1 /* $NetBSD: isakmp_xauth.c,v 1.34 2021/12/05 02:59:50 msaitoh Exp $ */ 2 3 /* Id: isakmp_xauth.c,v 1.38 2006/08/22 18:17:17 manubsd Exp */ 4 5 /* 6 * Copyright (C) 2004-2005 Emmanuel Dreyfus 7 * All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 3. Neither the name of the project nor the names of its contributors 18 * may be used to endorse or promote products derived from this software 19 * without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 * SUCH DAMAGE. 32 */ 33 34 #include "config.h" 35 36 #include <sys/types.h> 37 #include <sys/param.h> 38 #include <sys/socket.h> 39 #include <sys/queue.h> 40 41 #include <netinet/in.h> 42 43 #include <assert.h> 44 #include <stdlib.h> 45 #include <stdio.h> 46 #include <string.h> 47 #include <errno.h> 48 #include <pwd.h> 49 #include <grp.h> 50 #if TIME_WITH_SYS_TIME 51 # include <sys/time.h> 52 # include <time.h> 53 #else 54 # if HAVE_SYS_TIME_H 55 # include <sys/time.h> 56 # else 57 # include <time.h> 58 # endif 59 #endif 60 #include <netdb.h> 61 #ifdef HAVE_UNISTD_H 62 #include <unistd.h> 63 #endif 64 #include <ctype.h> 65 #include <resolv.h> 66 67 #ifdef HAVE_SHADOW_H 68 #include <shadow.h> 69 #endif 70 71 #include "var.h" 72 #include "misc.h" 73 #include "vmbuf.h" 74 #include "plog.h" 75 #include "sockmisc.h" 76 #include "schedule.h" 77 #include "debug.h" 78 79 #include "crypto_openssl.h" 80 #include "isakmp_var.h" 81 #include "isakmp.h" 82 #include "admin.h" 83 #include "privsep.h" 84 #include "evt.h" 85 #include "handler.h" 86 #include "throttle.h" 87 #include "remoteconf.h" 88 #include "isakmp_inf.h" 89 #include "isakmp_xauth.h" 90 #include "isakmp_unity.h" 91 #include "isakmp_cfg.h" 92 #include "strnames.h" 93 #include "ipsec_doi.h" 94 #include "remoteconf.h" 95 #include "localconf.h" 96 97 #ifdef HAVE_LIBRADIUS 98 #include <radlib.h> 99 struct rad_handle *radius_auth_state = NULL; 100 struct rad_handle *radius_acct_state = NULL; 101 struct xauth_rad_config xauth_rad_config; 102 #endif 103 104 #ifdef HAVE_LIBPAM 105 #include <security/pam_appl.h> 106 107 static char *PAM_usr = NULL; 108 static char *PAM_pwd = NULL; 109 static int PAM_conv(int, const struct pam_message **, 110 struct pam_response **, void *); 111 static struct pam_conv PAM_chat = { &PAM_conv, NULL }; 112 #endif 113 114 #ifdef HAVE_LIBLDAP 115 #include "ldap.h" 116 #include <arpa/inet.h> 117 struct xauth_ldap_config xauth_ldap_config; 118 #endif 119 120 void 121 xauth_sendreq(iph1) 122 struct ph1handle *iph1; 123 { 124 vchar_t *buffer; 125 struct isakmp_pl_attr *attr; 126 struct isakmp_data *typeattr; 127 struct isakmp_data *usrattr; 128 struct isakmp_data *pwdattr; 129 struct xauth_state *xst = &iph1->mode_cfg->xauth; 130 size_t tlen; 131 132 /* Status checks */ 133 if (iph1->status < PHASE1ST_ESTABLISHED) { 134 plog(LLV_ERROR, LOCATION, NULL, 135 "Xauth request while phase 1 is not completed\n"); 136 return; 137 } 138 139 if (xst->status != XAUTHST_NOTYET) { 140 plog(LLV_ERROR, LOCATION, NULL, 141 "Xauth request whith Xauth