xref: /netbsd-src/lib/libpam/modules/pam_radius/pam_radius.c (revision a97560b6443382e82fd5f94e9bc73592eafbcfea) 
1 /*	$NetBSD: pam_radius.c,v 1.8 2014/01/07 02:07:43 joerg Exp $	*/
2 
3 /*-
4  * Copyright 1998 Juniper Networks, Inc.
5  * All rights reserved.
6  * Copyright (c) 2001-2003 Networks Associates Technology, Inc.
7  * All rights reserved.
8  *
9  * Portions of this software were developed for the FreeBSD Project by
10  * ThinkSec AS and NAI Labs, the Security Research Division of Network
11  * Associates, Inc.  under DARPA/SPAWAR contract N66001-01-C-8035
12  * ("CBOSS"), as part of the DARPA CHATS research program.
13  *
14  * Redistribution and use in source and binary forms, with or without
15  * modification, are permitted provided that the following conditions
16  * are met:
17  * 1. Redistributions of source code must retain the above copyright
18  *    notice, this list of conditions and the following disclaimer.
19  * 2. Redistributions in binary form must reproduce the above copyright
20  *    notice, this list of conditions and the following disclaimer in the
21  *    documentation and/or other materials provided with the distribution.
22  * 3. The name of the author may not be used to endorse or promote
23  *    products derived from this software without specific prior written
24  *    permission.
25  *
26  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
27  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
28  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
29  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
30  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
31  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
32  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
33  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
34  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
35  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
36  * SUCH DAMAGE.
37  */
38 
39 #include <sys/cdefs.h>
40 #ifdef __FreeBSD__
41 __FBSDID("$FreeBSD: src/lib/libpam/modules/pam_radius/pam_radius.c,v 1.22 2004/06/25 12:32:45 kan Exp $");
42 #else
43 __RCSID("$NetBSD: pam_radius.c,v 1.8 2014/01/07 02:07:43 joerg Exp $");
44 #endif
45 
46 #include <sys/param.h>
47 #include <sys/types.h>
48 #include <sys/socket.h>
49 #include <netdb.h>
50 #include <pwd.h>
51 #include <radlib.h>
52 #include <stdlib.h>
53 #include <string.h>
54 #include <syslog.h>
55 #include <unistd.h>
56 #include <stdarg.h>
57 
58 #define PAM_SM_AUTH
59 
60 #include <security/pam_appl.h>
61 #include <security/pam_modules.h>
62 #include <security/pam_mod_misc.h>
63 
64 #define PAM_OPT_CONF		"conf"
65 #define PAM_OPT_TEMPLATE_USER	"template_user"
66 #define PAM_OPT_NAS_ID		"nas_id"
67 #define PAM_OPT_NAS_IPADDR	"nas_ipaddr"
68 
69 #define	MAX_CHALLENGE_MSGS	10
70 #define	PASSWORD_PROMPT		"RADIUS Password:"
71 
72 static int	 build_access_request(struct rad_handle *, const char *,
73 		    const char *, const char *, const char *, const void *,
74 		    size_t);
75 static int	 do_accept(pam_handle_t *, struct rad_handle *);
76 static int	 do_challenge(pam_handle_t *, struct rad_handle *,
77 		    const char *);
78 
79 __printflike(2, 3)
80 static void
logit(int level,const char * fmt,...)81 logit(int level, const char *fmt, ...)
82 {
83 	va_list ap;
84 	struct syslog_data data = SYSLOG_DATA_INIT;
85 
86 	openlog_r("pam_radius", LOG_PID, LOG_AUTHPRIV, &data);
87 	va_start(ap, fmt);
88 	vsyslog_r(level, &data, fmt, ap);
89 	va_end(ap);
90 	closelog_r(&data);
91 }
92 
93 /*
94  * Construct an access request, but don't send it.  Returns 0 on success,
95  * -1 on failure.
