%s: malloc failed\n", __func__);
		return NULL;
	}

	/* shallow copy first; the buffer pointers are replaced below */
	memcpy(copy, xauth_rmconf, sizeof(*copy));

	if (xauth_rmconf->login != NULL &&
	    (copy->login = vdup(xauth_rmconf->login)) == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "%s: malloc failed (login)\n", __func__);
		goto fail;
	}
	if (xauth_rmconf->pass != NULL &&
	    (copy->pass = vdup(xauth_rmconf->pass)) == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "%s: malloc failed (password)\n", __func__);
		goto fail;
	}

	return copy;

fail:
	/* copy->login is either our own duplicate or NULL at this point */
	vfree(copy->login);
	racoon_free(copy);
	return NULL;
}
1820