1 /* $NetBSD: isakmp_xauth.c,v 1.13 2007/08/07 04:35:01 manu Exp $ */ 2 3 /* Id: isakmp_xauth.c,v 1.38 2006/08/22 18:17:17 manubsd Exp */ 4 5 /* 6 * Copyright (C) 2004-2005 Emmanuel Dreyfus 7 * All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 3. Neither the name of the project nor the names of its contributors 18 * may be used to endorse or promote products derived from this software 19 * without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 * SUCH DAMAGE. 32 */ 33 34 #include "config.h" 35 36 #include <sys/types.h> 37 #include <sys/param.h> 38 #include <sys/socket.h> 39 #include <sys/queue.h> 40 41 #include <netinet/in.h> 42 43 #include <stdlib.h> 44 #include <stdio.h> 45 #include <string.h> 46 #include <errno.h> 47 #include <pwd.h> 48 #include <grp.h> 49 #if TIME_WITH_SYS_TIME 50 # include <sys/time.h> 51 # include <time.h> 52 #else 53 # if HAVE_SYS_TIME_H 54 # include <sys/time.h> 55 # else 56 # include <time.h> 57 # endif 58 #endif 59 #include <netdb.h> 60 #ifdef HAVE_UNISTD_H 61 #include <unistd.h> 62 #endif 63 #include <ctype.h> 64 #include <resolv.h> 65 66 #ifdef HAVE_SHADOW_H 67 #include <shadow.h> 68 #endif 69 70 #include "var.h" 71 #include "misc.h" 72 #include "vmbuf.h" 73 #include "plog.h" 74 #include "sockmisc.h" 75 #include "schedule.h" 76 #include "debug.h" 77 78 #include "crypto_openssl.h" 79 #include "isakmp_var.h" 80 #include "isakmp.h" 81 #include "admin.h" 82 #include "privsep.h" 83 #include "evt.h" 84 #include "handler.h" 85 #include "throttle.h" 86 #include "remoteconf.h" 87 #include "isakmp_inf.h" 88 #include "isakmp_xauth.h" 89 #include "isakmp_unity.h" 90 #include "isakmp_cfg.h" 91 #include "strnames.h" 92 #include "ipsec_doi.h" 93 #include "remoteconf.h" 94 #include "localconf.h" 95 96 #ifdef HAVE_LIBRADIUS 97 #include <radlib.h> 98 99 struct rad_handle *radius_auth_state = NULL; 100 struct rad_handle *radius_acct_state = NULL; 101 #endif 102 103 #ifdef HAVE_LIBPAM 104 #include <security/pam_appl.h> 105 106 static char *PAM_usr = NULL; 107 static char *PAM_pwd = NULL; 108 static int PAM_conv(int, const struct pam_message **, 109 struct pam_response **, void *); 110 static struct pam_conv PAM_chat = { &PAM_conv, NULL }; 111 #endif 112 113 #ifdef HAVE_LIBLDAP 114 #include "ldap.h" 115 #include <arpa/inet.h> 116 struct xauth_ldap_config xauth_ldap_config; 117 #endif 118 119 void 120 xauth_sendreq(iph1) 121 struct ph1handle *iph1; 122 { 123 vchar_t *buffer; 124 struct isakmp_pl_attr *attr; 125 struct isakmp_data *typeattr; 126 struct isakmp_data *usrattr; 127 struct isakmp_data *pwdattr; 128 struct xauth_state *xst = &iph1->mode_cfg->xauth; 129 size_t tlen; 130 131 /* Status checks */ 132 if (iph1->status != PHASE1ST_ESTABLISHED) { 133 plog(LLV_ERROR, LOCATION, NULL, 134 "Xauth request while phase 1 is not completed\n"); 135 return; 136 } 137 138 if (xst->status != XAUTHST_NOTYET) { 139 plog(LLV_ERROR, LOCATION, NULL, 140 "Xauth request whith Xauth state %d\n", xst->status); 141 return; 142 } 143 144 plog(LLV_INFO, LOCATION, NULL, "Sending Xauth request\n"); 145 146 tlen = sizeof(*attr) + 147 + sizeof(*typeattr) + 148 + sizeof(*usrattr) + 149 + sizeof(*pwdattr); 150 151 if ((buffer = vmalloc(tlen)) == NULL) { 152 plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate buffer\n"); 153 return; 154 } 155 156 attr = (struct isakmp_pl_attr *)buffer->v; 157 memset(attr, 0, tlen); 158 159 attr->h.len = htons(tlen); 160 attr->type = ISAKMP_CFG_REQUEST; 161 attr->id = htons(eay_random()); 162 163 typeattr = (struct isakmp_data *)(attr + 1); 164 typeattr->type = htons(XAUTH_TYPE | ISAKMP_GEN_TV); 165 typeattr->lorv = htons(XAUTH_TYPE_GENERIC); 166 167 usrattr = (struct isakmp_data *)(typeattr + 1); 168 usrattr->type = htons(XAUTH_USER_NAME | ISAKMP_GEN_TLV); 169 usrattr->lorv = htons(0); 170 171 pwdattr = (struct isakmp_data *)(usrattr + 1); 172 pwdattr->type = htons(XAUTH_USER_PASSWORD | ISAKMP_GEN_TLV); 173 pwdattr->lorv = htons(0); 174 175 isakmp_cfg_send(iph1, buffer, 176 ISAKMP_NPTYPE_ATTR, ISAKMP_FLAG_E, 1); 177 178 vfree(buffer); 179 180 xst->status = XAUTHST_REQSENT; 181 182 return; 183 } 184 185 int 186 xauth_attr_reply(iph1, attr, id) 187 struct ph1handle *iph1; 188 struct isakmp_data *attr; 189 int id; 190 { 191 char **outlet = NULL; 192 size_t alen = 0; 193 int type; 194 struct xauth_state *xst = &iph1->mode_cfg->xauth; 195 196 if ((iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) == 0) { 197 plog(LLV_ERROR, LOCATION, NULL, 198 "Xauth reply but peer did not declare " 199 "itself as Xauth capable\n"); 200 return -1; 201 } 202 203 if (xst->status != XAUTHST_REQSENT) { 204 plog(LLV_ERROR, LOCATION, NULL, 205 "Xauth reply while Xauth state is %d\n", xst->status); 206 return -1; 207 } 208 209 type = ntohs(attr->type) & ~ISAKMP_GEN_MASK; 210 switch (type) { 211 case XAUTH_TYPE: 212 switch (ntohs(attr->lorv)) { 213 case XAUTH_TYPE_GENERIC: 214 xst->authtype = XAUTH_TYPE_GENERIC; 215 break; 216 default: 217 plog(LLV_WARNING, LOCATION, NULL, 218 "Unexpected authentication type %d\n", 219 ntohs(type)); 220 return -1; 221 } 222 break; 223 224 case XAUTH_USER_NAME: 225 outlet = &xst->authdata.generic.usr; 226 break; 227 228 case XAUTH_USER_PASSWORD: 229 outlet = &xst->authdata.generic.pwd; 230 break; 231 232 default: 233 plog(LLV_WARNING, LOCATION, NULL, 234 "ignored Xauth attribute %d\n", type); 235 break; 236 } 237 238 if (outlet != NULL) { 239 