1 /*        $NetBSD: isakmp_xauth.c,v 1.35 2025/03/07 15:55:29 christos Exp $     */
2 
3 /* Id: isakmp_xauth.c,v 1.38 2006/08/22 18:17:17 manubsd Exp */
4 
5 /*
6  * Copyright (C) 2004-2005 Emmanuel Dreyfus
7  * All rights reserved.
8  *
9  * Redistribution and use in source and binary forms, with or without
10  * modification, are permitted provided that the following conditions
11  * are met:
12  * 1. Redistributions of source code must retain the above copyright
13  *    notice, this list of conditions and the following disclaimer.
14  * 2. Redistributions in binary form must reproduce the above copyright
15  *    notice, this list of conditions and the following disclaimer in the
16  *    documentation and/or other materials provided with the distribution.
17  * 3. Neither the name of the project nor the names of its contributors
18  *    may be used to endorse or promote products derived from this software
19  *    without specific prior written permission.
20  *
21  * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
22  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24  * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
25  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31  * SUCH DAMAGE.
32  */
33 
34 #include "config.h"
35 
36 #include <sys/types.h>
37 #include <sys/param.h>
38 #include <sys/socket.h>
39 #include <sys/queue.h>
40 
41 #include <netinet/in.h>
42 
43 #include <assert.h>
44 #include <stdlib.h>
45 #include <stdio.h>
46 #include <string.h>
47 #include <errno.h>
48 #include <pwd.h>
49 #include <grp.h>
50 #if TIME_WITH_SYS_TIME
51 # include <sys/time.h>
52 # include <time.h>
53 #else
54 # if HAVE_SYS_TIME_H
55 #  include <sys/time.h>
56 # else
57 #  include <time.h>
58 # endif
59 #endif
60 #include <netdb.h>
61 #ifdef HAVE_UNISTD_H
62 #include <unistd.h>
63 #endif
64 #include <ctype.h>
65 #include <resolv.h>
66 
67 #ifdef HAVE_SHADOW_H
68 #include <shadow.h>
69 #endif
70 
71 #include "var.h"
72 #include "misc.h"
73 #include "vmbuf.h"
74 #include "plog.h"
75 #include "sockmisc.h"
76 #include "schedule.h"
77 #include "debug.h"
78 
79 #include "crypto_openssl.h"
80 #include "isakmp_var.h"
81 #include "isakmp.h"
82 #include "admin.h"
83 #include "privsep.h"
84 #include "evt.h"
85 #include "handler.h"
86 #include "throttle.h"
87 #include "remoteconf.h"
88 #include "isakmp_inf.h"
89 #include "isakmp_xauth.h"
90 #include "isakmp_unity.h"
91 #include "isakmp_cfg.h"
92 #include "strnames.h"
93 #include "ipsec_doi.h"
94 #include "remoteconf.h"
95 #include "localconf.h"
96 
97 #ifdef HAVE_LIBRADIUS
98 #include <radlib.h>
/* libradius handle used for Access-Requests; opened on demand by xauth_radius_init(). */
static struct rad_handle *radius_auth_state = NULL;
/* libradius handle for accounting; non-static, so presumably shared with another unit — confirm. */
struct rad_handle *radius_acct_state = NULL;
/* RADIUS server lists, timeout and retry settings; zeroed by xauth_radius_init_conf(). */
struct xauth_rad_config xauth_rad_config;
102 #endif
103 
104 #ifdef HAVE_LIBPAM
105 #include <security/pam_appl.h>
106 
/*
 * Credentials handed to PAM_conv() while pam_authenticate() runs.
 * xauth_login_pam() sets them right before that call and clears them
 * right after, so they are NULL at any other time (including during
 * pam_acct_mgmt() and pam_setcred()).
 */
static char *PAM_usr = NULL;
static char *PAM_pwd = NULL;
static int PAM_conv(int, const struct pam_message **,
    struct pam_response **, void *);
/* Conversation passed to every pam_start() done by xauth_login_pam(). */
static struct pam_conv PAM_chat = { &PAM_conv, NULL };
112 #endif
113 
114 #ifdef HAVE_LIBLDAP
115 #include "ldap.h"
116 #include <arpa/inet.h>
/* LDAP Xauth settings; defaults are installed by xauth_ldap_init_conf(). */
struct xauth_ldap_config xauth_ldap_config;
118 #endif
119 
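/*
 * Send the initial Xauth request (ISAKMP_CFG_REQUEST) to the peer, asking
 * for an authentication type, a user name and a password.
 *
 * iph1 must have completed phase 1 and its Xauth state must still be
 * XAUTHST_NOTYET; otherwise the request is refused and logged.  On success
 * the Xauth state moves to XAUTHST_REQSENT.  Failures are only logged.
 */
void
xauth_sendreq(struct ph1handle *iph1)
{
	vchar_t *buffer;
	struct isakmp_pl_attr *attr;
	struct isakmp_data *typeattr;
	struct isakmp_data *usrattr;
	struct isakmp_data *pwdattr;
	struct xauth_state *xst = &iph1->mode_cfg->xauth;
	size_t tlen;

	/* Status checks */
	if (iph1->status < PHASE1ST_ESTABLISHED) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "Xauth request while phase 1 is not completed\n");
		return;
	}

	if (xst->status != XAUTHST_NOTYET) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "Xauth request with Xauth state %d\n", xst->status);
		return;
	}

	plog(LLV_INFO, LOCATION, NULL, "Sending Xauth request\n");

	/* Attribute payload header followed by three fixed-size attributes. */
	tlen = sizeof(*attr) + sizeof(*typeattr) +
	    sizeof(*usrattr) + sizeof(*pwdattr);

	if ((buffer = vmalloc(tlen)) == NULL) {
		plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate buffer\n");
		return;
	}

	attr = (struct isakmp_pl_attr *)buffer->v;
	memset(attr, 0, tlen);

	attr->h.len = htons(tlen);
	attr->type = ISAKMP_CFG_REQUEST;
	/* Transaction id of this exchange. */
	attr->id = htons(eay_random());

	/* XAUTH_TYPE is a TV attribute carrying the requested auth type. */
	typeattr = (struct isakmp_data *)(attr + 1);
	typeattr->type = htons(XAUTH_TYPE | ISAKMP_GEN_TV);
	typeattr->lorv = htons(XAUTH_TYPE_GENERIC);

	/* User name and password are requested as empty TLV attributes. */
	usrattr = (struct isakmp_data *)(typeattr + 1);
	usrattr->type = htons(XAUTH_USER_NAME | ISAKMP_GEN_TLV);
	usrattr->lorv = htons(0);

	pwdattr = (struct isakmp_data *)(usrattr + 1);
	pwdattr->type = htons(XAUTH_USER_PASSWORD | ISAKMP_GEN_TLV);
	pwdattr->lorv = htons(0);

	isakmp_cfg_send(iph1, buffer,
	    ISAKMP_NPTYPE_ATTR, ISAKMP_FLAG_E, 1);

	vfree(buffer);

	xst->status = XAUTHST_REQSENT;
}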
184 
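/*
 * Handle one Xauth attribute from the peer's ISAKMP_CFG_REPLY.
 *
 * XAUTH_TYPE must be generic; XAUTH_USER_NAME and XAUTH_USER_PASSWORD are
 * copied into the phase 1 Xauth state.  Once both a user name and a
 * password are present the credentials are checked against the configured
 * authentication source (and, optionally, the group list), the remote host
 * is throttled on failure, and the verdict is delivered through
 * xauth_reply() — immediately, or via xauth_reply_stub() once the throttle
 * delay has elapsed.
 *
 * id is the transaction id of the peer's reply; it is passed on to the
 * status message.  Returns 0 on success or when the verdict was deferred,
 * -1 on an unexpected attribute, allocation failure, or (through
 * xauth_reply()) when the login fails.
 */
int
xauth_attr_reply(struct ph1handle *iph1, struct isakmp_data *attr, int id)
{
	char **outlet = NULL;
	size_t alen = 0;
	int type;
	struct xauth_state *xst = &iph1->mode_cfg->xauth;

	if ((iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) == 0) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "Xauth reply but peer did not declare "
		    "itself as Xauth capable\n");
		return -1;
	}

	if (xst->status != XAUTHST_REQSENT) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "Xauth reply while Xauth state is %d\n", xst->status);
		return -1;
	}

	type = ntohs(attr->type) & ~ISAKMP_GEN_MASK;
	switch (type) {
	case XAUTH_TYPE:
		switch (ntohs(attr->lorv)) {
		case XAUTH_TYPE_GENERIC:
			xst->authtype = XAUTH_TYPE_GENERIC;
			break;
		default:
			/* Report the offered type value (lorv), not the attribute id. */
			plog(LLV_WARNING, LOCATION, NULL,
			    "Unexpected authentication type %d\n",
			    ntohs(attr->lorv));
			return -1;
		}
		break;

	case XAUTH_USER_NAME:
		outlet = &xst->authdata.generic.usr;
		break;

	case XAUTH_USER_PASSWORD:
		outlet = &xst->authdata.generic.pwd;
		break;

	default:
		plog(LLV_WARNING, LOCATION, NULL,
		    "ignored Xauth attribute %d\n", type);
		break;
	}

	if (outlet != NULL) {
		/*
		 * NOTE(review): alen is the peer-supplied TLV length.  This
		 * relies on the caller having checked that the attribute
		 * fits inside the received payload before handing it over.
		 */
		alen = ntohs(attr->lorv);

		/* A repeated attribute replaces the earlier copy instead of leaking it. */
		if (*outlet != NULL)
			racoon_free(*outlet);

		if ((*outlet = racoon_malloc(alen + 1)) == NULL) {
			plog(LLV_ERROR, LOCATION, NULL,
			    "Cannot allocate memory for Xauth Data\n");
			return -1;
		}

		memcpy(*outlet, attr + 1, alen);
		(*outlet)[alen] = '\0';
		outlet = NULL;
	}

	if ((xst->authdata.generic.usr != NULL) &&
	   (xst->authdata.generic.pwd != NULL)) {
		int port;
		int res;
		char *usr = xst->authdata.generic.usr;
		char *pwd = xst->authdata.generic.pwd;
		time_t throttle_delay = 0;

#if 0	/* Real debug, don't do that at home */
		plog(LLV_DEBUG, LOCATION, NULL,
		    "Got username \"%s\", password \"%s\"\n", usr, pwd);
#endif
		/* Truncate to LOGINLEN; assumes login holds LOGINLEN + 1 bytes. */
		strncpy(iph1->mode_cfg->login, usr, LOGINLEN);
		iph1->mode_cfg->login[LOGINLEN] = '\0';

		/* No port means no authentication attempt: fail straight away. */
		res = -1;
		if ((port = isakmp_cfg_getport(iph1)) == -1) {
			plog(LLV_ERROR, LOCATION, NULL,
			    "Port pool depleted\n");
			goto skip_auth;
		}

		switch (isakmp_cfg_config.authsource) {
		case ISAKMP_CFG_AUTH_SYSTEM:
			res = privsep_xauth_login_system(usr, pwd);
			break;
#ifdef HAVE_LIBRADIUS
		case ISAKMP_CFG_AUTH_RADIUS:
			res = xauth_login_radius(iph1, usr, pwd);
			break;
#endif
#ifdef HAVE_LIBPAM
		case ISAKMP_CFG_AUTH_PAM:
			res = privsep_xauth_login_pam(iph1->mode_cfg->port,
			    iph1->remote, usr, pwd);
			break;
#endif
#ifdef HAVE_LIBLDAP
		case ISAKMP_CFG_AUTH_LDAP:
			res = xauth_login_ldap(iph1, usr, pwd);
			break;
#endif
		default:
			plog(LLV_ERROR, LOCATION, NULL,
			    "Unexpected authentication source\n");
			res = -1;
			break;
		}

		/*
		 * Optional group authentication
		 */
		if (!res && (isakmp_cfg_config.groupcount))
			res = group_check(iph1,
				isakmp_cfg_config.grouplist,
				isakmp_cfg_config.groupcount);

		/*
		 * On failure, throttle the connection for the remote host
		 * in order to make password attacks more difficult.
		 */
		throttle_delay = throttle_host(iph1->remote, res);
		if (throttle_delay > 0) {
			char *str;

			str = saddrwop2str(iph1->remote);

			plog(LLV_ERROR, LOCATION, NULL,
			    "Throttling in action for %s: delay %lus\n",
			    str, (unsigned long)throttle_delay);
			res = -1;
		} else {
			throttle_delay = 0;
		}

skip_auth:
		if (throttle_delay != 0) {
			struct xauth_reply_arg *xra;

			if ((xra = racoon_calloc(1, sizeof(*xra))) == NULL) {
				plog(LLV_ERROR, LOCATION, NULL,
				    "malloc failed, bypass throttling\n");
				return xauth_reply(iph1, port, id, res);
			}

			/*
			 * We need to store the ph1, but it might have
			 * disappeared when xauth_reply is called, so
			 * store the index instead.
			 */
			xra->index = iph1->index;
			xra->port = port;
			xra->id = id;
			xra->res = res;
			sched_schedule(&xra->sc, throttle_delay,
					 xauth_reply_stub);
		} else {
			return xauth_reply(iph1, port, id, res);
		}
	}

	return 0;
}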
353 
/*
 * Scheduler callback that delivers a throttled Xauth verdict.  The phase 1
 * handle is looked up by index because it may have gone away while the
 * delay was running; the argument block is released either way.
 */
void
xauth_reply_stub(struct sched *sc)
{
	struct xauth_reply_arg *arg = container_of(sc, struct xauth_reply_arg, sc);
	struct ph1handle *ph1 = getph1byindex(&arg->index);

	if (ph1 == NULL)
		plog(LLV_ERROR, LOCATION, NULL,
		    "Delayed Xauth reply: phase 1 no longer exists.\n");
	else
		(void)xauth_reply(ph1, arg->port, arg->id, arg->res);

	racoon_free(arg);
}
368 
/*
 * Finish an Xauth exchange with verdict res (0 = authenticated).
 *
 * On success the state becomes XAUTHST_OK and XAUTH_STATUS_OK is sent.
 * On failure the port (if any) is returned to the pool, XAUTH_STATUS_FAIL
 * is sent, the state falls back to XAUTHST_NOTYET and the phase 1 SA is
 * torn down — the handle is removed and deleted, so callers must not use
 * iph1 after a -1 return.  Returns res == 0 ? 0 : -1.
 */
int
xauth_reply(struct ph1handle *iph1, int port, int id, int res)
{
	struct xauth_state *xst = &iph1->mode_cfg->xauth;
	const char *usr = xst->authdata.generic.usr;

	if (res == 0) {
		xst->status = XAUTHST_OK;
		plog(LLV_INFO, LOCATION, NULL,
		    "login succeeded for user \"%s\"\n", usr);
		xauth_sendstatus(iph1, XAUTH_STATUS_OK, id);
		return 0;
	}

	/* Give the port back before the handle goes away. */
	if (port != -1)
		isakmp_cfg_putport(iph1, port);

	plog(LLV_INFO, LOCATION, NULL,
	    "login failed for user \"%s\"\n", usr);

	xauth_sendstatus(iph1, XAUTH_STATUS_FAIL, id);
	xst->status = XAUTHST_NOTYET;

	/* Delete Phase 1 SA: tell the peer if it was established, then drop it. */
	if (iph1->status >= PHASE1ST_ESTABLISHED)
		isakmp_info_send_d1(iph1);
	remph1(iph1);
	delph1(iph1);

	return -1;
}
402 
/*
 * Send an ISAKMP_CFG_SET carrying a single XAUTH_STATUS attribute
 * (status is XAUTH_STATUS_OK or XAUTH_STATUS_FAIL) under transaction id.
 * An allocation failure is logged and nothing is sent.
 */
void
xauth_sendstatus(struct ph1handle *iph1, int status, int id)
{
	struct isakmp_pl_attr *hdr;
	struct isakmp_data *stat_attr;
	const size_t total = sizeof(*hdr) + sizeof(*stat_attr);
	vchar_t *msg = vmalloc(total);

	if (msg == NULL) {
		plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate buffer\n");
		return;
	}

	hdr = (struct isakmp_pl_attr *)msg->v;
	memset(hdr, 0, total);
	hdr->h.len = htons(total);
	hdr->type = ISAKMP_CFG_SET;
	hdr->id = htons(id);

	/* Single TV attribute right after the payload header. */
	stat_attr = (struct isakmp_data *)(hdr + 1);
	stat_attr->type = htons(XAUTH_STATUS | ISAKMP_GEN_TV);
	stat_attr->lorv = htons(status);

	isakmp_cfg_send(iph1, msg, ISAKMP_NPTYPE_ATTR, ISAKMP_FLAG_E, 1);
	vfree(msg);
}
437 
438 #ifdef HAVE_LIBRADIUS
/*
 * Reset the RADIUS configuration to all zeros.  When `free` is non-zero the
 * resources held by the previous configuration — the host and secret
 * buffers of every auth/acct server and the two open libradius handles —
 * are released first.  Always returns 0.
 */
int
xauth_radius_init_conf(int free)
{
	if (free) {
		int idx;

		/*
		 * NOTE(review): secret is the RADIUS shared secret; whether
		 * vfree() scrubs it before releasing is not visible here.
		 */
		for (idx = 0; idx < xauth_rad_config.auth_server_count; idx++) {
			vfree(xauth_rad_config.auth_server_list[idx].host);
			vfree(xauth_rad_config.auth_server_list[idx].secret);
		}
		for (idx = 0; idx < xauth_rad_config.acct_server_count; idx++) {
			vfree(xauth_rad_config.acct_server_list[idx].host);
			vfree(xauth_rad_config.acct_server_list[idx].secret);
		}

		if (radius_auth_state != NULL) {
			rad_close(radius_auth_state);
			radius_auth_state = NULL;
		}
		if (radius_acct_state != NULL) {
			rad_close(radius_acct_state);
			radius_acct_state = NULL;
		}
	}

	/* Start from a clean slate; the parser fills it in again. */
	memset(&xauth_rad_config, 0, sizeof(xauth_rad_config));
	return 0;
}
467 
/*
 * Lazily open the libradius handles the configuration asks for.
 *
 * For the authentication handle (authsource == ISAKMP_CFG_AUTH_RADIUS) and
 * the accounting handle (accounting == ISAKMP_CFG_ACCT_RADIUS) that are not
 * open yet: open the handle, register every server listed in
 * xauth_rad_config, and fall back to libradius' own configuration file when
 * none could be registered.  A handle that could not be configured is closed
 * and reset to NULL.  Returns 0 on success, -1 on failure.
 */
int
xauth_radius_init(void)
{
	if (isakmp_cfg_config.authsource == ISAKMP_CFG_AUTH_RADIUS &&
	    radius_auth_state == NULL) {
		int registered = 0;

		radius_auth_state = rad_auth_open();
		if (radius_auth_state == NULL) {
			plog(LLV_ERROR, LOCATION, NULL,
			    "Cannot init libradius\n");
			return -1;
		}

		/* A zero return from rad_add_server() means the server was taken. */
		for (int i = 0; i < xauth_rad_config.auth_server_count; i++) {
			if (rad_add_server(radius_auth_state,
			    xauth_rad_config.auth_server_list[i].host->v,
			    xauth_rad_config.auth_server_list[i].port,
			    xauth_rad_config.auth_server_list[i].secret->v,
			    xauth_rad_config.timeout,
			    xauth_rad_config.retries) == 0) {
				registered++;
				continue;
			}
			plog(LLV_WARNING, LOCATION, NULL,
			    "could not add radius auth server %s\n",
			    xauth_rad_config.auth_server_list[i].host->v);
		}

		/* No usable server of our own: let libradius read its config file. */
		if (registered == 0 &&
		    rad_config(radius_auth_state, NULL) != 0) {
			plog(LLV_ERROR, LOCATION, NULL,
			    "Cannot open libradius config file: %s\n",
			    rad_strerror(radius_auth_state));
			rad_close(radius_auth_state);
			radius_auth_state = NULL;
			return -1;
		}
	}

	if (isakmp_cfg_config.accounting == ISAKMP_CFG_ACCT_RADIUS &&
	    radius_acct_state == NULL) {
		int registered = 0;

		radius_acct_state = rad_acct_open();
		if (radius_acct_state == NULL) {
			plog(LLV_ERROR, LOCATION, NULL,
			    "Cannot init libradius\n");
			return -1;
		}

		for (int i = 0; i < xauth_rad_config.acct_server_count; i++) {
			if (rad_add_server(radius_acct_state,
			    xauth_rad_config.acct_server_list[i].host->v,
			    xauth_rad_config.acct_server_list[i].port,
			    xauth_rad_config.acct_server_list[i].secret->v,
			    xauth_rad_config.timeout,
			    xauth_rad_config.retries) == 0) {
				registered++;
				continue;
			}
			plog(LLV_WARNING, LOCATION, NULL,
			    "could not add radius account server %s\n",
			    xauth_rad_config.acct_server_list[i].host->v);
		}

		if (registered == 0 &&
		    rad_config(radius_acct_state, NULL) != 0) {
			plog(LLV_ERROR, LOCATION, NULL,
			    "Cannot open libradius config file: %s\n",
			    rad_strerror(radius_acct_state));
			rad_close(radius_acct_state);
			radius_acct_state = NULL;
			return -1;
		}
	}

	return 0;
}
554 
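/*
 * Authenticate usr/pwd against the RADIUS servers behind radius_auth_state.
 *
 * Builds an Access-Request carrying User-Name, User-Password, the peer's
 * address as Calling-Station-Id and the common attributes added by
 * isakmp_cfg_radius_common().  On Access-Accept, Framed-IP-Address and
 * Framed-IP-Netmask (when present) are stored in iph1->mode_cfg and
 * flagged as externally assigned.
 *
 * Returns 0 when access is granted, -1 on rejection or any error.
 */
int
xauth_login_radius(struct ph1handle *iph1, char *usr, char *pwd)
{
	int res;
	const void *data;
	size_t len;
	int type;

	if (rad_create_request(radius_auth_state, RAD_ACCESS_REQUEST) != 0) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "rad_create_request failed: %s\n",
		    rad_strerror(radius_auth_state));
		return -1;
	}

	if (rad_put_string(radius_auth_state, RAD_USER_NAME, usr) != 0) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "rad_put_string failed: %s\n",
		    rad_strerror(radius_auth_state));
		return -1;
	}

	if (rad_put_string(radius_auth_state, RAD_USER_PASSWORD, pwd) != 0) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "rad_put_string failed: %s\n",
		    rad_strerror(radius_auth_state));
		return -1;
	}

	/* Calling-Station-Id: report failure like the other attributes. */
	if (rad_put_string(radius_auth_state, RAD_CALLING_STATION_ID,
	    saddr2str(iph1->remote)) != 0) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "rad_put_string failed: %s\n",
		    rad_strerror(radius_auth_state));
		return -1;
	}

	if (isakmp_cfg_radius_common(radius_auth_state, iph1->mode_cfg->port) != 0)
		return -1;

	res = rad_send_request(radius_auth_state);
	switch (res) {
	case RAD_ACCESS_ACCEPT:
		/* Pick up the address assignment the server may have sent. */
		while ((type = rad_get_attr(radius_auth_state, &data, &len)) != 0) {
			switch (type) {
			case RAD_FRAMED_IP_ADDRESS:
				iph1->mode_cfg->addr4 = rad_cvt_addr(data);
				iph1->mode_cfg->flags
				    |= ISAKMP_CFG_ADDR4_EXTERN;
				break;

			case RAD_FRAMED_IP_NETMASK:
				iph1->mode_cfg->mask4 = rad_cvt_addr(data);
				iph1->mode_cfg->flags
				    |= ISAKMP_CFG_MASK4_EXTERN;
				break;

			default:
				plog(LLV_INFO, LOCATION, NULL,
				    "Unexpected attribute: %d\n", type);
				break;
			}
		}

		return 0;

	case RAD_ACCESS_REJECT:
		/* Not logged here; xauth_reply() reports the failed login. */
		return -1;

	case -1:
		plog(LLV_ERROR, LOCATION, NULL,
		    "rad_send_request failed: %s\n",
		    rad_strerror(radius_auth_state));
		return -1;

	default:
		plog(LLV_ERROR, LOCATION, NULL,
		    "rad_send_request returned %d\n", res);
		return -1;
	}
}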
631 #endif
632 
633 #ifdef HAVE_LIBPAM
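/*ARGSUSED*/
/*
 * PAM conversation callback.
 *
 * Answers echo-on prompts with PAM_usr and echo-off prompts with PAM_pwd
 * (both set by xauth_login_pam() only around pam_authenticate()), skips
 * informational/error messages and fails on any other message style.
 * The response array and its strings are allocated for libpam, which
 * frees them.  Returns PAM_SUCCESS, or PAM_CONV_ERR when a prompt cannot
 * be answered or memory runs out — in which case everything built so far
 * is released here.
 */
static int
PAM_conv(int msg_count, const struct pam_message **msg,
    struct pam_response **rsp, void *dontcare __unused)
{
	int i;
	struct pam_response *reply;

	if (msg_count <= 0)
		return PAM_CONV_ERR;

	/* calloc: every resp starts NULL, so cleanup below is uniform. */
	if ((reply = racoon_calloc(msg_count, sizeof(*reply))) == NULL)
		return PAM_CONV_ERR;

	for (i = 0; i < msg_count; i++) {
		const char *answer = NULL;

		switch (msg[i]->msg_style) {
		case PAM_PROMPT_ECHO_ON:
			answer = PAM_usr;
			break;

		case PAM_PROMPT_ECHO_OFF:
			answer = PAM_pwd;
			break;

		case PAM_TEXT_INFO:
		case PAM_ERROR_MSG:
			/* Nothing to answer; resp stays NULL. */
			reply[i].resp_retcode = PAM_SUCCESS;
			continue;

		default:
			goto fail;
		}

		/*
		 * A prompt outside pam_authenticate() (e.g. from
		 * pam_acct_mgmt() or pam_setcred()) finds PAM_usr/PAM_pwd
		 * cleared; refuse it rather than strdup(NULL).
		 */
		if (answer == NULL) {
			plog(LLV_ERROR, LOCATION, NULL,
			    "PAM prompt with no credentials available\n");
			goto fail;
		}

		reply[i].resp_retcode = PAM_SUCCESS;
		if ((reply[i].resp = strdup(answer)) == NULL) {
			plog(LLV_ERROR, LOCATION, NULL, "strdup failed\n");
			goto fail;
		}
	}

	*rsp = reply;
	return PAM_SUCCESS;

fail:
	for (i = 0; i < msg_count; i++) {
		if (reply[i].resp != NULL) {
			/* One of these may be the password copy; scrub before release. */
			explicit_bzero(reply[i].resp, strlen(reply[i].resp));
			free(reply[i].resp);
		}
	}
	racoon_free(reply);
	return PAM_CONV_ERR;
}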
686 
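/*
 * Authenticate usr/pwd through the PAM service "racoon".
 *
 * The PAM handle is stored in isakmp_cfg_config.port_pool[port].pam and is
 * left open on success (presumably ended when the port is released — not
 * visible here); on any failure it is ended and cleared.  raddr is exported
 * to modules as PAM_RHOST and usr as PAM_RUSER.  PAM_usr/PAM_pwd are made
 * visible to PAM_conv() only for the duration of pam_authenticate().
 *
 * port must be a valid index into port_pool (callers obtain it from
 * isakmp_cfg_getport()).  Returns 0 when authenticate, acct_mgmt and
 * setcred all succeed, -1 otherwise.
 */
int
xauth_login_pam(int port, struct sockaddr *raddr, char *usr, char *pwd)
{
	int error;
	char *remote = NULL;
	pam_handle_t *pam = NULL;

	if (isakmp_cfg_config.port_pool == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "isakmp_cfg_config.port_pool == NULL\n");
		return -1;
	}

	error = pam_start("racoon", usr, &PAM_chat,
	    &isakmp_cfg_config.port_pool[port].pam);
	/*
	 * Take the handle now, whatever pam_start() returned: the error
	 * path below must pam_end() it whenever one was created.
	 */
	pam = isakmp_cfg_config.port_pool[port].pam;
	if (error != 0) {
		if (pam == NULL) {
			plog(LLV_ERROR, LOCATION, NULL, "pam_start failed\n");
			return -1;
		}
		plog(LLV_ERROR, LOCATION, NULL,
		    "pam_start failed: %s\n", pam_strerror(pam, error));
		goto out;
	}

	if ((remote = strdup(saddrwop2str(raddr))) == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "cannot allocate memory: %s\n", strerror(errno));
		goto out;
	}

	if ((error = pam_set_item(pam, PAM_RHOST, remote)) != 0) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "pam_set_item failed: %s\n",
		    pam_strerror(pam, error));
		goto out;
	}

	if ((error = pam_set_item(pam, PAM_RUSER, usr)) != 0) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "pam_set_item failed: %s\n",
		    pam_strerror(pam, error));
		goto out;
	}

	/* Credentials are visible to PAM_conv() only across this call. */
	PAM_usr = usr;
	PAM_pwd = pwd;
	error = pam_authenticate(pam, 0);
	PAM_usr = NULL;
	PAM_pwd = NULL;
	if (error != 0) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "pam_authenticate failed: %s\n",
		    pam_strerror(pam, error));
		goto out;
	}

	if ((error = pam_acct_mgmt(pam, 0)) != 0) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "pam_acct_mgmt failed: %s\n",
		    pam_strerror(pam, error));
		goto out;
	}

	if ((error = pam_setcred(pam, 0)) != 0) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "pam_setcred failed: %s\n",
		    pam_strerror(pam, error));
		goto out;
	}

	free(remote);
	return 0;

out:
	pam_end(pam, error);
	isakmp_cfg_config.port_pool[port].pam = NULL;
	free(remote);
	return -1;
}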
773 #endif
774 
775 #ifdef HAVE_LIBLDAP
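/*
 * Copy a NUL-terminated default string into a freshly allocated vchar_t.
 *
 * The buffer is sized strlen(s) + 1 and the terminator is copied along
 * with the text: the consumers of these values (the URL and filter
 * builders in xauth_login_ldap() / xauth_group_ldap()) call strlen() and
 * "%s"-format ->v, so the string must be terminated inside the buffer.
 * Nothing in this file guarantees that a vmalloc()ed buffer of exactly
 * strlen(s) bytes is followed by a NUL, hence the extra byte (->l counts
 * the terminator as a consequence).
 *
 * Returns the new vchar_t, or NULL if vmalloc() failed.
 */
static vchar_t *
xauth_ldap_dflt_str(const char *s)
{
	size_t len = strlen(s);
	vchar_t *vp = vmalloc(len + 1);

	if (vp == NULL)
		return NULL;
	memcpy(vp->v, s, len + 1);	/* includes the terminating NUL */
	return vp;
}

/*
 * Reset xauth_ldap_config to its built-in defaults: protocol version 3,
 * no debugging, no network timeout, host LDAP_DFLT_HOST on LDAP_PORT,
 * no TLS, simple authentication, anonymous bind, one-level search scope
 * and the LDAP_DFLT_* attribute names.
 *
 * Returns 0 on success, -1 if one of the default strings could not be
 * allocated (an error is logged). On failure the strings allocated so
 * far are left in place and the remaining ones stay NULL.
 */
int
xauth_ldap_init_conf(void)
{
	int error = -1;

	xauth_ldap_config.pver = 3;
	xauth_ldap_config.debug = 0;
	xauth_ldap_config.timeout = -1;
	xauth_ldap_config.uri = NULL;
	xauth_ldap_config.host = NULL;
	xauth_ldap_config.port = LDAP_PORT;
	xauth_ldap_config.tls = 0;
	xauth_ldap_config.base = NULL;
	xauth_ldap_config.subtree = 0;
	xauth_ldap_config.bind_dn = NULL;
	xauth_ldap_config.bind_pw = NULL;
	xauth_ldap_config.auth_type = LDAP_AUTH_SIMPLE;
	xauth_ldap_config.attr_user = NULL;
	xauth_ldap_config.attr_addr = NULL;
	xauth_ldap_config.attr_mask = NULL;
	xauth_ldap_config.attr_group = NULL;
	xauth_ldap_config.attr_member = NULL;

	/* set default host */
	xauth_ldap_config.host = xauth_ldap_dflt_str(LDAP_DFLT_HOST);
	if (xauth_ldap_config.host == NULL)
		goto out;

	/* set default user naming attribute */
	xauth_ldap_config.attr_user = xauth_ldap_dflt_str(LDAP_DFLT_USER);
	if (xauth_ldap_config.attr_user == NULL)
		goto out;

	/* set default address attribute */
	xauth_ldap_config.attr_addr = xauth_ldap_dflt_str(LDAP_DFLT_ADDR);
	if (xauth_ldap_config.attr_addr == NULL)
		goto out;

	/* set default netmask attribute */
	xauth_ldap_config.attr_mask = xauth_ldap_dflt_str(LDAP_DFLT_MASK);
	if (xauth_ldap_config.attr_mask == NULL)
		goto out;

	/* set default group naming attribute */
	xauth_ldap_config.attr_group = xauth_ldap_dflt_str(LDAP_DFLT_GROUP);
	if (xauth_ldap_config.attr_group == NULL)
		goto out;

	/* set default member attribute */
	xauth_ldap_config.attr_member = xauth_ldap_dflt_str(LDAP_DFLT_MEMBER);
	if (xauth_ldap_config.attr_member == NULL)
		goto out;

	error = 0;
out:
	if (error != 0)
		plog(LLV_ERROR, LOCATION, NULL, "cannot allocate memory\n");

	return error;
}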
849 
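/*
 * racoon_malloc()-backed copy of a NUL-terminated string; the caller
 * releases it with racoon_free(). Returns NULL on allocation failure.
 */
static char *
xauth_ldap_strdup(const char *s)
{
	size_t len = strlen(s) + 1;
	char *copy = racoon_malloc(len);

	if (copy != NULL)
		memcpy(copy, s, len);
	return copy;
}

/*
 * Escape a string for use as an assertion value inside an LDAP search
 * filter (RFC 4515 section 3): '*', '(', ')' and '\' are replaced by
 * their "\xx" hexadecimal form so that text the daemon does not control
 * (the Xauth user name sent by the peer, a DN returned by the directory)
 * is matched literally and cannot change the structure of the filter.
 *
 * Returns a racoon_malloc()ed NUL-terminated string the caller frees with
 * racoon_free(), or NULL if memory could not be allocated.
 */
static char *
xauth_ldap_filter_escape(const char *s)
{
	static const char hex[] = "0123456789abcdef";
	size_t len = strlen(s);
	size_t i, j;
	char *out;

	/* worst case every input byte expands to three output bytes */
	if (len > ((size_t)-1 - 1) / 3)
		return NULL;
	out = racoon_malloc(len * 3 + 1);
	if (out == NULL)
		return NULL;

	for (i = 0, j = 0; i < len; i++) {
		unsigned char c = (unsigned char)s[i];

		switch (c) {
		case '*':
		case '(':
		case ')':
		case '\\':
			out[j++] = '\\';
			out[j++] = hex[c >> 4];
			out[j++] = hex[c & 0x0f];
			break;
		default:
			out[j++] = (char)c;
			break;
		}
	}
	out[j] = '\0';
	return out;
}

/*
 * Build the URL handed to ldap_initialize(): the configured uri verbatim
 * when one is set, otherwise "ldap://host:port" from the configured host
 * and port. Both xauth_login_ldap() and xauth_group_ldap() use this, so
 * the group lookup follows the same ldap_uri setting as the login.
 *
 * Returns a racoon_malloc()ed string, or NULL after logging an error.
 */
static char *
xauth_ldap_build_url(void)
{
	char *url;
	size_t len;
	int n;

	if (xauth_ldap_config.uri != NULL) {
		url = xauth_ldap_strdup(xauth_ldap_config.uri->v);
		if (url == NULL)
			plog(LLV_ERROR, LOCATION, NULL,
				"unable to alloc ldap init url\n");
		return url;
	}

	if (xauth_ldap_config.host == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"no ldap host or uri configured\n");
		return NULL;
	}

	/* "ldap://" + host + ":" + a decimal int (at most 11 chars) + NUL */
	len = strlen("ldap://:") + 17;
	len += strlen(xauth_ldap_config.host->v);
	url = racoon_malloc(len);
	if (url == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"unable to alloc ldap init url\n");
		return NULL;
	}
	n = snprintf(url, len, "ldap://%s:%d",
		xauth_ldap_config.host->v,
		xauth_ldap_config.port);
	if (n < 0 || (size_t)n >= len) {
		plog(LLV_ERROR, LOCATION, NULL,
			"unable to build ldap init url\n");
		racoon_free(url);
		return NULL;
	}
	return url;
}

/*
 * Open a connection to the directory according to xauth_ldap_config and
 * perform the service bind: debug level, URL, protocol version, optional
 * network timeout, optional STARTTLS, then a simple bind with
 * bind_dn/bind_pw when both are configured and an anonymous simple bind
 * otherwise. Every failure is logged here.
 *
 * On success *ldp holds the handle (the caller unbinds it) and 0 is
 * returned. On failure *ldp is NULL, any partially set-up handle has
 * been unbound, and -1 is returned.
 */
static int
xauth_ldap_connect(LDAP **ldp)
{
	LDAP *ld = NULL;
	char *url;
	struct berval cred;
	int res;

	*ldp = NULL;

	url = xauth_ldap_build_url();
	if (url == NULL)
		return -1;

	/* initialize the debug level */
	ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, &xauth_ldap_config.debug);
	ber_set_option(NULL, LBER_OPT_DEBUG_LEVEL, &xauth_ldap_config.debug);

	plog(LLV_DEBUG, LOCATION, NULL, "ldap URI: %s\n", url);
	/* initialize the ldap handle */
	res = ldap_initialize(&ld, url);
	racoon_free(url);
	if (res != LDAP_SUCCESS) {
		plog(LLV_ERROR, LOCATION, NULL,
			"ldap_initialize failed: %s\n",
			ldap_err2string(res));
		return -1;
	}

	/* initialize the protocol version */
	if ((res = ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION,
		&xauth_ldap_config.pver)) != LDAP_OPT_SUCCESS) {
		plog(LLV_ERROR, LOCATION, NULL,
			"LDAP_OPT_PROTOCOL_VERSION %d failed: %s\n",
			xauth_ldap_config.pver,
			ldap_err2string(res));
		goto fail;
	}

	if (xauth_ldap_config.timeout > 0) {
		/* static as in the original code, in case the library keeps the pointer */
		static struct timeval timeout1;
		timeout1.tv_sec = xauth_ldap_config.timeout;
		timeout1.tv_usec = 0;
		if ((res = ldap_set_option(ld, LDAP_OPT_NETWORK_TIMEOUT,
			(void *)&timeout1)) != LDAP_OPT_SUCCESS) {
			plog(LLV_ERROR, LOCATION, NULL,
				"LDAP_OPT_NETWORK_TIMEOUT %d failed: %s\n",
				xauth_ldap_config.timeout,
				ldap_err2string(res));
			goto fail;
		}
	}

	/* Enable TLS */
	if (xauth_ldap_config.tls) {
		res = ldap_start_tls_s(ld, NULL, NULL);
		if (res != LDAP_SUCCESS) {
			plog(LLV_ERROR, LOCATION, NULL,
			     "ldap_start_tls_s failed: %s\n",
			     ldap_err2string(res));
			goto fail;
		}
	}

	/*
	 * attempt to bind to the ldap server.
	 * default to anonymous bind unless a
	 * user dn and password has been
	 * specified in our configuration
	 */
	if ((xauth_ldap_config.bind_dn != NULL) &&
	    (xauth_ldap_config.bind_pw != NULL)) {
		cred.bv_val = xauth_ldap_config.bind_pw->v;
		cred.bv_len = strlen(cred.bv_val);
		res = ldap_sasl_bind_s(ld,
			xauth_ldap_config.bind_dn->v, LDAP_SASL_SIMPLE, &cred,
			NULL, NULL, NULL);
	} else {
		cred.bv_val = NULL;
		cred.bv_len = 0;
		res = ldap_sasl_bind_s(ld,
			NULL, LDAP_SASL_SIMPLE, &cred,
			NULL, NULL, NULL);
	}

	if (res != LDAP_SUCCESS) {
		plog(LLV_ERROR, LOCATION, NULL,
			"ldap_sasl_bind_s (search) failed: %s\n",
			ldap_err2string(res));
		goto fail;
	}

	*ldp = ld;
	return 0;

fail:
	ldap_unbind_ext_s(ld, NULL, NULL);
	return -1;
}

/*
 * Authenticate an Xauth user against the directory.
 *
 * The user entry is located with the service bind by searching for
 * "attr_user=<usr>" under the configured base (the user name is escaped
 * first, see xauth_ldap_filter_escape()); the DN of the first entry is
 * cached in iph1->mode_cfg->xauth.udn for the later group check and the
 * optional attr_addr / attr_mask values are stored as the mode config
 * address and netmask. Finally a simple bind as that DN with pwd decides
 * the result.
 *
 * Returns 0 when the user bind succeeds, -1 otherwise (errors logged).
 */
int
xauth_login_ldap(struct ph1handle *iph1, char *usr, char *pwd)
{
	int rtn = -1;
	int res;
	int n;
	LDAP *ld = NULL;
	LDAPMessage *lr = NULL;
	LDAPMessage *le = NULL;
	struct berval cred;
	struct berval **bv = NULL;
	struct timeval timeout;
	char *filter = NULL;
	char *escusr = NULL;
	char *atlist[3] = { NULL, NULL, NULL };
	char *basedn = NULL;
	char *userdn = NULL;
	char *udn;
	size_t tmplen;
	int ecount;
	int scope = LDAP_SCOPE_ONE;

	if (usr == NULL || pwd == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"ldap xauth: user name or password missing\n");
		return -1;
	}

	/*
	 * A simple bind that carries a DN but an empty password is an
	 * "unauthenticated" bind (RFC 4513 section 5.1.2) which a server
	 * may accept without checking anything, so an empty Xauth password
	 * must never reach the user bind below.
	 */
	if (pwd[0] == '\0') {
		plog(LLV_ERROR, LOCATION, NULL,
			"ldap xauth: empty password rejected for user \'%s\'\n",
			usr);
		return -1;
	}

	/* connection set-up and service bind; failures are logged there */
	if (xauth_ldap_connect(&ld) != 0)
		return -1;

	/* build an ldap user search filter from the escaped user name */
	escusr = xauth_ldap_filter_escape(usr);
	if (escusr == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"unable to alloc ldap search filter buffer\n");
		goto ldap_end;
	}
	tmplen = strlen(xauth_ldap_config.attr_user->v) + 1;
	tmplen += strlen(escusr) + 1;
	filter = racoon_malloc(tmplen);
	if (filter == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"unable to alloc ldap search filter buffer\n");
		goto ldap_end;
	}
	n = snprintf(filter, tmplen, "%s=%s",
		xauth_ldap_config.attr_user->v, escusr);
	if (n < 0 || (size_t)n >= tmplen) {
		plog(LLV_ERROR, LOCATION, NULL,
			"unable to build ldap search filter\n");
		goto ldap_end;
	}

	/* build our return attribute list */
	atlist[0] = xauth_ldap_strdup(xauth_ldap_config.attr_addr->v);
	atlist[1] = xauth_ldap_strdup(xauth_ldap_config.attr_mask->v);
	if ((atlist[0] == NULL) || (atlist[1] == NULL)) {
		plog(LLV_ERROR, LOCATION, NULL,
			"unable to alloc ldap attrib list buffer\n");
		goto ldap_end;
	}

	/* attempt to locate the user dn */
	if (xauth_ldap_config.base != NULL)
		basedn = xauth_ldap_config.base->v;
	if (xauth_ldap_config.subtree)
		scope = LDAP_SCOPE_SUBTREE;
	timeout.tv_sec = 15;
	timeout.tv_usec = 0;
	res = ldap_search_ext_s(ld, basedn, scope,
		filter, atlist, 0, NULL, NULL,
		&timeout, 2, &lr);
	if (res != LDAP_SUCCESS) {
		plog(LLV_ERROR, LOCATION, NULL,
			"ldap_search_ext_s failed: %s\n",
			ldap_err2string(res));
		goto ldap_end;
	}

	/* check the number of ldap entries returned */
	ecount = ldap_count_entries(ld, lr);
	if (ecount < 1) {
		plog(LLV_WARNING, LOCATION, NULL,
			"no ldap results for filter \'%s\'\n",
			 filter);
		goto ldap_end;
	}
	if (ecount > 1) {
		plog(LLV_WARNING, LOCATION, NULL,
			"multiple (%i) ldap results for filter \'%s\'\n",
			ecount, filter);
	}

	/* obtain the dn from the first result */
	le = ldap_first_entry(ld, lr);
	if (le == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"ldap_first_entry failed: invalid entry returned\n");
		goto ldap_end;
	}
	userdn = ldap_get_dn(ld, le);
	if (userdn == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"ldap_get_dn failed: invalid string returned\n");
		goto ldap_end;
	}

	/* cache the user dn in the xauth state */
	udn = xauth_ldap_strdup(userdn);
	if (udn == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"unable to alloc ldap user dn\n");
		goto ldap_end;
	}
	/*
	 * NOTE(review): as in the original code a previous xauth.udn is
	 * overwritten without being freed; its lifetime is managed by the
	 * mode config code outside this file.
	 */
	iph1->mode_cfg->xauth.udn = udn;

	/* retrieve modecfg address */
	bv = ldap_get_values_len(ld, le, xauth_ldap_config.attr_addr->v);
	if (bv != NULL) {
		char tmpaddr[16];
		struct in_addr addr;

		/* sanity check: a dotted quad is 7 to 15 characters */
		if (bv[0] == NULL ||
		    (bv[0]->bv_len < 7) || (bv[0]->bv_len > 15)) {
			plog(LLV_DEBUG, LOCATION, NULL,
				"ldap returned invalid modecfg address\n");
			ldap_value_free_len(bv);
			goto ldap_end;
		}
		memcpy(tmpaddr, bv[0]->bv_val, bv[0]->bv_len);
		tmpaddr[bv[0]->bv_len] = '\0';
		/*
		 * inet_pton() reports a malformed value; inet_addr() would
		 * have returned INADDR_NONE (255.255.255.255) and that
		 * would have been installed as the address.
		 */
		if (inet_pton(AF_INET, tmpaddr, &addr) != 1) {
			plog(LLV_DEBUG, LOCATION, NULL,
				"ldap returned invalid modecfg address\n");
			ldap_value_free_len(bv);
			goto ldap_end;
		}
		iph1->mode_cfg->addr4.s_addr = addr.s_addr;
		iph1->mode_cfg->flags |= ISAKMP_CFG_ADDR4_EXTERN;
		plog(LLV_INFO, LOCATION, NULL,
			"ldap returned modecfg address %s\n", tmpaddr);
		ldap_value_free_len(bv);
	}

	/* retrieve modecfg netmask */
	bv = ldap_get_values_len(ld, le, xauth_ldap_config.attr_mask->v);
	if (bv != NULL) {
		char tmpmask[16];
		struct in_addr mask;

		/* sanity check: a dotted quad is 7 to 15 characters */
		if (bv[0] == NULL ||
		    (bv[0]->bv_len < 7) || (bv[0]->bv_len > 15)) {
			plog(LLV_DEBUG, LOCATION, NULL,
				"ldap returned invalid modecfg netmask\n");
			ldap_value_free_len(bv);
			goto ldap_end;
		}
		memcpy(tmpmask, bv[0]->bv_val, bv[0]->bv_len);
		tmpmask[bv[0]->bv_len] = '\0';
		/* same reasoning as for the address: INADDR_NONE is a valid mask */
		if (inet_pton(AF_INET, tmpmask, &mask) != 1) {
			plog(LLV_DEBUG, LOCATION, NULL,
				"ldap returned invalid modecfg netmask\n");
			ldap_value_free_len(bv);
			goto ldap_end;
		}
		iph1->mode_cfg->mask4.s_addr = mask.s_addr;
		iph1->mode_cfg->flags |= ISAKMP_CFG_MASK4_EXTERN;
		plog(LLV_INFO, LOCATION, NULL,
			"ldap returned modecfg netmask %s\n", tmpmask);
		ldap_value_free_len(bv);
	}

	/*
	 * finally, use the dn and the xauth
	 * password to check the users given
	 * credentials by attempting to bind
	 * to the ldap server
	 */
	plog(LLV_INFO, LOCATION, NULL,
		"attempting ldap bind for dn \'%s\'\n", userdn);
	cred.bv_val = pwd;
	cred.bv_len = strlen(cred.bv_val);
	res = ldap_sasl_bind_s(ld,
		userdn, LDAP_SASL_SIMPLE, &cred,
		NULL, NULL, NULL);
	if (res == LDAP_SUCCESS)
		rtn = 0;
	else
		plog(LLV_ERROR, LOCATION, NULL,
			"ldap_sasl_bind_s (user) failed: %s\n",
			ldap_err2string(res));

ldap_end:

	/* free ldap resources */
	if (userdn != NULL)
		ldap_memfree(userdn);
	if (atlist[0] != NULL)
		racoon_free(atlist[0]);
	if (atlist[1] != NULL)
		racoon_free(atlist[1]);
	if (filter != NULL)
		racoon_free(filter);
	if (escusr != NULL)
		racoon_free(escusr);
	if (lr != NULL)
		ldap_msgfree(lr);

	/* ld stays NULL when xauth_ldap_connect() failed */
	if (ld != NULL)
		ldap_unbind_ext_s(ld, NULL, NULL);

	return rtn;
}

/*
 * LDAP group membership check used by group_check() when the group
 * source is ISAKMP_CFG_GROUP_LDAP.
 *
 * udn is the user DN cached in the xauth state by xauth_login_ldap(); grp
 * is a group name from the remote configuration. The service bind runs a
 * search for "(&(attr_group=grp)(attr_member=udn))" under the configured
 * base; the user is a member when at least one entry comes back, the DN
 * of that entry is only fetched for the log.
 *
 * Returns 0 when a matching group entry exists, -1 otherwise (errors are
 * logged).
 */
static int
xauth_group_ldap(char * udn, char * grp)
{
	int rtn = -1;
	int res;
	int n;
	LDAP *ld = NULL;
	LDAPMessage *lr = NULL;
	LDAPMessage *le = NULL;
	struct timeval timeout;
	char *filter = NULL;
	char *escudn = NULL;
	char *basedn = NULL;
	char *groupdn = NULL;
	size_t tmplen;
	int ecount;
	int scope = LDAP_SCOPE_ONE;

	/*
	 * xauth.udn is only filled in by xauth_login_ldap(); when the login
	 * went through another backend it is NULL and the check has to
	 * fail rather than dereference it.
	 */
	if (udn == NULL || grp == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"ldap group check without a user dn or group name\n");
		return -1;
	}

	/* connection set-up and service bind; failures are logged there */
	if (xauth_ldap_connect(&ld) != 0)
		return -1;

	/*
	 * build an ldap group search filter. The DN is escaped because its
	 * RFC 4514 string form may contain backslashes and parentheses that
	 * are significant inside a filter; the group name comes from the
	 * administrator's configuration and is used as written.
	 */
	escudn = xauth_ldap_filter_escape(udn);
	if (escudn == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"unable to alloc ldap search filter buffer\n");
		goto ldap_group_end;
	}
	tmplen = strlen("(&(=)(=))") + 1;
	tmplen += strlen(xauth_ldap_config.attr_group->v);
	tmplen += strlen(grp);
	tmplen += strlen(xauth_ldap_config.attr_member->v);
	tmplen += strlen(escudn);
	filter = racoon_malloc(tmplen);
	if (filter == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"unable to alloc ldap search filter buffer\n");
		goto ldap_group_end;
	}
	n = snprintf(filter, tmplen, "(&(%s=%s)(%s=%s))",
		xauth_ldap_config.attr_group->v, grp,
		xauth_ldap_config.attr_member->v, escudn);
	if (n < 0 || (size_t)n >= tmplen) {
		plog(LLV_ERROR, LOCATION, NULL,
			"unable to build ldap search filter\n");
		goto ldap_group_end;
	}

	/* attempt to locate the group dn */
	if (xauth_ldap_config.base != NULL)
		basedn = xauth_ldap_config.base->v;
	if (xauth_ldap_config.subtree)
		scope = LDAP_SCOPE_SUBTREE;
	timeout.tv_sec = 15;
	timeout.tv_usec = 0;
	res = ldap_search_ext_s(ld, basedn, scope,
		filter, NULL, 0, NULL, NULL,
		&timeout, 2, &lr);
	if (res != LDAP_SUCCESS) {
		plog(LLV_ERROR, LOCATION, NULL,
			"ldap_search_ext_s failed: %s\n",
			ldap_err2string(res));
		goto ldap_group_end;
	}

	/* check the number of ldap entries returned */
	ecount = ldap_count_entries(ld, lr);
	if (ecount < 1) {
		plog(LLV_WARNING, LOCATION, NULL,
			"no ldap results for filter \'%s\'\n",
			 filter);
		goto ldap_group_end;
	}

	/*
	 * success: the filter already required attr_member=udn, so a
	 * matching entry proves membership. Fetching the entry's DN below
	 * is for the log only and does not change the result.
	 */
	rtn = 0;

	/* obtain the dn from the first result */
	le = ldap_first_entry(ld, lr);
	if (le == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"ldap_first_entry failed: invalid entry returned\n");
		goto ldap_group_end;
	}
	groupdn = ldap_get_dn(ld, le);
	if (groupdn == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"ldap_get_dn failed: invalid string returned\n");
		goto ldap_group_end;
	}

	plog(LLV_INFO, LOCATION, NULL,
		"ldap membership group returned \'%s\'\n", groupdn);
ldap_group_end:

	/* free ldap resources */
	if (groupdn != NULL)
		ldap_memfree(groupdn);
	if (filter != NULL)
		racoon_free(filter);
	if (escudn != NULL)
		racoon_free(escudn);
	if (lr != NULL)
		ldap_msgfree(lr);

	/* ld stays NULL when xauth_ldap_connect() failed */
	if (ld != NULL)
		ldap_unbind_ext_s(ld, NULL, NULL);

	return rtn;
}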
1291 
1292 #endif
1293 
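/*
 * Constant-time equality test for two NUL-terminated strings.
 *
 * Used to compare the freshly computed crypt() result against the stored
 * hash so that the comparison does not stop at the first differing byte
 * and thereby reveal how much of the stored hash was matched. Only the
 * lengths (a property of the hash format, not of the secret) are
 * compared early.
 *
 * Returns 1 when the strings are equal, 0 otherwise.
 */
static int
xauth_streq_ct(const char *a, const char *b)
{
	size_t la = strlen(a);
	size_t lb = strlen(b);
	unsigned char diff = 0;
	size_t i;

	if (la != lb)
		return 0;
	for (i = 0; i < la; i++)
		diff |= (unsigned char)a[i] ^ (unsigned char)b[i];
	return diff == 0;
}

/*
 * Authenticate an Xauth user against the local account database.
 *
 * The stored hash comes from the shadow file when HAVE_SHADOW_H is set
 * (getspnam() needs the privileges to read it) and from the passwd entry
 * otherwise. uid 0 is always refused, as is an account whose password
 * field is empty, so that a password-less account can never be used for
 * VPN access whatever crypt() makes of an empty setting.
 *
 * Returns 0 when pwd matches the stored hash, -1 otherwise. Nothing is
 * logged here; the caller reports the outcome.
 */
int
xauth_login_system(char *usr, char *pwd)
{
	struct passwd *pw;
	char *cryptpwd;
	char *syscryptpwd;
#ifdef HAVE_SHADOW_H
	struct spwd *spw;
#endif

	if (usr == NULL || pwd == NULL)
		return -1;

#ifdef HAVE_SHADOW_H
	if ((spw = getspnam(usr)) == NULL)
		return -1;

	syscryptpwd = spw->sp_pwdp;
#endif

	if ((pw = getpwnam(usr)) == NULL)
		return -1;

#ifndef HAVE_SHADOW_H
	syscryptpwd = pw->pw_passwd;
#endif

	/* No root login. Ever. */
	if (pw->pw_uid == 0)
		return -1;

	/* No password-less accounts either. */
	if (syscryptpwd == NULL || syscryptpwd[0] == '\0')
		return -1;

	if ((cryptpwd = crypt(pwd, syscryptpwd)) == NULL)
		return -1;

	return xauth_streq_ct(cryptpwd, syscryptpwd) ? 0 : -1;
}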
1328 
/*
 * System group membership check used by group_check() when the group
 * source is ISAKMP_CFG_GROUP_SYSTEM.
 *
 * Only the supplementary member list (gr_mem) of the group is consulted:
 * an account whose primary gid is this group but which is not listed in
 * gr_mem is not matched.
 *
 * Returns 0 when usr appears in grp's member list, -1 when the group is
 * unknown (logged) or usr is not listed.
 */
static int
xauth_group_system(char *usr, char *grp)
{
	struct group *gr = getgrnam(grp);
	char **member;

	if (gr == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"the system group name \'%s\' is unknown\n",
			grp);
		return -1;
	}

	/* gr_mem is NULL-terminated */
	for (member = gr->gr_mem; *member != NULL; member++) {
		if (strcmp(*member, usr) == 0) {
			plog(LLV_INFO, LOCATION, NULL,
			      "membership validated\n");
			return 0;
		}
	}

	return -1;
}
1354 
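/*
 * Verify, once phase 1 is otherwise complete, that an Xauth-based
 * authentication method actually went through the Xauth exchange.
 *
 * Only the responder-side (edge device) methods are checked: the peer
 * must have announced the Xauth vendor ID and the exchange must have
 * ended in XAUTHST_OK. Every other method, including the initiator side,
 * is accepted as-is.
 *
 * Returns 0 when the negotiated method needs no check or the check
 * passes, -1 (logged) when the Xauth requirements are not met.
 */
int
xauth_check(struct ph1handle *iph1)
{
	struct xauth_state *xst;

	/*
	 * Only the server side (edge device) really check for Xauth
	 * status. It does it if the chose authmethod is using Xauth.
	 * On the client side (roadwarrior), we don't check anything.
	 */
	switch (iph1->approval->authmethod) {
	case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R:
	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R:
	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R:
	/* The following are not yet implemented */
	case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R:
	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R:
	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R:
	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R:
		/*
		 * mode_cfg can be absent (group_check() guards for the same
		 * condition); without it there is no Xauth state to consult,
		 * so fail closed instead of dereferencing NULL.
		 */
		if (iph1->mode_cfg == NULL) {
			plog(LLV_ERROR, LOCATION, NULL,
			    "Hybrid auth negotiated but no mode config "
			    "state is present\n");
			return -1;
		}
		xst = &iph1->mode_cfg->xauth;

		if ((iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) == 0) {
			plog(LLV_ERROR, LOCATION, NULL,
			    "Hybrid auth negotiated but peer did not "
			    "announced as Xauth capable\n");
			return -1;
		}

		if (xst->status != XAUTHST_OK) {
			plog(LLV_ERROR, LOCATION, NULL,
			    "Hybrid auth negotiated but peer did not "
			    "succeed Xauth exchange\n");
			return -1;
		}

		return 0;
	default:
		return 0;
	}
}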
1393 
/*
 * Run one membership test for usr against grp with the configured group
 * source. Returns 0 when usr belongs to grp and -1 otherwise; an unknown
 * group source is logged and counts as "not a member".
 */
static int
xauth_group_lookup(struct ph1handle *iph1, char *usr, char *grp)
{
	switch (isakmp_cfg_config.groupsource) {
	case ISAKMP_CFG_GROUP_SYSTEM:
		return xauth_group_system(usr, grp);

#ifdef HAVE_LIBLDAP
	case ISAKMP_CFG_GROUP_LDAP:
		/* udn was cached by xauth_login_ldap() */
		return xauth_group_ldap(iph1->mode_cfg->xauth.udn, grp);
#endif

	default:
		/* we should never get here */
		plog(LLV_ERROR, LOCATION, NULL,
		    "Unknown group auth source\n");
		return -1;
	}
}

/*
 * Check that the Xauth user of iph1 belongs to at least one of the
 * grp_count groups in grp_list.
 *
 * Requires the mode config and Xauth user name to be present; the groups
 * are tried in order and the first match ends the loop.
 *
 * Returns 0 as soon as one group matches, -1 when none does, when
 * grp_count is 0, or when the mode config / Xauth data is missing
 * (logged).
 */
int
group_check(struct ph1handle *iph1, char **grp_list, int grp_count)
{
	int res = -1;
	int i;
	char *usr;

	/* check for presence of modecfg data */

	if (iph1->mode_cfg == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"xauth group specified but modecfg not found\n");
		return res;
	}

	/* loop through our group list */

	for (i = 0; i < grp_count; i++) {

		/* check for presence of xauth data */

		usr = iph1->mode_cfg->xauth.authdata.generic.usr;

		if (usr == NULL) {
			plog(LLV_ERROR, LOCATION, NULL,
				"xauth group specified but xauth not found\n");
			return res;
		}

		/* call appropriate group validation function */

		res = xauth_group_lookup(iph1, usr, grp_list[i]);

		if (res == 0) {
			plog(LLV_INFO, LOCATION, NULL,
				"user \"%s\" is a member of group \"%s\"\n",
				usr,
				grp_list[i]);
			break;
		}

		plog(LLV_INFO, LOCATION, NULL,
			"user \"%s\" is not a member of group \"%s\"\n",
			usr,
			grp_list[i]);
	}

	return res;
}
1464 
1465 vchar_t *
isakmp_xauth_req(struct ph1handle * iph1,struct isakmp_data * attr)1466 isakmp_xauth_req(struct ph1handle *iph1, struct isakmp_data *attr)
1467 {
1468           int type;
1469           size_t dlen = 0;
1470           int ashort = 0;
1471           int value = 0;
1472           vchar_t *buffer = NULL;
1473           char *mraw = NULL, *mdata;
1474           char *data;
1475           vchar_t *usr = NULL;
1476           vchar_t *pwd = NULL;
1477           size_t skip = 0;
1478           int freepwd = 0;
1479 
1480           if ((iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) == 0) {
1481                     plog(LLV_ERROR, LOCATION, NULL,
1482                         "Xauth mode config request but peer "
1483                         "did not declare itself as Xauth capable\n");
1484                     return NULL;
1485           }
1486 
1487           type = ntohs(attr->type) & ~ISAKMP_GEN_MASK;
1488 
1489           /* Sanity checks */
1490           switch(type) {
1491           case XAUTH_TYPE:
1492                     if ((ntohs(attr->type) & ISAKMP_GEN_TV) == 0) {
1493                               plog(LLV_ERROR, LOCATION, NULL,
1494                                   "Unexpected long XAUTH_TYPE attribute\n");
1495                               return NULL;
1496                     }
1497                     if (ntohs(attr->lorv) != XAUTH_TYPE_GENERIC) {
1498                               plog(LLV_ERROR, LOCATION, NULL,
1499                                   "Unsupported Xauth authentication %d\n",
1500                                   ntohs(attr->lorv));
1501                               return NULL;
1502                     }
1503                     ashort = 1;
1504                     dlen = 0;
1505                     value = XAUTH_TYPE_GENERIC;
1506                     break;
1507 
1508           case XAUTH_USER_NAME:
1509                     if (!iph1->rmconf->xauth || !iph1->rmconf->xauth->login) {
1510                               plog(LLV_ERROR, LOCATION, NULL, "Xauth performed "
1511                                   "with no login supplied\n");
1512                               return NULL;
1513                     }
1514 
1515                     dlen = iph1->rmconf->xauth->login->l - 1;
1516                     iph1->rmconf->xauth->state |= XAUTH_SENT_USERNAME;
1517                     break;
1518 
1519           case XAUTH_USER_PASSWORD:
1520                     if (!iph1->rmconf->xauth || !iph1->rmconf->xauth->login)
1521                               return NULL;
1522 
1523                     skip = sizeof(struct ipsecdoi_id_b);
1524                     usr = vmalloc(iph1->rmconf->xauth->login->l - 1 + skip);
1525                     if (usr == NULL) {
1526                               plog(LLV_ERROR, LOCATION, NULL,
1527                                   "Cannot allocate memory\n");
1528                               return NULL;
1529                     }
1530                     memset(usr->v, 0, skip);
1531                     memcpy(usr->v + skip,
1532                         iph1->rmconf->xauth->login->v,
1533                         iph1->rmconf->xauth->login->l - 1);
1534 
1535                     if (iph1->rmconf->xauth->pass) {
1536                               /* A key given through racoonctl */
1537                               pwd = iph1->rmconf->xauth->pass;
1538                     } else {
1539                               if ((pwd = getpskbyname(usr)) == NULL) {
1540                                         plog(LLV_ERROR, LOCATION, NULL,
1541                                             "No password was found for login %s\n",
1542                                             iph1->rmconf->xauth->login->v);
1543                                         vfree(usr);
1544                                         return NULL;
1545                               }
1546                               /* We have to free it before returning */
1547                               freepwd = 1;
1548                     }
1549                     vfree(usr);
1550 
1551                     iph1->rmconf->xauth->state |= XAUTH_SENT_PASSWORD;
1552                     dlen = pwd->l;
1553 
1554                     break;
1555           case XAUTH_MESSAGE:
1556                     if ((ntohs(attr->type) & ISAKMP_GEN_TV) == 0) {
1557                               dlen = ntohs(attr->lorv);
1558                               if (dlen > 0) {
1559                                         mraw = (char*)(attr + 1);
1560                                         mdata = binsanitize(mraw, dlen);
1561                                         if (mdata == NULL) {
1562                                                   plog(LLV_ERROR, LOCATION, iph1->remote,
1563                                                       "Cannot allocate memory\n");
1564                                                   return NULL;
1565                                         }
1566                                         plog(LLV_NOTIFY,LOCATION, iph1->remote,
1567                                                   "XAUTH Message: '%s'.\n",
1568                                                   mdata);
1569                                         racoon_free(mdata);
1570                               }
1571                     }
1572                     return NULL;
1573           default:
1574                     plog(LLV_WARNING, LOCATION, NULL,
1575                         "Ignored attribute %s\n", s_isakmp_cfg_type(type));
1576                     return NULL;
1577           }
1578 
1579           if ((buffer = vmalloc(sizeof(*attr) + dlen)) == NULL) {
1580                     plog(LLV_ERROR, LOCATION, NULL,
1581                         "Cannot allocate memory\n");
1582                     goto out;
1583           }
1584 
1585           attr = (struct isakmp_data *)buffer->v;
1586           if (ashort) {
1587                     attr->type = htons(type | ISAKMP_GEN_TV);
1588                     attr->lorv = htons(value);
1589                     goto out;
1590           }
1591 
1592           attr->type = htons(type | ISAKMP_GEN_TLV);
1593           attr->lorv = htons(dlen);
1594           data = (char *)(attr + 1);
1595 
1596           switch(type) {
1597           case XAUTH_USER_NAME:
1598                     /*
1599                      * iph1->rmconf->xauth->login->v is valid,
1600                      * we just checked it in the previous switch case
1601                      */
1602                     memcpy(data, iph1->rmconf->xauth->login->v, dlen);
1603                     break;
1604           case XAUTH_USER_PASSWORD:
1605                     memcpy(data, pwd->v, dlen);
1606                     break;
1607           default:
1608                     break;
1609           }
1610 
1611 out:
1612           if (freepwd)
1613                     vfree(pwd);
1614 
1615           return buffer;
1616 }
1617 
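/*
 * Log the text carried by an XAUTH_MESSAGE attribute.
 *
 * Only the long (TLV) form carries a message; a short (TV) form or an
 * empty TLV is accepted silently.  The bytes come straight from the peer,
 * so they go through binsanitize() before reaching the log (presumably it
 * escapes non-printable bytes — confirm in its definition).  The length is
 * read from the attribute header as sent by the peer; this helper assumes
 * the mode-config parser has already checked that the TLV fits inside the
 * received payload — TODO confirm in the caller.
 *
 * Returns 0 on success, -1 if the sanitized copy could not be allocated
 * (an error is logged).
 */
static int
xauth_set_log_message(struct ph1handle *iph1, struct isakmp_data *attr)
{
	size_t dlen;
	char *mraw, *mdata;

	if ((ntohs(attr->type) & ISAKMP_GEN_TV) != 0)
		return 0;

	dlen = ntohs(attr->lorv);
	if (dlen == 0)
		return 0;

	mraw = (char *)(attr + 1);
	mdata = binsanitize(mraw, dlen);
	if (mdata == NULL) {
		plog(LLV_ERROR, LOCATION, iph1->remote,
		    "Cannot allocate memory\n");
		return -1;
	}
	plog(LLV_NOTIFY, LOCATION, iph1->remote,
	    "XAUTH Message: '%s'.\n", mdata);
	racoon_free(mdata);
	return 0;
}

/*
 * Handle one Xauth attribute received in a mode-config SET exchange and
 * build the attribute that acknowledges it.
 *
 * iph1  phase 1 handle of the peer.  iph1->approval->authmethod decides
 *       whether an XAUTH_STATUS may be accepted at all; the outcome of a
 *       status is recorded in iph1->mode_cfg->flags and reported through
 *       evt_phase1().
 * attr  the received attribute, in network byte order.
 *
 * Returns a newly allocated vchar_t holding a short (TV) attribute of the
 * same type with value 0, to be sent back as the ACK; ownership passes to
 * the caller.  Returns NULL when the attribute is rejected, ignored, or on
 * allocation failure — nothing is acknowledged in those cases.
 */
vchar_t *
isakmp_xauth_set(struct ph1handle *iph1, struct isakmp_data *attr)
{
	int type;
	vchar_t *buffer = NULL;

	/*
	 * Xauth attributes are only meaningful from a peer that announced
	 * the Xauth vendor ID during phase 1.
	 */
	if ((iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) == 0) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "Xauth mode config set but peer "
		    "did not declare itself as Xauth capable\n");
		return NULL;
	}

	type = ntohs(attr->type) & ~ISAKMP_GEN_MASK;

	switch (type) {
	case XAUTH_STATUS:
		/*
		 * We should only receive ISAKMP mode_cfg SET XAUTH_STATUS
		 * when running as a client (initiator), i.e. with one of
		 * the initiator-side (_I) auth methods.
		 */
		switch (iph1->approval->authmethod) {
		case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
		case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_I:
		case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I:
		/* Not implemented ... */
		case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I:
		case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I:
		case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I:
		case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I:
			break;
		default:
			/*
			 * The status value has not been examined yet, so the
			 * message must not claim it was XAUTH_STATUS_OK.
			 */
			plog(LLV_ERROR, LOCATION, NULL,
			    "Unexpected XAUTH_STATUS\n");
			return NULL;
		}

		/* If we got a failure, delete iph1 */
		if (ntohs(attr->lorv) != XAUTH_STATUS_OK) {
			plog(LLV_ERROR, LOCATION, NULL,
			    "Xauth authentication failed\n");

			evt_phase1(iph1, EVT_PHASE1_XAUTH_FAILED, NULL);

			/* Only the flag is set here; the teardown itself is
			 * presumably done by whoever inspects the flag. */
			iph1->mode_cfg->flags |= ISAKMP_CFG_DELETE_PH1;
		} else {
			evt_phase1(iph1, EVT_PHASE1_XAUTH_SUCCESS, NULL);
		}

		/* We acknowledge it */
		break;

	case XAUTH_MESSAGE:
		if (xauth_set_log_message(iph1, attr) < 0)
			return NULL;
		break;

	default:
		plog(LLV_WARNING, LOCATION, NULL,
		    "Ignored attribute %s\n", s_isakmp_cfg_type(type));
		return NULL;
	}

	/* The ACK is a short attribute of the same type with value 0. */
	if ((buffer = vmalloc(sizeof(*attr))) == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "Cannot allocate memory\n");
		return NULL;
	}

	attr = (struct isakmp_data *)buffer->v;
	attr->type = htons(type | ISAKMP_GEN_TV);
	attr->lorv = htons(0);

	return buffer;
}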
1709 
1710 
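/*
 * Release the heap data held by a phase 1 Xauth state.
 *
 * Only XAUTH_TYPE_GENERIC (user name / password) owns heap buffers; the
 * other known types are reported as unsupported and any other value as
 * unexpected, and nothing is freed for them.  Freed pointers are reset to
 * NULL so that the struct, which outlives this call, cannot be used to
 * free them a second time.  The struct itself is not freed here.
 *
 * NOTE(review): authdata.generic.pwd holds a cleartext password and is
 * released without being wiped; its length is not visible here (TODO
 * confirm whether it is a NUL-terminated string) so no zeroization is
 * attempted in this function.
 *
 * xst  the Xauth state to clear; must not be NULL.
 */
void
xauth_rmstate(struct xauth_state *xst)
{
	switch (xst->authtype) {
	case XAUTH_TYPE_GENERIC:
		if (xst->authdata.generic.usr) {
			racoon_free(xst->authdata.generic.usr);
			xst->authdata.generic.usr = NULL;
		}

		if (xst->authdata.generic.pwd) {
			racoon_free(xst->authdata.generic.pwd);
			xst->authdata.generic.pwd = NULL;
		}

		break;

	case XAUTH_TYPE_CHAP:
	case XAUTH_TYPE_OTP:
	case XAUTH_TYPE_SKEY:
		plog(LLV_WARNING, LOCATION, NULL,
		    "Unsupported authtype %d\n", xst->authtype);
		break;

	default:
		plog(LLV_WARNING, LOCATION, NULL,
		    "Unexpected authtype %d\n", xst->authtype);
		break;
	}

#ifdef HAVE_LIBLDAP
	if (xst->udn != NULL) {
		racoon_free(xst->udn);
		xst->udn = NULL;
	}
#endif
}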
1743 
/*
 * Ensure *xauth_rmconf points at an Xauth remote-config block, allocating
 * an empty one (no login, no password, state 0) when it is still NULL.
 * An existing block is left untouched.
 *
 * Returns 0 on success, -1 if the allocation failed; in that case an
 * error is logged and *xauth_rmconf remains NULL.
 */
int
xauth_rmconf_used(struct xauth_rmconf **xauth_rmconf)
{
	struct xauth_rmconf *xr = *xauth_rmconf;

	if (xr != NULL)
		return 0;

	xr = racoon_malloc(sizeof(*xr));
	if (xr == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "xauth_rmconf_used: malloc failed\n");
		return -1;
	}

	/* Only these three fields are initialized by this function. */
	xr->login = NULL;
	xr->pass = NULL;
	xr->state = 0;
	*xauth_rmconf = xr;

	return 0;
}
1762 
/*
 * Free the Xauth remote-config block at *xauth_rmconf, including its
 * login and password buffers, and reset the pointer to NULL.  A NULL
 * pointer is a no-op.
 *
 * NOTE(review): pass is a cleartext password buffer released through
 * vfree(); whether vfree() wipes the memory is not visible here — confirm
 * in the vmbuf implementation.
 */
void
xauth_rmconf_delete(struct xauth_rmconf **xauth_rmconf)
{
	struct xauth_rmconf *xr = *xauth_rmconf;

	if (xr == NULL)
		return;

	if (xr->login != NULL)
		vfree(xr->login);
	if (xr->pass != NULL)
		vfree(xr->pass);

	racoon_free(xr);
	*xauth_rmconf = NULL;
}
1778 
/*
 * Deep-copy an Xauth remote-config block.
 *
 * The new block starts as a bit-for-bit copy of the source (so state and
 * any other scalar fields carry over) and then receives its own vdup()'d
 * login and password buffers.  On a partial failure the buffers already
 * copied are released so nothing leaks; the source is never modified.
 *
 * xauth_rmconf  block to copy; NULL yields NULL without logging.
 *
 * Returns the copy, owned by the caller, or NULL on allocation failure
 * (an error naming the failed part is logged).
 */
struct xauth_rmconf *
xauth_rmconf_dup(struct xauth_rmconf *xauth_rmconf)
{
	struct xauth_rmconf *new;

	if (xauth_rmconf == NULL)
		return NULL;

	new = racoon_malloc(sizeof(*new));
	if (new == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "%s: malloc failed\n", __func__);
		return NULL;
	}

	/* Shallow copy first; the owned buffers are replaced below. */
	memcpy(new, xauth_rmconf, sizeof(*new));

	if (xauth_rmconf->login != NULL &&
	    (new->login = vdup(xauth_rmconf->login)) == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "%s: malloc failed (login)\n", __func__);
		goto out;
	}
	if (xauth_rmconf->pass != NULL &&
	    (new->pass = vdup(xauth_rmconf->pass)) == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "%s: malloc failed (password)\n", __func__);
		goto out;
	}

	return new;

out:
	/*
	 * new->login is NULL when it was the login copy that failed;
	 * vfree() is presumably NULL-safe (it is called that way in the
	 * original code too).  new->pass still aliases the source's buffer
	 * on the login-failure path and is deliberately not freed.
	 */
	vfree(new->login);
	racoon_free(new);
	return NULL;
}