state %d\n", xst->status); 142 return; 143 } 144 145 plog(LLV_INFO, LOCATION, NULL, "Sending Xauth request\n"); 146 147 tlen = sizeof(*attr) + 148 + sizeof(*typeattr) + 149 + sizeof(*usrattr) + 150 + sizeof(*pwdattr); 151 152 if ((buffer = vmalloc(tlen)) == NULL) { 153 plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate buffer\n"); 154 return; 155 } 156 157 attr = (struct isakmp_pl_attr *)buffer->v; 158 memset(attr, 0, tlen); 159 160 attr->h.len = htons(tlen); 161 attr->type = ISAKMP_CFG_REQUEST; 162 attr->id = htons(eay_random()); 163 164 typeattr = (struct isakmp_data *)(attr + 1); 165 typeattr->type = htons(XAUTH_TYPE | ISAKMP_GEN_TV); 166 typeattr->lorv = htons(XAUTH_TYPE_GENERIC); 167 168 usrattr = (struct isakmp_data *)(typeattr + 1); 169 usrattr->type = htons(XAUTH_USER_NAME | ISAKMP_GEN_TLV); 170 usrattr->lorv = htons(0); 171 172 pwdattr = (struct isakmp_data *)(usrattr + 1); 173 pwdattr->type = htons(XAUTH_USER_PASSWORD | ISAKMP_GEN_TLV); 174 pwdattr->lorv = htons(0); 175 176 isakmp_cfg_send(iph1, buffer, 177 ISAKMP_NPTYPE_ATTR, ISAKMP_FLAG_E, 1); 178 179 vfree(buffer); 180 181 xst->status = XAUTHST_REQSENT; 182 183 return; 184 } 185 186 int 187 xauth_attr_reply(iph1, attr, id) 188 struct ph1handle *iph1; 189 struct isakmp_data *attr; 190 int id; 191 { 192 char **outlet = NULL; 193 size_t alen = 0; 194 int type; 195 struct xauth_state *xst = &iph1->mode_cfg->xauth; 196 197 if ((iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) == 0) { 198 plog(LLV_ERROR, LOCATION, NULL, 199 "Xauth reply but peer did not declare " 200 "itself as Xauth capable\n"); 201 return -1; 202 } 203 204 if (xst->status != XAUTHST_REQSENT) { 205 plog(LLV_ERROR, LOCATION, NULL, 206 "Xauth reply while Xauth state is %d\n", xst->status); 207 return -1; 208 } 209 210 type = ntohs(attr->type) & ~ISAKMP_GEN_MASK; 211 switch (type) { 212 case XAUTH_TYPE: 213 switch (ntohs(attr->lorv)) { 214 case XAUTH_TYPE_GENERIC: 215 xst->authtype = XAUTH_TYPE_GENERIC; 216 break; 217 default: 218 plog(LLV_WARNING, LOCATION, NULL, 219 "Unexpected authentication type %d\n", 220 ntohs(type)); 221 return -1; 222 } 223 break; 224 225 case XAUTH_USER_NAME: 226 outlet = &xst->authdata.generic.usr; 227 break; 228 229 case XAUTH_USER_PASSWORD: 230 outlet = &xst->authdata.generic.pwd; 231 break; 232 233 default: 234 plog(LLV_WARNING, LOCATION, NULL, 235 "ignored Xauth attribute %d\n", type); 236 break; 237 } 238 239 if (outlet != NULL) { 240 alen = ntohs(attr->lorv); 241 242 if ((*outlet = racoon_malloc(alen + 1)) == NULL) { 243 plog(LLV_ERROR, LOCATION, NULL, 244 "Cannot allocate memory for Xauth Data\n"); 245 return -1; 246 } 247 248 memcpy(*outlet, attr + 1, alen); 249 (*outlet)[alen] = '\0'; 250 outlet = NULL; 251 } 252 253 254 if ((xst->authdata.generic.usr != NULL) && 255 (xst->authdata.generic.pwd != NULL)) { 256 int port; 257 int res; 258 char *usr = xst->authdata.generic.usr; 259 char *pwd = xst->authdata.generic.pwd; 260 time_t throttle_delay = 0; 261 262 #if 0 /* Real debug, don't do