alen = ntohs(attr->lorv); 240 241 if ((*outlet = racoon_malloc(alen + 1)) == NULL) { 242 plog(LLV_ERROR, LOCATION, NULL, 243 "Cannot allocate memory for Xauth Data\n"); 244 return -1; 245 } 246 247 memcpy(*outlet, attr + 1, alen); 248 (*outlet)[alen] = '\0'; 249 outlet = NULL; 250 } 251 252 253 if ((xst->authdata.generic.usr != NULL) && 254 (xst->authdata.generic.pwd != NULL)) { 255 int port; 256 int res; 257 char *usr = xst->authdata.generic.usr; 258 char *pwd = xst->authdata.generic.pwd; 259 time_t throttle_delay = 0; 260 261 #if 0 /* Real debug, don't do that at home */ 262 plog(LLV_DEBUG, LOCATION, NULL, 263 "Got username \"%s\", password \"%s\"\n", usr, pwd); 264 #endif 265 strncpy(iph1->mode_cfg->login, usr, LOGINLEN); 266 iph1->mode_cfg->login[LOGINLEN] = '\0'; 267 268 res = -1; 269 if ((port = isakmp_cfg_getport(iph1)) == -1) { 270 plog(LLV_ERROR, LOCATION, NULL, 271 "Port pool depleted\n"); 272 goto skip_auth; 273 } 274 275 switch (isakmp_cfg_config.authsource) { 276 case ISAKMP_CFG_AUTH_SYSTEM: 277 res = privsep_xauth_login_system(usr, pwd); 278 break; 279 #ifdef HAVE_LIBRADIUS 280 case ISAKMP_CFG_AUTH_RADIUS: 281 res = xauth_login_radius(iph1, usr, pwd); 282 break; 283 #endif 284 #ifdef HAVE_LIBPAM 285 case ISAKMP_CFG_AUTH_PAM: 286 res = privsep_xauth_login_pam(iph1->mode_cfg->port, 287 iph1->remote, usr, pwd); 288 break; 289 #endif 290 #ifdef HAVE_LIBLDAP 291 case ISAKMP_CFG_AUTH_LDAP: 292 res = xauth_login_ldap(iph1, usr, pwd); 293 break; 294 #endif 295 default: 296 plog(LLV_ERROR, LOCATION, NULL, 297 "Unexpected authentication source\n"); 298 res = -1; 299 break; 300 } 301 302 /* 303 * Optional group authentication 304 */ 305 if (!res && (isakmp_cfg_config.groupcount)) 306 res = group_check(iph1, 307 isakmp_cfg_config.grouplist, 308 isakmp_cfg_config.groupcount); 309 310 /* 311 * On failure, throttle the connexion for the remote host 312 * in order to make password attacks more difficult. 313 */ 314 throttle_delay = throttle_host(iph1->remote, res) - time(NULL); 315 if (throttle_delay > 0) { 316 char *str; 317 318 str = saddrwop2str(iph1->remote); 319 320 plog(LLV_ERROR, LOCATION, NULL, 321 "Throttling in action for %s: delay %lds\n", 322 str, (unsigned long)throttle_delay); 323 res = -1; 324 } else { 325 throttle_delay = 0; 326 } 327 328 skip_auth: 329 if (throttle_delay != 0) { 330 struct xauth_reply_arg *xra; 331 332 if ((xra = racoon_malloc(sizeof(*xra))) == NULL) { 333 plog(LLV_ERROR, LOCATION, NULL, 334 "malloc failed, bypass throttling\n"); 335 return xauth_reply(iph1, port, id, res); 336 } 337 338 /* 339 * We need to store the ph1, but it might have 340 * disapeared when xauth_reply is called, so 341 * store the index instead. 342 */ 343 xra->index = iph1->index; 344 xra->port = port; 345 xra->id = id; 346 xra->res = res; 347 sched_new(throttle_delay, xauth_reply_stub, xra); 348 } else { 349 return xauth_reply(iph1, port, id, res); 350 } 351 } 352 353 return 0; 354 } 355 356 void 357 xauth_reply_stub(args) 358 void *args; 359 { 360 struct xauth_reply_arg *xra = (struct xauth_reply_arg *)args; 361 struct ph1handle *iph1; 362 363 if ((iph1 = getph1byindex(&xra->index)) != NULL) 364 (void)xauth_reply(iph1, xra->port, xra->id, xra->res); 365 else 366 plog(LLV_ERROR, LOCATION, NULL, 367 "Delayed Xauth reply: phase 1 no longer exists.\n"); 368 369 racoon_free(xra); 370 return; 371 } 372 373 int 374 xauth_reply(iph1, port, id, res) 375 struct ph1handle *iph1; 376 int port; 377 int id; 378 { 379 struct xauth_state *xst = &iph1->mode_cfg->xauth; 380 char *usr = xst->authdata.generic.usr; 381 382 if (res != 0) { 383 if (port != -1) 384 isakmp_cfg_putport(iph1, port); 385 386 plog(LLV_INFO, LOCATION, NULL, 387 "login failed for user \"%s\"\n", usr); 388 389 xauth_sendstatus(iph1, XAUTH_STATUS_FAIL, id); 390 xst->status = XAUTHST_NOTYET; 391 392 /* Delete Phase 1 SA */ 393 if (iph1->status == PHASE1ST_ESTABLISHED) 394 isakmp_info_send_d1(iph1); 395 remph1(iph1); 396 delph1(iph1); 397 398 return -1; 399 } 400 401 xst->status = XAUTHST_OK; 402 plog(LLV_INFO, LOCATION, NULL, 403 "login succeeded for user \"%s\"\n", usr); 404 405 xauth_sendstatus(iph1, XAUTH_STATUS_OK, id); 406 407 return 0; 408 } 409 410 void 411 xauth_sendstatus(iph1, status, id) 412 struct ph1handle *iph1; 413 int status; 414 int id; 415 { 416 vchar_t *buffer; 417 struct isakmp_pl_attr *attr; 418 struct isakmp_data *stattr; 419 size_t tlen; 420 421 tlen = sizeof(*attr) + 422 + sizeof(*stattr); 423 424 if ((buffer = vmalloc(tlen)) == NULL) { 425 plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate buffer\n"); 426 return; 427 } 428 429 attr = (struct isakmp_pl_attr *)buffer->v; 430 memset(attr, 0, tlen); 431 432 attr->h.len = htons(tlen); 433 attr->type = ISAKMP_CFG_SET; 434 attr->id = htons(id); 435 436 stattr = (struct isakmp_data *)(attr + 1); 437 stattr->type = htons(XAUTH_STATUS | ISAKMP_GEN_TV); 438 stattr->lorv = htons(status); 439 440 isakmp_cfg_send(iph1, buffer, 441 ISAKMP_NPTYPE_ATTR, ISAKMP_FLAG_E, 1); 442 443 vfree(buffer); 444 445 return; 446 } 447 448 #ifdef HAVE_LIBRADIUS 449 int 450 xauth_radius_init(void) 451 { 452 /* For first time use, initialize Radius */ 453 if ((isakmp_cfg_config.authsource == ISAKMP_CFG_AUTH_RADIUS) && 454 (radius_auth_state == NULL)) { 455 if ((radius_auth_state = rad_auth_open()) == NULL) { 456 plog(LLV_ERROR, LOCATION, NULL, 457 "Cannot init libradius\n"); 458 