96  */
97 static int
build_access_request(struct rad_handle * radh,const char * user,const char * pass,const char * nas_id,const char * nas_ipaddr,const void * state,size_t state_len)98 build_access_request(struct rad_handle *radh, const char *user,
99     const char *pass, const char *nas_id, const char *nas_ipaddr,
100     const void *state, size_t state_len)
101 {
102 	int error;
103 	char host[MAXHOSTNAMELEN];
104 	struct sockaddr_in *haddr;
105 	struct addrinfo hints;
106 	struct addrinfo *res;
107 
108 	if (rad_create_request(radh, RAD_ACCESS_REQUEST) == -1) {
109 		logit(LOG_CRIT, "rad_create_request: %s", rad_strerror(radh));
110 		return (-1);
111 	}
112 	if (nas_id == NULL ||
113 	    (nas_ipaddr != NULL && strlen(nas_ipaddr) == 0)) {
114 		if (gethostname(host, sizeof host) != -1) {
115 			if (nas_id == NULL)
116 				nas_id = host;
117 			if (nas_ipaddr != NULL && strlen(nas_ipaddr) == 0)
118 				nas_ipaddr = host;
119 		}
120 	}
121 	if ((user != NULL &&
122 	    rad_put_string(radh, RAD_USER_NAME, user) == -1) ||
123 	    (pass != NULL &&
124 	    rad_put_string(radh, RAD_USER_PASSWORD, pass) == -1) ||
125 	    (nas_id != NULL &&
126 	    rad_put_string(radh, RAD_NAS_IDENTIFIER, nas_id) == -1)) {
127 		logit(LOG_CRIT, "rad_put_string: %s", rad_strerror(radh));
128 		return (-1);
129 	}
130 	if (nas_ipaddr != NULL) {
131 		memset(&hints, 0, sizeof(hints));
132 		hints.ai_family = PF_INET;
133 		if (getaddrinfo(nas_ipaddr, NULL, &hints, &res) == 0 &&
134 		    res != NULL) {
135 			haddr = (struct sockaddr_in *)res->ai_addr;
136 			error = rad_put_addr(radh, RAD_NAS_IP_ADDRESS,
137 			    haddr->sin_addr);
138 			freeaddrinfo(res);
139 			if (error == -1) {
140 				logit(LOG_CRIT, "rad_put_addr: %s",
141 				    rad_strerror(radh));
142 				return (-1);
143 			}
144 		}
145 	}
146 	if (state != NULL && rad_put_attr(radh, RAD_STATE, state,
147 	    state_len) == -1) {
148 		logit(LOG_CRIT, "rad_put_attr: %s", rad_strerror(radh));
149 		return (-1);
150 	}
151 	if (rad_put_int(radh, RAD_SERVICE_TYPE, RAD_AUTHENTICATE_ONLY) == -1) {
152 		logit(LOG_CRIT, "rad_put_int: %s", rad_strerror(radh));
153 		return (-1);
154 	}
155 	return (0);
156 }
157 
158 static int
do_accept(pam_handle_t * pamh,struct rad_handle * radh)159 do_accept(pam_handle_t *pamh, struct rad_handle *radh)
160 {
161 	int attrtype;
162 	const void *attrval;
163 	size_t attrlen;
164 	char *s;
165 
166 	while ((attrtype = rad_get_attr(radh, &attrval, &attrlen)) > 0) {
167 		if (attrtype == RAD_USER_NAME) {
168 			s = rad_cvt_string(attrval, attrlen);
169 			if (s == NULL) {
170 				logit(LOG_CRIT,
171 				    "rad_cvt_string: out of memory");
172 				return (-1);
173 			}
174 			pam_set_item(pamh, PAM_USER, s);
175 			free(s);
176 		}
177 	}
178 	if (attrtype == -1) {
179 		logit(LOG_CRIT, "rad_get_attr: %s", rad_strerror(radh));
180 		return (-1);
181 	}
182 	return (0);
183 }
184 
185 static int
do_challenge(pam_handle_t * pamh,struct rad_handle * radh,const char * user)186 do_challenge(pam_handle_t *pamh, struct rad_handle *radh, const char *user)