that at home */ 263 plog(LLV_DEBUG, LOCATION, NULL, 264 "Got username \"%s\", password \"%s\"\n", usr, pwd); 265 #endif 266 strncpy(iph1->mode_cfg->login, usr, LOGINLEN); 267 iph1->mode_cfg->login[LOGINLEN] = '\0'; 268 269 res = -1; 270 if ((port = isakmp_cfg_getport(iph1)) == -1) { 271 plog(LLV_ERROR, LOCATION, NULL, 272 "Port pool depleted\n"); 273 goto skip_auth; 274 } 275 276 switch (isakmp_cfg_config.authsource) { 277 case ISAKMP_CFG_AUTH_SYSTEM: 278 res = privsep_xauth_login_system(usr, pwd); 279 break; 280 #ifdef HAVE_LIBRADIUS 281 case ISAKMP_CFG_AUTH_RADIUS: 282 res = xauth_login_radius(iph1, usr, pwd); 283 break; 284 #endif 285 #ifdef HAVE_LIBPAM 286 case ISAKMP_CFG_AUTH_PAM: 287 res = privsep_xauth_login_pam(iph1->mode_cfg->port, 288 iph1->remote, usr, pwd); 289 break; 290 #endif 291 #ifdef HAVE_LIBLDAP 292 case ISAKMP_CFG_AUTH_LDAP: 293 res = xauth_login_ldap(iph1, usr, pwd); 294 break; 295 #endif 296 default: 297 plog(LLV_ERROR, LOCATION, NULL, 298 "Unexpected authentication source\n"); 299 res = -1; 300 break; 301 } 302 303 /* 304 * Optional group authentication 305 */ 306 if (!res && (isakmp_cfg_config.groupcount)) 307 res = group_check(iph1, 308 isakmp_cfg_config.grouplist, 309 isakmp_cfg_config.groupcount); 310 311 /* 312 * On failure, throttle the connexion for the remote host 313 * in order to make password attacks more difficult. 314 */ 315 throttle_delay = throttle_host(iph1->remote, res); 316 if (throttle_delay > 0) { 317 char *str; 318 319 str = saddrwop2str(iph1->remote); 320 321 plog(LLV_ERROR, LOCATION, NULL, 322 "Throttling in action for %s: delay %lds\n", 323 str, (unsigned long)throttle_delay); 324 res = -1; 325 } else { 326 throttle_delay = 0; 327 } 328 329 skip_auth: 330 if (throttle_delay != 0) { 331 struct xauth_reply_arg *xra; 332 333 if ((xra = racoon_calloc(1, sizeof(*xra))) == NULL) { 334 plog(LLV_ERROR, LOCATION, NULL, 335 "malloc failed, bypass throttling\n"); 336 return xauth_reply(iph1, port, id, res); 337 } 338 339 /* 340 * We need to store the ph1, but it might have 341 * disapeared when xauth_reply is called, so 342 * store the index instead. 343 */ 344 xra->index = iph1->index; 345 xra->port = port; 346 xra->id = id; 347 xra->res = res; 348 sched_schedule(&xra->sc, throttle_delay, 349 xauth_reply_stub); 350 } else { 351 return xauth_reply(iph1, port, id, res); 352 } 353 } 354 355 return 0; 356 } 357 358 void 359 xauth_reply_stub(sc) 360 struct sched *sc; 361 { 362 struct xauth_reply_arg *xra = container_of(sc, struct xauth_reply_arg, sc); 363 struct ph1handle *iph1; 364 365 if ((iph1 = getph1byindex(&xra->index)) != NULL) 366 (void)xauth_reply(iph1, xra->port, xra->id, xra->res); 367 else 368 plog(LLV_ERROR, LOCATION, NULL, 369 "Delayed Xauth reply: phase 1 no longer exists.