return -1; 459 } 460 461 if (rad_config(radius_auth_state, NULL) != 0) { 462 plog(LLV_ERROR, LOCATION, NULL, 463 "Cannot open librarius config file: %s\n", 464 rad_strerror(radius_auth_state)); 465 rad_close(radius_auth_state); 466 radius_auth_state = NULL; 467 return -1; 468 } 469 } 470 471 if ((isakmp_cfg_config.accounting == ISAKMP_CFG_ACCT_RADIUS) && 472 (radius_acct_state == NULL)) { 473 if ((radius_acct_state = rad_acct_open()) == NULL) { 474 plog(LLV_ERROR, LOCATION, NULL, 475 "Cannot init libradius\n"); 476 return -1; 477 } 478 479 if (rad_config(radius_acct_state, NULL) != 0) { 480 plog(LLV_ERROR, LOCATION, NULL, 481 "Cannot open librarius config file: %s\n", 482 rad_strerror(radius_acct_state)); 483 rad_close(radius_acct_state); 484 radius_acct_state = NULL; 485 return -1; 486 } 487 } 488 489 return 0; 490 } 491 492 int 493 xauth_login_radius(iph1, usr, pwd) 494 struct ph1handle *iph1; 495 char *usr; 496 char *pwd; 497 { 498 int res; 499 const void *data; 500 size_t len; 501 int type; 502 503 if (rad_create_request(radius_auth_state, RAD_ACCESS_REQUEST) != 0) { 504 plog(LLV_ERROR, LOCATION, NULL, 505 "rad_create_request failed: %s\n", 506 rad_strerror(radius_auth_state)); 507 return -1; 508 } 509 510 if (rad_put_string(radius_auth_state, RAD_USER_NAME, usr) != 0) { 511 plog(LLV_ERROR, LOCATION, NULL, 512 "rad_put_string failed: %s\n", 513 rad_strerror(radius_auth_state)); 514 return -1; 515 } 516 517 if (rad_put_string(radius_auth_state, RAD_USER_PASSWORD, pwd) != 0) { 518 plog(LLV_ERROR, LOCATION, NULL, 519 "rad_put_string failed: %s\n", 520 rad_strerror(radius_auth_state)); 521 return -1; 522 } 523 524 if (isakmp_cfg_radius_common(radius_auth_state, iph1->mode_cfg->port) != 0) 525 return -1; 526 527 switch (res = rad_send_request(radius_auth_state)) { 528 case RAD_ACCESS_ACCEPT: 529 while ((type = rad_get_attr(radius_auth_state, &data, &len)) != 0) { 530 switch (type) { 531 case RAD_FRAMED_IP_ADDRESS: 532 iph1->mode_cfg->addr4 = rad_cvt_addr(data); 533 iph1->mode_cfg->flags 534 |= ISAKMP_CFG_ADDR4_EXTERN; 535 break; 536 537 case RAD_FRAMED_IP_NETMASK: 538 iph1->mode_cfg->mask4 = rad_cvt_addr(data); 539 iph1->mode_cfg->flags 540 |= ISAKMP_CFG_MASK4_EXTERN; 541 break; 542 543 default: 544 plog(LLV_INFO, LOCATION, NULL, 545 "Unexpected attribute: %d\n", type); 546 break; 547 } 548 } 549 550 return 0; 551 break; 552 553 case RAD_ACCESS_REJECT: 554 return -1; 555 break; 556 557 case -1: 558 plog(LLV_ERROR, LOCATION, NULL, 559 "rad_send_request failed: %s\n", 560 rad_strerror(radius_auth_state)); 561 return -1; 562 break; 563 default: 564 plog(LLV_ERROR, LOCATION, NULL, 565 "rad_send_request returned %d\n", res); 566 return -1; 567 break; 568 } 569 570 return -1; 571 } 572 #endif 573 574 #ifdef HAVE_LIBPAM 575 static int 576 PAM_conv(msg_count, msg, rsp, dontcare) 577 int msg_count; 578 const struct pam_message **msg; 579 struct pam_response **rsp; 580 void *dontcare; 581 { 582 int i; 583 int replies = 0; 584 struct pam_response *reply = NULL; 585 586 if ((reply = racoon_malloc(sizeof(*reply) * msg_count)) == NULL) 587 return PAM_CONV_ERR; 588 bzero(reply, sizeof(*reply) * msg_count); 589 590 for (i = 0; i < msg_count; i++) { 591 switch (msg[i]->msg_style) { 592 case PAM_PROMPT_ECHO_ON: 593 /* Send the username, libpam frees resp */ 594 reply[i].resp_retcode = PAM_SUCCESS; 595 if ((reply[i].resp = strdup(PAM_usr)) == NULL) { 596 plog(LLV_ERROR, LOCATION, 597 NULL, "strdup failed\n"); 598 exit(1); 599 } 600 break; 601 602 case PAM_PROMPT_ECHO_OFF: 603 /* Send the password, libpam frees resp */ 604 reply[i].resp_retcode = PAM_SUCCESS; 605 if ((reply[i].resp = strdup(PAM_pwd)) == NULL) { 606 plog(LLV_ERROR, LOCATION, 607 NULL, "strdup failed\n"); 608 exit(1); 609 } 610 break; 611 612 case PAM_TEXT_INFO: 613 case PAM_ERROR_MSG: 614 reply[i].resp_retcode = PAM_SUCCESS; 615 reply[i].resp = NULL; 616 break; 617 618 default: 619 if (reply != NULL) 620 racoon_free(reply); 621 return PAM_CONV_ERR; 622 break; 623 } 624 } 625 626 if (reply != NULL) 627 *rsp = reply; 628 629 return PAM_SUCCESS; 630 } 631 632 int 633 xauth_login_pam(port, raddr, usr, pwd) 634 int port; 635 struct sockaddr *raddr; 636 char *usr; 637 char *pwd; 638 { 639 int error; 640 int res; 641 const void *data; 642 size_t len; 643 int type; 644 char *remote = NULL; 645 pam_handle_t *pam = NULL; 646 647 if (isakmp_cfg_config.port_pool == NULL) { 648 plog(LLV_ERROR, LOCATION, NULL, 649 "isakmp_cfg_config.port_pool == NULL\n"); 650 return -1; 651 } 652 653 if ((error = pam_start("racoon", usr, 654 &PAM_chat, &isakmp_cfg_config.port_pool[port].pam)) != 0) { 655 if (isakmp_cfg_config.port_pool[port].pam == NULL) { 656 plog(LLV_ERROR, LOCATION, NULL, "pam_start failed\n"); 657 return -1; 658 } else { 659 plog(LLV_ERROR, LOCATION, NULL, 660 "pam_start failed: %s\n", 661 pam_strerror(isakmp_cfg_config.port_pool[port].pam, 662 error)); 663 goto out; 664 } 665 } 666 pam = isakmp_cfg_config.port_pool[port].pam; 667 668 if ((remote = strdup(saddrwop2str(raddr))) == NULL) { 669 plog(LLV_ERROR, LOCATION, NULL, 670 "cannot allocate memory: %s\n", strerror(errno)); 671 goto out; 672 } 673 674 if ((error = pam_set_item(pam, PAM_RHOST, remote)) != 0) { 675 plog(LLV_ERROR, LOCATION, NULL, 676 "pam_set_item failed: %s\n", 677 pam_strerror(pam, error)); 678 goto out; 679 } 680 681 if ((error = pam_set_item(pam, PAM_RUSER, usr)) != 0) { 682 