187 {
188 	int retval;
189 	int attrtype;
190 	const void *attrval;
191 	size_t attrlen;
192 	const void *state;
193 	size_t statelen;
194 	struct pam_message msgs[MAX_CHALLENGE_MSGS];
195 	const struct pam_message *msg_ptrs[MAX_CHALLENGE_MSGS];
196 	struct pam_response *resp;
197 	int num_msgs;
198 	const void *item;
199 	const struct pam_conv *conv;
200 
201 	state = NULL;
202 	statelen = 0;
203 	num_msgs = 0;
204 	while ((attrtype = rad_get_attr(radh, &attrval, &attrlen)) > 0) {
205 		switch (attrtype) {
206 
207 		case RAD_STATE:
208 			state = attrval;
209 			statelen = attrlen;
210 			break;
211 
212 		case RAD_REPLY_MESSAGE:
213 			if (num_msgs >= MAX_CHALLENGE_MSGS) {
214 				logit(LOG_CRIT,
215 				    "Too many RADIUS challenge messages");
216 				return (PAM_SERVICE_ERR);
217 			}
218 			msgs[num_msgs].msg = rad_cvt_string(attrval, attrlen);
219 			if (msgs[num_msgs].msg == NULL) {
220 				logit(LOG_CRIT,
221 				    "rad_cvt_string: out of memory");
222 				return (PAM_SERVICE_ERR);
223 			}
224 			msgs[num_msgs].msg_style = PAM_TEXT_INFO;
225 			msg_ptrs[num_msgs] = &msgs[num_msgs];
226 			num_msgs++;
227 			break;
228 		}
229 	}
230 	if (attrtype == -1) {
231 		logit(LOG_CRIT, "rad_get_attr: %s", rad_strerror(radh));
232 		return (PAM_SERVICE_ERR);
233 	}
234 	if (num_msgs == 0) {
235 		msgs[num_msgs].msg = strdup("(null RADIUS challenge): ");
236 		if (msgs[num_msgs].msg == NULL) {
237 			logit(LOG_CRIT, "Out of memory");
238 			return (PAM_SERVICE_ERR);
239 		}
240 		msgs[num_msgs].msg_style = PAM_TEXT_INFO;
241 		msg_ptrs[num_msgs] = &msgs[num_msgs];
242 		num_msgs++;
243 	}
244 	msgs[num_msgs-1].msg_style = PAM_PROMPT_ECHO_ON;
245 	if ((retval = pam_get_item(pamh, PAM_CONV, &item)) != PAM_SUCCESS) {
246 		logit(LOG_CRIT, "do_challenge: cannot get PAM_CONV");
247 		return (retval);
248 	}
249 	conv = (const struct pam_conv *)item;
250 	if ((retval = conv->conv(num_msgs, msg_ptrs, &resp,
251 	    conv->appdata_ptr)) != PAM_SUCCESS)
252 		return (retval);
253 	if (build_access_request(radh, user, resp[num_msgs-1].resp, NULL,
254 	    NULL, state, statelen) == -1)
255 		return (PAM_SERVICE_ERR);
256 	memset(resp[num_msgs-1].resp, 0, strlen(resp[num_msgs-1].resp));
257 	free(resp[num_msgs-1].resp);
258 	free(resp);
259 	while (num_msgs > 0)
260 		free(msgs[--num_msgs].msg);
261 	return (PAM_SUCCESS);
262 }
263 
264 PAM_EXTERN int
pam_sm_authenticate(pam_handle_t * pamh,int flags __unused,int argc __unused,const char * argv[]__unused)265 pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
266     int argc __unused, const char *argv[] __unused)
267 {
268 	struct rad_handle *radh;
269 	const char *user, *pass;
270 	const void *tmpuser;
271 	struct passwd *pwd, pwres;
272 	char pwbuf[1024];
273 	const char *conf_file, *template_user, *nas_id, *nas_ipaddr;
274 	int retval;
275 	int e;
276 
277 	conf_file = openpam_get_option(pamh, PAM_OPT_CONF);
278 	template_user = openpam_get_option(pamh, PAM_OPT_TEMPLATE_USER);