plog(LLV_ERROR, LOCATION, NULL, 683 "pam_set_item failed: %s\n", 684 pam_strerror(pam, error)); 685 goto out; 686 } 687 688 PAM_usr = usr; 689 PAM_pwd = pwd; 690 error = pam_authenticate(pam, 0); 691 PAM_usr = NULL; 692 PAM_pwd = NULL; 693 if (error != 0) { 694 plog(LLV_ERROR, LOCATION, NULL, 695 "pam_authenticate failed: %s\n", 696 pam_strerror(pam, error)); 697 goto out; 698 } 699 700 if ((error = pam_acct_mgmt(pam, 0)) != 0) { 701 plog(LLV_ERROR, LOCATION, NULL, 702 "pam_acct_mgmt failed: %s\n", 703 pam_strerror(pam, error)); 704 goto out; 705 } 706 707 if ((error = pam_setcred(pam, 0)) != 0) { 708 plog(LLV_ERROR, LOCATION, NULL, 709 "pam_setcred failed: %s\n", 710 pam_strerror(pam, error)); 711 goto out; 712 } 713 714 if (remote != NULL) 715 free(remote); 716 717 return 0; 718 719 out: 720 pam_end(pam, error); 721 isakmp_cfg_config.port_pool[port].pam = NULL; 722 if (remote != NULL) 723 free(remote); 724 return -1; 725 } 726 #endif 727 728 #ifdef HAVE_LIBLDAP 729 int 730 xauth_ldap_init(void) 731 { 732 int tmplen; 733 int error = -1; 734 735 xauth_ldap_config.pver = 3; 736 xauth_ldap_config.host = NULL; 737 xauth_ldap_config.port = LDAP_PORT; 738 xauth_ldap_config.base = NULL; 739 xauth_ldap_config.subtree = 0; 740 xauth_ldap_config.bind_dn = NULL; 741 xauth_ldap_config.bind_pw = NULL; 742 xauth_ldap_config.auth_type = LDAP_AUTH_SIMPLE; 743 xauth_ldap_config.attr_user = NULL; 744 xauth_ldap_config.attr_addr = NULL; 745 xauth_ldap_config.attr_mask = NULL; 746 xauth_ldap_config.attr_group = NULL; 747 xauth_ldap_config.attr_member = NULL; 748 749 /* set default host */ 750 tmplen = strlen(LDAP_DFLT_HOST); 751 xauth_ldap_config.host = vmalloc(tmplen); 752 if (xauth_ldap_config.host == NULL) 753 goto out; 754 memcpy(xauth_ldap_config.host->v, LDAP_DFLT_HOST, tmplen); 755 756 /* set default user naming attribute */ 757 tmplen = strlen(LDAP_DFLT_USER); 758 xauth_ldap_config.attr_user = vmalloc(tmplen); 759 if (xauth_ldap_config.attr_user == NULL) 760 goto out; 761 memcpy(xauth_ldap_config.attr_user->v, LDAP_DFLT_USER, tmplen); 762 763 /* set default address attribute */ 764 tmplen = strlen(LDAP_DFLT_ADDR); 765 xauth_ldap_config.attr_addr = vmalloc(tmplen); 766 if (xauth_ldap_config.attr_addr == NULL) 767 goto out; 768 memcpy(xauth_ldap_config.attr_addr->v, LDAP_DFLT_ADDR, tmplen); 769 770 /* set default netmask attribute */ 771 tmplen = strlen(LDAP_DFLT_MASK); 772 xauth_ldap_config.attr_mask = vmalloc(tmplen); 773 if (xauth_ldap_config.attr_mask == NULL) 774 goto out; 775 memcpy(xauth_ldap_config.attr_mask->v, LDAP_DFLT_MASK, tmplen); 776 777 /* set default group naming attribute */ 778 tmplen = strlen(LDAP_DFLT_GROUP); 779 xauth_ldap_config.attr_group = vmalloc(tmplen); 780 if (xauth_ldap_config.attr_group == NULL) 781 goto out; 782 memcpy(xauth_ldap_config.attr_group->v, LDAP_DFLT_GROUP, tmplen); 783 784 /* set default member attribute */ 785 tmplen = strlen(LDAP_DFLT_MEMBER); 786 xauth_ldap_config.attr_member = vmalloc(tmplen); 787 if (xauth_ldap_config.attr_member == NULL) 788 goto out; 789 memcpy(xauth_ldap_config.attr_member->v, LDAP_DFLT_MEMBER, tmplen); 790 791 error = 0; 792 out: 793 if (error != 0) 794 plog(LLV_ERROR, LOCATION, NULL, "cannot allocate memory\n"); 795 796 return error; 797 } 798 799 int 800 xauth_login_ldap(iph1, usr, pwd) 801 struct ph1handle *iph1; 802 char *usr; 803 char *pwd; 804 { 805 int rtn = -1; 806 int res = -1; 807 LDAP *ld = NULL; 808 LDAPMessage *lr = NULL; 809 LDAPMessage *le = NULL; 810 struct berval cred; 811 struct berval **bv = NULL; 812 struct timeval timeout; 813 char *init = NULL; 814 char *filter = NULL; 815 char *atlist[3]; 816 char *basedn = NULL; 817 char *userdn = NULL; 818 int tmplen = 0; 819 int ecount = 0; 820 int scope = LDAP_SCOPE_ONE; 821 822 atlist[0] = NULL; 823 atlist[1] = NULL; 824 atlist[2] = NULL; 825 826 /* build our initialization url */ 827 tmplen = strlen("ldap://:") + 17; 828 tmplen += strlen(xauth_ldap_config.host->v); 829 init = racoon_malloc(tmplen); 830 if (init == NULL) { 831 plog(LLV_ERROR, LOCATION, NULL, 832 "unable to alloc ldap init url\n"); 833 goto ldap_end; 834 } 835 sprintf(init,"ldap://%s:%d", 836 xauth_ldap_config.host->v, 837 xauth_ldap_config.port ); 838 839 /* initialize the ldap handle */ 840 res = ldap_initialize(&ld, init); 841 if (res != LDAP_SUCCESS) { 842 plog(LLV_ERROR, LOCATION, NULL, 843 "ldap_initialize failed: %s\n", 844 ldap_err2string(res)); 845 goto ldap_end; 846 } 847 848 /* initialize the protocol version */ 849 ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, 850 &xauth_ldap_config.pver); 851 852 /* 853 * attempt to bind to the ldap server. 854 * default to anonymous bind unless a 855 * user dn and password has been 856 * specified in our configuration 857 */ 858 if ((xauth_ldap_config.bind_dn != NULL)&& 859 (xauth_ldap_config.bind_pw != NULL)) 860 { 861 cred.bv_val = xauth_ldap_config.bind_pw->v; 862 cred.bv_len = strlen( cred.bv_val ); 863 res = ldap_sasl_bind_s(ld, 864 xauth_ldap_config.bind_dn->v, NULL, &cred, 865 NULL, NULL, NULL); 866 } 867 else 868 { 869 res = ldap_sasl_bind_s(ld, 870 NULL, NULL, NULL, 871 NULL, NULL, NULL); 872 } 873 874 if (res!=LDAP_SUCCESS) { 875 plog(LLV_ERROR, LOCATION, NULL, 876 "ldap_sasl_bind_s (search) failed: %s\n", 877 ldap_err2string(res)); 878 goto ldap_end; 879 } 880 881 /* build an ldap user search filter */ 882 tmplen = strlen(xauth_ldap_config.attr_user->v); 883 tmplen += 1; 884 tmplen += strlen(usr); 885 tmplen += 1; 886 filter = racoon_malloc(tmplen); 887 if (filter == NULL) { 888 plog(LLV_ERROR, LOCATION, NULL, 889 "unable to alloc ldap search filter buffer\n"); 890 goto ldap_end; 891 } 892 sprintf(filter, "%s=%s", 893 xauth_ldap_config.attr_user->v, usr); 894 895 /* build our return attribute list */ 896 tmplen = strlen(xauth_ldap_config.attr_addr->v) + 1; 897 atlist[0] = racoon_malloc(tmplen); 898 tmplen = strlen(xauth_ldap_config.attr_mask->v) + 1; 899 atlist[1] = racoon_malloc(tmplen); 900 if ((atlist[0] == NULL)||(atlist[1] == NULL)) { 901 plog(LLV_ERROR, LOCATION, NULL, 902 "unable to alloc ldap attrib list buffer\n"); 903 goto ldap_end; 904 } 905 strcpy(atlist[0],xauth_ldap_config.attr_addr->v); 906 strcpy(atlist[1],xauth_ldap_config.attr_mask->v); 907 908 /* attempt to locate the user dn */ 909 if (xauth_ldap_config.base != NULL) 910 basedn = xauth_ldap_config.base->v; 911 if (xauth_ldap_config.subtree) 912 scope = LDAP_SCOPE_SUBTREE; 913 timeout.tv_sec = 15; 914 timeout.tv_usec = 0; 915 res = ldap_search_ext_s(ld, basedn, scope, 916 filter, atlist, 0, NULL, NULL, 917 &timeout, 2, &lr); 918 if (res != LDAP_SUCCESS) { 919 plog(LLV_ERROR, LOCATION, NULL, 920 "ldap_search_ext_s failed: %s\n", 921 ldap_err2string(res)); 922 goto ldap_end; 923 } 924 925 /* check the number of ldap entries returned */ 926 ecount = ldap_count_entries(ld, lr); 927 if (ecount < 1) { 928 plog(LLV_WARNING, LOCATION, NULL, 929 "no ldap results for filter \'%s\'\n", 930 filter); 931 goto ldap_end; 932 } 933 if (ecount > 1) { 934 plog(LLV_WARNING, LOCATION, NULL, 935 "multiple (%i) ldap results for filter \'%s\'\n", 936 ecount, filter); 937 } 938 939 /* obtain the dn from the first result */ 940 le = ldap_first_entry(ld, lr); 941 if (le == NULL) { 942 plog(LLV_ERROR, LOCATION, NULL, 943 "ldap_first_entry failed: invalid entry returned\n"); 944 goto ldap_end; 945 } 946 userdn = ldap_get_dn(ld, le); 947 if (userdn == NULL) { 948 plog(LLV_ERROR, LOCATION, NULL, 949 "ldap_get_dn failed: invalid string returned\n"); 950 goto ldap_end; 951 } 952 953 /* cache the user dn in the xauth state */ 954 iph1->mode_cfg->xauth.udn = racoon_malloc(strlen(userdn)+1); 955 strcpy(iph1->mode_cfg->xauth.udn,userdn); 956 957 /* retrieve modecfg address */ 958 bv = ldap_get_values_len(ld, le, xauth_ldap_config.attr_addr->v); 959 if (bv != NULL) { 960 char tmpaddr[16]; 961 /* sanity check for address value */ 962 if ((bv[0]->bv_len < 7)||(bv[0]->bv_len > 15)) { 963 plog(LLV_DEBUG, LOCATION, NULL, 964 "ldap returned invalid modecfg address\n"); 965 ldap_value_free_len(bv); 966 goto ldap_end; 967 } 968 memcpy(tmpaddr,bv[0]->bv_val,bv[0]->bv_len); 969 tmpaddr[bv[0]->bv_len]=0; 970 iph1->mode_cfg->addr4.s_addr = inet_addr(tmpaddr); 971 iph1->mode_cfg->flags |= ISAKMP_CFG_ADDR4_EXTERN; 972 plog(LLV_INFO, LOCATION, NULL, 973 "ldap returned modecfg address %s\n", tmpaddr); 974 ldap_value_free_len(bv); 975 } 976 977 /* retrieve modecfg netmask */ 978 bv = ldap_get_values_len(ld, le, xauth_ldap_config.attr_mask->v); 979 if (bv != NULL) { 980 char tmpmask[16]; 981 /* sanity check for netmask value */ 982 if ((bv[0]->bv_len < 7)||(bv[0]->bv_len > 15)) { 983 plog(LLV_DEBUG, LOCATION, NULL, 984 "ldap returned invalid modecfg netmask\n"); 985 ldap_value_free_len(bv); 986 goto ldap_end; 987 } 988 memcpy(tmpmask,bv[0]->bv_val,bv[0]->bv_len); 989 tmpmask[bv[0]->bv_len]=0; 990 iph1->mode_cfg->mask4.s_addr = inet_addr(tmpmask); 991 iph1->mode_cfg->flags |= ISAKMP_CFG_MASK4_EXTERN; 992 plog(LLV_INFO, LOCATION, NULL, 993 "ldap returned modecfg netmask %s\n", tmpmask); 994 ldap_value_free_len(bv); 995 } 996 997 /* 998 * finally, use the dn and the xauth 999 * password to check the users given 1000 * credentials by attempting to bind 1001 * to the ldap server 1002 */ 1003 plog(LLV_INFO, LOCATION, NULL, 1004 "attempting ldap bind for dn \'%s\'\n", userdn); 1005 cred.bv_val = pwd; 1006 cred.bv_len = strlen( cred.bv_val ); 1007 res = ldap_sasl_bind_s(ld, 1008 userdn, NULL, &cred, 1009 NULL, NULL, NULL); 1010 if(res==LDAP_SUCCESS) 1011 rtn = 0; 1012 1013 ldap_end: 1014 1015 /* free ldap resources */ 1016 if (userdn != NULL) 1017 ldap_memfree(userdn); 1018 if (atlist[0] != NULL) 1019 racoon_free(atlist[0]); 1020 if (atlist[1] != NULL) 1021 racoon_free(atlist[1]); 1022 if (filter != NULL) 1023 racoon_free(filter); 1024 if (lr != NULL) 1025 ldap_msgfree(lr); 1026 if (init != NULL) 1027 racoon_free(init); 1028 1029 ldap_unbind_ext_s(ld, NULL, NULL); 1030 1031 return rtn; 1032 } 1033 1034 int 1035 xauth_group_ldap(udn, grp) 1036 char * udn; 1037 char * grp; 1038 { 1039 int rtn = -1; 1040 int res = -1; 1041 LDAP *ld = NULL; 1042 LDAPMessage *lr = NULL; 1043 LDAPMessage *le = NULL; 1044 struct berval cred; 1045 struct timeval timeout; 1046 char *init = NULL; 1047 char *filter = NULL; 1048 char *basedn = NULL; 1049 char *groupdn = NULL; 1050 int tmplen = 0; 1051 int ecount = 0; 1052 int scope = LDAP_SCOPE_ONE; 1053 1054 /* build our initialization url */ 1055 tmplen = strlen("ldap://:") + 17; 1056 tmplen += strlen(xauth_ldap_config.host->v); 1057 init = racoon_malloc(tmplen); 1058 if (init == NULL) { 1059 plog(LLV_ERROR, LOCATION, NULL, 1060 "unable to alloc ldap init url\n"); 1061 goto ldap_group_end; 1062 } 1063 sprintf(init,"ldap://%s:%d", 1064 xauth_ldap_config.host->v, 1065 xauth_ldap_config.port ); 1066 1067 /* initialize the ldap handle */ 1068 res = ldap_initialize(&ld, init); 1069 if (res != LDAP_SUCCESS) { 1070 plog(LLV_ERROR, LOCATION, NULL, 1071 "ldap_initialize failed: %s\n", 1072 ldap_err2string(res)); 1073 goto ldap_group_end; 1074 } 1075 1076 /* initialize the protocol version */ 1077 ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, 1078 &xauth_ldap_config.pver); 1079 1080 /* 1081 * attempt to bind to the ldap server. 