279 	nas_id = openpam_get_option(pamh, PAM_OPT_NAS_ID);
280 	nas_ipaddr = openpam_get_option(pamh, PAM_OPT_NAS_IPADDR);
281 
282 	retval = pam_get_user(pamh, &user, NULL);
283 	if (retval != PAM_SUCCESS)
284 		return (retval);
285 
286 	PAM_LOG("Got user: %s", user);
287 
288 	retval = pam_get_authtok(pamh, PAM_AUTHTOK, &pass, PASSWORD_PROMPT);
289 	if (retval != PAM_SUCCESS)
290 		return (retval);
291 
292 	PAM_LOG("Got password");
293 
294 	radh = rad_open();
295 	if (radh == NULL) {
296 		logit(LOG_CRIT, "rad_open failed");
297 		return (PAM_SERVICE_ERR);
298 	}
299 
300 	PAM_LOG("Radius opened");
301 
302 	if (rad_config(radh, conf_file) == -1) {
303 		logit(LOG_ALERT, "rad_config: %s", rad_strerror(radh));
304 		rad_close(radh);
305 		return (PAM_SERVICE_ERR);
306 	}
307 
308 	PAM_LOG("Radius config file read");
309 
310 	if (build_access_request(radh, user, pass, nas_id, nas_ipaddr, NULL,
311 	    0) == -1) {
312 		rad_close(radh);
313 		return (PAM_SERVICE_ERR);
314 	}
315 
316 	PAM_LOG("Radius build access done");
317 
318 	for (;;) {
319 		switch (rad_send_request(radh)) {
320 
321 		case RAD_ACCESS_ACCEPT:
322 			e = do_accept(pamh, radh);
323 			rad_close(radh);
324 			if (e == -1)
325 				return (PAM_SERVICE_ERR);
326 			if (template_user != NULL) {
327 
328 				PAM_LOG("Trying template user: %s",
329 				    template_user);
330 
331 				/*
332 				 * If the given user name doesn't exist in
333 				 * the local password database, change it
334 				 * to the value given in the "template_user"
335 				 * option.
336 				 */
337 				retval = pam_get_item(pamh, PAM_USER, &tmpuser);
338 				if (retval != PAM_SUCCESS)
339 					return (retval);
340 				if (getpwnam_r(tmpuser, &pwres, pwbuf,
341 					       sizeof(pwbuf), &pwd) != 0 ||
342 				    pwd == NULL) {
343 					pam_set_item(pamh, PAM_USER,
344 					    template_user);
345 					PAM_LOG("Using template user");
346 				}
347 
348 			}
349 			return (PAM_SUCCESS);
350 
351 		case RAD_ACCESS_REJECT:
352 			rad_close(radh);
353 			PAM_VERBOSE_ERROR("Radius rejection");
354 			return (PAM_AUTH_ERR);
355 
356 		case RAD_ACCESS_CHALLENGE:
357 			retval = do_challenge(pamh, radh, user);
358 			if (retval != PAM_SUCCESS) {
359 				rad_close(radh);
360 				return (retval);
361 			}
362 			break;
363 
364 		case -1:
365 			logit(LOG_CRIT, "rad_send_request: %s",
366 			    rad_strerror(radh));
367 			rad_close(radh);
368 			PAM_VERBOSE_ERROR("Radius failure");
369 			return (PAM_AUTHINFO_UNAVAIL);
370 
371 		default:
372 			logit(LOG_CRIT,
373 			    "rad_send_request: unexpected return value");
374 			rad_close(radh);
375 			PAM_VERBOSE_ERROR("Radius error");
376 			return (PAM_SERVICE_ERR);
377 		}
378 	}
379 }
380 
381 PAM_EXTERN int
pam_sm_setcred(pam_handle_t * pamh __unused,int flags __unused,int argc __unused,const char * argv[]__unused)382 pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused,
383     int argc __unused, const char *argv[] __unused)
384 {
385 
386 	return (PAM_SUCCESS);
387 }
388 
389 PAM_MODULE_ENTRY("pam_radius");
390