1082 * default to anonymous bind unless a 1083 * user dn and password has been 1084 * specified in our configuration 1085 */ 1086 if ((xauth_ldap_config.bind_dn != NULL)&& 1087 (xauth_ldap_config.bind_pw != NULL)) 1088 { 1089 cred.bv_val = xauth_ldap_config.bind_pw->v; 1090 cred.bv_len = strlen( cred.bv_val ); 1091 res = ldap_sasl_bind_s(ld, 1092 xauth_ldap_config.bind_dn->v, NULL, &cred, 1093 NULL, NULL, NULL); 1094 } 1095 else 1096 { 1097 res = ldap_sasl_bind_s(ld, 1098 NULL, NULL, NULL, 1099 NULL, NULL, NULL); 1100 } 1101 1102 if (res!=LDAP_SUCCESS) { 1103 plog(LLV_ERROR, LOCATION, NULL, 1104 "ldap_sasl_bind_s (search) failed: %s\n", 1105 ldap_err2string(res)); 1106 goto ldap_group_end; 1107 } 1108 1109 /* build an ldap group search filter */ 1110 tmplen = strlen("(&(=)(=))") + 1; 1111 tmplen += strlen(xauth_ldap_config.attr_group->v); 1112 tmplen += strlen(grp); 1113 tmplen += strlen(xauth_ldap_config.attr_member->v); 1114 tmplen += strlen(udn); 1115 filter = racoon_malloc(tmplen); 1116 if (filter == NULL) { 1117 plog(LLV_ERROR, LOCATION, NULL, 1118 "unable to alloc ldap search filter buffer\n"); 1119 goto ldap_group_end; 1120 } 1121 sprintf(filter, "(&(%s=%s)(%s=%s))", 1122 xauth_ldap_config.attr_group->v, grp, 1123 xauth_ldap_config.attr_member->v, udn); 1124 1125 /* attempt to locate the group dn */ 1126 if (xauth_ldap_config.base != NULL) 1127 basedn = xauth_ldap_config.base->v; 1128 if (xauth_ldap_config.subtree) 1129 scope = LDAP_SCOPE_SUBTREE; 1130 timeout.tv_sec = 15; 1131 timeout.tv_usec = 0; 1132 res = ldap_search_ext_s(ld, basedn, scope, 1133 filter, NULL, 0, NULL, NULL, 1134 &timeout, 2, &lr); 1135 if (res != LDAP_SUCCESS) { 1136 plog(LLV_ERROR, LOCATION, NULL, 1137 "ldap_search_ext_s failed: %s\n", 1138 ldap_err2string(res)); 1139 goto ldap_group_end; 1140 } 1141 1142 /* check the number of ldap entries returned */ 1143 ecount = ldap_count_entries(ld, lr); 1144 if (ecount < 1) { 1145 plog(LLV_WARNING, LOCATION, NULL, 1146 "no ldap results for filter \'%s\'\n", 1147 filter); 1148 goto ldap_group_end; 1149 } 1150 1151 /* success */ 1152 rtn = 0; 1153 1154 /* obtain the dn from the first result */ 1155 le = ldap_first_entry(ld, lr); 1156 if (le == NULL) { 1157 plog(LLV_ERROR, LOCATION, NULL, 1158 "ldap_first_entry failed: invalid entry returned\n"); 1159 goto ldap_group_end; 1160 } 1161 groupdn = ldap_get_dn(ld, le); 1162 if (groupdn == NULL) { 1163 plog(LLV_ERROR, LOCATION, NULL, 1164 "ldap_get_dn failed: invalid string returned\n"); 1165 goto ldap_group_end; 1166 } 1167 1168 plog(LLV_INFO, LOCATION, NULL, 1169 "ldap membership group returned \'%s\'\n", groupdn); 1170 ldap_group_end: 1171 1172 /* free ldap resources */ 1173 if (groupdn != NULL) 1174 ldap_memfree(groupdn); 1175 if (filter != NULL) 1176 racoon_free(filter); 1177 if (lr != NULL) 1178 ldap_msgfree(lr); 1179 if (init != NULL) 1180 racoon_free(init); 1181 1182 ldap_unbind_ext_s(ld, NULL, NULL); 1183 1184 return rtn; 1185 } 1186 1187 #endif 1188 1189 int 1190 xauth_login_system(usr, pwd) 1191 char *usr; 1192 char *pwd; 1193 { 1194 struct passwd *pw; 1195 char *cryptpwd; 1196 char *syscryptpwd; 1197 #ifdef HAVE_SHADOW_H 1198 struct spwd *spw; 1199 1200 if ((spw = getspnam(usr)) == NULL) 1201 return -1; 1202 1203 syscryptpwd = spw->sp_pwdp; 1204 #endif 1205 1206 if ((pw = getpwnam(usr)) == NULL) 1207 return -1; 1208 1209 #ifndef HAVE_SHADOW_H 1210 syscryptpwd = pw->pw_passwd; 1211 #endif 1212 1213 /* No root login. Ever. */ 1214 if (pw->pw_uid == 0) 1215 return -1; 1216 1217 if ((cryptpwd = crypt(pwd, syscryptpwd)) == NULL) 1218 return -1; 1219 1220 if (strcmp(cryptpwd, syscryptpwd) == 0) 1221 return 0; 1222 1223 return -1; 1224 } 1225 1226 int 1227 xauth_group_system(usr, grp) 1228 char * usr; 1229 char * grp; 1230 { 1231 struct group * gr; 1232 char * member; 1233 int index = 0; 1234 1235 gr = getgrnam(grp); 1236 if (gr == NULL) { 1237 plog(LLV_ERROR, LOCATION, NULL, 1238 "the system group name \'%s\' is unknown\n", 1239 grp); 1240 return -1; 1241 } 1242 1243 while ((member = gr->gr_mem[index++])!=NULL) { 1244 if (!strcmp(member,usr)) { 1245 plog(LLV_INFO, LOCATION, NULL, 1246 "membership validated\n"); 1247 return 0; 1248 } 1249 } 1250 1251 return -1; 1252 } 1253 1254 int 1255 xauth_check(iph1) 1256 struct ph1handle *iph1; 1257 { 1258 struct xauth_state *xst = &iph1->mode_cfg->xauth; 1259 1260 /* 1261 * Only the server side (edge device) really check for Xauth 1262 * status. It does it if the chose authmethod is using Xauth. 1263 * On the client side (roadwarrior), we don't check anything. 1264 */ 1265 switch (AUTHMETHOD(iph1)) { 1266 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R: 1267 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R: 1268 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R: 1269 /* The following are not yet implemented */ 1270 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R: 1271 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R: 1272 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R: 1273 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R: 1274 if ((iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) == 0) { 1275 plog(LLV_ERROR, LOCATION, NULL, 1276 "Hybrid auth negotiated but peer did not " 1277 "announced as Xauth capable\n"); 1278 return -1; 1279 } 1280 1281 if (xst->status != XAUTHST_OK) { 1282 plog(LLV_ERROR, LOCATION, NULL, 1283 "Hybrid auth negotiated but peer did not " 1284 "succeed Xauth exchange\n"); 1285 return -1; 1286 } 1287 1288 return 0; 1289 break; 1290 default: 1291 return 0; 1292 break; 1293 } 1294 1295 return 0; 1296 } 1297 1298 int 1299 group_check(iph1, grp_list, grp_count) 1300 struct ph1handle *iph1; 1301 char **grp_list; 1302 int grp_count; 1303 { 1304 int res = -1; 1305 int grp_index = 0; 1306 char * usr = NULL; 1307 1308 /* check for presence of modecfg data */ 1309 1310 if(iph1->mode_cfg == NULL) { 1311 plog(LLV_ERROR, LOCATION, NULL, 1312 "xauth group specified but modecfg not found\n"); 1313 return res; 1314 } 1315 1316 /* loop through our group list */ 1317 1318 for(; grp_index < grp_count; grp_index++) { 1319 1320 /* check for presence of xauth data */ 1321 1322 usr = iph1->mode_cfg->xauth.authdata.generic.usr; 1323 1324 if(usr == NULL) { 1325 plog(LLV_ERROR, LOCATION, NULL, 1326 "xauth group specified but xauth not found\n"); 1327 return res; 1328 } 1329 1330 /* call appropriate group validation funtion */ 1331 1332 switch (isakmp_cfg_config.groupsource) { 1333 1334 case ISAKMP_CFG_GROUP_SYSTEM: 1335 res = xauth_group_system( 1336 usr, 1337 grp_list[grp_index]); 1338 break; 1339 1340 #ifdef HAVE_LIBLDAP 1341 case ISAKMP_CFG_GROUP_LDAP: 1342 res = xauth_group_ldap( 1343 iph1->mode_cfg->xauth.udn, 1344 grp_list[grp_index]); 1345 break; 1346 #endif 1347 1348 default: 1349 /* we should never get here */ 1350 plog(LLV_ERROR, LOCATION, NULL, 1351 "Unknown group auth source\n"); 1352 break; 1353 } 1354 1355 if( !res ) { 1356 plog(LLV_INFO, LOCATION, NULL, 1357 "user \"%s\" is a member of group \"%s\"\n", 1358 usr, 1359 grp_list[grp_index]); 1360 break; 1361 } else { 1362 plog(LLV_INFO, LOCATION, NULL, 1363 "user \"%s\" is not a member of group \"%s\"\n", 1364 usr, 1365 grp_list[grp_index]); 1366 } 1367 } 1368 1369 return res; 1370 } 1371 1372 vchar_t * 1373 isakmp_xauth_req(iph1, attr) 1374 struct ph1handle *iph1; 1375 struct isakmp_data *attr; 1376 { 1377 int type; 1378 size_t dlen = 0; 1379 int ashort = 0; 1380 int value = 0; 1381 vchar_t *buffer = NULL; 1382 char* mraw = NULL; 1383 vchar_t *mdata = NULL; 1384 char *data; 1385 vchar_t *usr = NULL; 1386 vchar_t *pwd = NULL; 1387 size_t skip = 0; 1388 int freepwd = 0; 1389 1390 if ((iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) == 0) { 1391 plog(LLV_ERROR, LOCATION, NULL, 1392 "Xauth mode config request but peer " 1393 "did not declare itself as Xauth capable\n"); 1394 return NULL; 1395 } 1396 1397 type = ntohs(attr->type) & ~ISAKMP_GEN_MASK; 1398 1399 /* Sanity checks */ 1400 switch(type) { 1401 case XAUTH_TYPE: 1402 if ((ntohs(attr->type) & ISAKMP_GEN_TV) == 0) { 1403 plog(LLV_ERROR, LOCATION, NULL, 1404 "Unexpected long XAUTH_TYPE attribute\n"); 1405 return NULL; 1406 } 1407 if (ntohs(attr->lorv) != XAUTH_TYPE_GENERIC) { 1408 plog(LLV_ERROR, LOCATION, NULL, 1409 "Unsupported Xauth authentication %d\n", 1410 ntohs(attr->lorv)); 1411 return NULL; 1412 } 1413 ashort = 1; 1414 dlen = 0; 1415 value = XAUTH_TYPE_GENERIC; 1416 break; 1417 1418 case XAUTH_USER_NAME: 1419 if (!iph1->rmconf->xauth || !iph1->rmconf->xauth->login) { 1420 plog(LLV_ERROR, LOCATION, NULL, "Xauth performed " 1421 "with no login supplied\n"); 1422 return NULL; 1423 } 1424 1425 dlen = iph1->rmconf->xauth->login->l - 1; 1426 iph1->rmconf->xauth->state |= XAUTH_SENT_USERNAME; 1427 break; 1428 1429 case XAUTH_USER_PASSWORD: 1430 if (!iph1->rmconf->xauth || !iph1->rmconf->xauth->login) 1431 return NULL; 1432 1433 skip = sizeof(struct ipsecdoi_id_b); 1434 usr = vmalloc(iph1->rmconf->xauth->login->l - 1 + skip); 1435 if (usr == NULL) { 1436 plog(LLV_ERROR, LOCATION, NULL, 1437 "Cannot allocate memory\n"); 1438 return NULL; 1439 } 1440 memset(usr->v, 0, skip); 1441 memcpy(usr->v + skip, 1442 iph1->rmconf->xauth->login->v, 1443 iph1->rmconf->xauth->login->l - 1); 1444 1445 if (iph1->rmconf->xauth->pass) { 1446 /* A key given through racoonctl */ 1447 pwd = iph1->rmconf->xauth->pass; 1448 } else { 1449 if ((pwd = getpskbyname(usr)) == NULL) { 1450 plog(LLV_ERROR, LOCATION, NULL, 1451 "No password was found for login %s\n", 1452 iph1->rmconf->xauth->login->v); 1453 vfree(usr); 1454 return NULL; 1455 } 1456 /* We have to free it before returning */ 1457 freepwd = 1; 1458 } 1459 vfree(usr); 1460 1461 iph1->rmconf->xauth->state |= XAUTH_SENT_PASSWORD; 1462 dlen = pwd->l; 1463 1464 break; 1465 case XAUTH_MESSAGE: 1466 if ((ntohs(attr->type) & ISAKMP_GEN_TV) == 0) { 1467 dlen = ntohs(attr->lorv); 1468 if (dlen > 0) { 1469 mraw = (char*)(attr + 1); 1470 if ((mdata = vmalloc(dlen)) == NULL) { 1471 plog(LLV_ERROR, LOCATION, iph1->remote, 1472 "Cannot allocate memory\n"); 1473 return NULL; 1474 } 1475 memcpy(mdata->v, mraw, mdata->l); 1476 plog(LLV_NOTIFY,LOCATION, iph1->remote, 1477 "XAUTH Message: '%s'.\n", 1478 binsanitize(mdata->v, mdata->l)); 1479 vfree(mdata); 1480 } 1481 } 1482 return NULL; 1483 default: 1484 plog(LLV_WARNING, LOCATION, NULL, 1485 "Ignored attribute %s\n", s_isakmp_cfg_type(type)); 1486 return NULL; 1487 break; 1488 } 1489 1490 if ((buffer = vmalloc(sizeof(*attr) + dlen)) == NULL) { 1491 plog(LLV_ERROR, LOCATION, NULL, 1492 "Cannot allocate memory\n"); 1493 goto out; 1494 } 1495 1496 attr = (struct isakmp_data *)buffer->v; 1497 if (ashort) { 1498 attr->type = htons(type | ISAKMP_GEN_TV); 1499 attr->lorv = htons(value); 1500 goto out; 1501 } 1502 1503 attr->type = htons(type | ISAKMP_GEN_TLV); 1504 attr->lorv = htons(dlen); 1505 data = (char *)(attr + 1); 1506 1507 switch(type) { 1508 case XAUTH_USER_NAME: 1509 /* 1510 * iph1->rmconf->xauth->login->v is valid, 1511 * we just checked it in the previous switch case 1512 */ 1513 memcpy(data, iph1->rmconf->xauth->login->v, dlen); 1514 break; 1515 case XAUTH_USER_PASSWORD: 1516 memcpy(data, pwd->v, dlen); 1517 break; 1518 default: 1519 break; 1520 } 1521 1522 out: 1523 if (freepwd) 1524 vfree(pwd); 1525 1526 return buffer; 1527 } 1528 1529 vchar_t * 1530 isakmp_xauth_set(iph1, attr) 1531 struct ph1handle *iph1; 1532 struct isakmp_data *attr; 1533 { 1534 int type; 1535 vchar_t *buffer = NULL; 1536 char *data; 1537 struct xauth_state *xst; 1538 size_t dlen = 0; 1539 char* mraw = NULL; 1540 vchar_t *mdata = NULL; 1541 1542 if ((iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) == 0) { 1543 plog(LLV_ERROR, LOCATION, NULL, 1544 "Xauth mode config set but peer " 1545 "did not declare itself as Xauth capable\n"); 1546 return NULL; 1547 } 1548 1549 type = ntohs(attr->type) & ~ISAKMP_GEN_MASK; 1550 1551 switch(type) { 1552 case XAUTH_STATUS: 1553 /* 1554 * We should only receive ISAKMP mode_cfg SET XAUTH_STATUS 1555 * when running as a client (initiator). 1556 */ 1557 xst = &iph1->mode_cfg->xauth; 1558 switch(AUTHMETHOD(iph1)) { 1559 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I: 1560 case FICTIVE_AUTH_METHOD_XAUTH_PSKEY_I: 1561 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I: 1562 /* Not implemented ... */ 1563 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I: 1564 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I: 1565 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I: 1566 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I: 1567 break; 1568 default: 1569 plog(LLV_ERROR, LOCATION, NULL, 1570 "Unexpected XAUTH_STATUS_OK\n"); 1571 return NULL; 1572 break; 1573 } 1574 1575 /* If we got a failure, delete iph1 */ 1576 if (ntohs(attr->lorv) != XAUTH_STATUS_OK) { 1577 plog(LLV_ERROR, LOCATION, NULL, 1578 "Xauth authentication failed\n"); 1579 1580 EVT_PUSH(iph1->local, iph1->remote, 1581 EVTT_XAUTH_FAILED, NULL); 1582 1583 iph1->mode_cfg->flags |= ISAKMP_CFG_DELETE_PH1; 1584 } else { 1585 EVT_PUSH(iph1->local, iph1->remote, 1586 EVTT_XAUTH_SUCCESS, NULL); 1587 } 1588 1589 1590 /* We acknowledge it */ 1591 break; 1592 case XAUTH_MESSAGE: 1593 if ((ntohs(attr->type) & ISAKMP_GEN_TV) == 0) { 1594 dlen = ntohs(attr->lorv); 1595 if (dlen > 0) { 1596 mraw = (char*)(attr + 1); 1597 if ((mdata = vmalloc(dlen)) == NULL) { 1598 plog(LLV_ERROR, LOCATION, iph1->remote, 1599 "Cannot allocate memory\n"); 1600 return NULL; 1601 } 1602 memcpy(mdata->v, mraw, mdata->l); 1603 plog(LLV_NOTIFY,LOCATION, iph1->remote, 1604 "XAUTH Message: '%s'.\n", 1605 binsanitize(mdata->v, mdata->l)); 1606 vfree(mdata); 1607 } 1608 } 1609 1610 default: 1611 plog(LLV_WARNING, LOCATION, NULL, 1612 "Ignored attribute %s\n", s_isakmp_cfg_type(type)); 1613 return NULL; 1614 break; 1615 } 1616 1617 if ((buffer = vmalloc(sizeof(*attr))) == NULL) { 1618 plog(LLV_ERROR, LOCATION, NULL, 1619 "Cannot allocate memory\n"); 1620 return NULL; 1621 } 1622 1623 attr = (struct isakmp_data *)buffer->v; 1624 attr->type = htons(type | ISAKMP_GEN_TV); 1625 attr->lorv = htons(0); 1626 1627 return buffer; 1628 } 1629 1630 1631 void 1632 xauth_rmstate(xst) 1633 struct xauth_state *xst; 1634 { 1635 switch (xst->authtype) { 1636 case XAUTH_TYPE_GENERIC: 1637 if (xst->authdata.generic.usr) 1638 racoon_free(xst->authdata.generic.usr); 1639 1640 if (xst->authdata.generic.pwd) 1641 racoon_free(xst->authdata.generic.pwd); 1642 1643 break; 1644 1645 case XAUTH_TYPE_CHAP: 1646 case XAUTH_TYPE_OTP: 1647 case XAUTH_TYPE_SKEY: 1648 plog(LLV_WARNING, LOCATION, NULL, 1649 "Unsupported authtype %d\n", xst->authtype); 1650 break; 1651 1652 default: 1653 plog(LLV_WARNING, LOCATION, NULL, 1654 "Unexpected authtype %d\n", xst->authtype); 1655 break; 1656 } 1657 1658 #ifdef HAVE_LIBLDAP 1659 if (xst->udn != NULL) 1660 racoon_free(xst->udn); 1661 #endif 1662 return; 1663 } 1664 1665 int 1666 xauth_rmconf_used(xauth_rmconf) 1667 struct xauth_rmconf **xauth_rmconf; 1668 { 1669 if (*xauth_rmconf == NULL) { 1670 *xauth_rmconf = racoon_malloc(sizeof(**xauth_rmconf)); 1671 if (*xauth_rmconf == NULL) { 1672 plog(LLV_ERROR, LOCATION, NULL, 1673 "xauth_rmconf_used: malloc failed\n"); 1674 return -1; 1675 } 1676 1677 (*xauth_rmconf)->login = NULL; 1678 (*xauth_rmconf)->pass = NULL; 1679 (*xauth_rmconf)->state = 0; 1680 } 1681 1682 return 0; 1683 } 1684 1685 void 1686 xauth_rmconf_delete(xauth_rmconf) 1687 struct xauth_rmconf **xauth_rmconf; 1688 { 1689 if (*xauth_rmconf != NULL) { 1690 if ((*xauth_rmconf)->login != NULL) 1691 vfree((*xauth_rmconf)->login); 1692 if ((*xauth_rmconf)->pass != NULL) 1693 vfree((*xauth_rmconf)->pass); 1694 1695 racoon_free(*xauth_rmconf); 1696 *xauth_rmconf = NULL; 1697 } 1698 1699 return; 1700 } 1701