\n"); 370 371 racoon_free(xra); 372 } 373 374 int 375 xauth_reply(struct ph1handle *iph1, int port, int id, int res) 376 { 377 struct xauth_state *xst = &iph1->mode_cfg->xauth; 378 char *usr = xst->authdata.generic.usr; 379 380 if (res != 0) { 381 if (port != -1) 382 isakmp_cfg_putport(iph1, port); 383 384 plog(LLV_INFO, LOCATION, NULL, 385 "login failed for user \"%s\"\n", usr); 386 387 xauth_sendstatus(iph1, XAUTH_STATUS_FAIL, id); 388 xst->status = XAUTHST_NOTYET; 389 390 /* Delete Phase 1 SA */ 391 if (iph1->status >= PHASE1ST_ESTABLISHED) 392 isakmp_info_send_d1(iph1); 393 remph1(iph1); 394 delph1(iph1); 395 396 return -1; 397 } 398 399 xst->status = XAUTHST_OK; 400 plog(LLV_INFO, LOCATION, NULL, 401 "login succeeded for user \"%s\"\n", usr); 402 403 xauth_sendstatus(iph1, XAUTH_STATUS_OK, id); 404 405 return 0; 406 } 407 408 void 409 xauth_sendstatus(iph1, status, id) 410 struct ph1handle *iph1; 411 int status; 412 int id; 413 { 414 vchar_t *buffer; 415 struct isakmp_pl_attr *attr; 416 struct isakmp_data *stattr; 417 size_t tlen; 418 419 tlen = sizeof(*attr) + 420 + sizeof(*stattr); 421 422 if ((buffer = vmalloc(tlen)) == NULL) { 423 plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate buffer\n"); 424 return; 425 } 426 427 attr = (struct isakmp_pl_attr *)buffer->v; 428 memset(attr, 0, tlen); 429 430 attr->h.len = htons(tlen); 431 attr->type = ISAKMP_CFG_SET; 432 attr->id = htons(id); 433 434 stattr = (struct isakmp_data *)(attr + 1); 435 stattr->type = htons(XAUTH_STATUS | ISAKMP_GEN_TV); 436 stattr->lorv = htons(status); 437 438 isakmp_cfg_send(iph1, buffer, 439 ISAKMP_NPTYPE_ATTR, ISAKMP_FLAG_E, 1); 440 441 vfree(buffer); 442 443 return; 444 } 445 446 #ifdef HAVE_LIBRADIUS 447 int 448 xauth_radius_init_conf(int free) 449 { 450 /* free radius config resources */ 451 if (free) { 452 int i; 453 for (i = 0; i < xauth_rad_config.auth_server_count; i++) { 454 vfree(xauth_rad_config.auth_server_list[i].host); 455 vfree(xauth_rad_config.auth_server_list[i].secret); 456 } 457 for (i = 0; i < xauth_rad_config.acct_server_count; i++) { 458 vfree(xauth_rad_config.acct_server_list[i].host); 459 vfree(xauth_rad_config.acct_server_list[i].secret); 460 } 461 if (radius_auth_state != NULL) { 462 rad_close(radius_auth_state); 463 radius_auth_state = NULL; 464 } 465 if (radius_acct_state != NULL) { 466 rad_close(radius_acct_state); 467 radius_acct_state = NULL; 468 } 469 } 470 471 /* initialize radius config */ 472 memset(&xauth_rad_config, 0, sizeof(xauth_rad_config)); 473 return 0; 474 } 475 476 int 477 xauth_radius_init(void) 478 { 479 /* For first time use, initialize Radius */ 480 if ((isakmp_cfg_config.authsource == ISAKMP_CFG_AUTH_RADIUS) && 481 (radius_auth_state == NULL)) { 482 if ((radius_auth_state = rad_auth_open()) == NULL) { 483 plog(LLV_ERROR, LOCATION, NULL, 484 "Cannot init libradius\n"); 485 return -1; 486 } 487 488 int auth_count = xauth_rad_config.auth_server_count; 489 int auth_added = 0; 490 if (auth_count) { 491 int i; 492 for (i = 0; i < auth_count; i++) { 493 if(!rad_add_server( 494 radius_auth_state, 495 xauth_rad_config.auth_server_list[i].host->v, 496 xauth_rad_config.auth_server_list[i].port, 497 xauth_rad_config.auth_server_list[i].secret->v, 498 xauth_rad_config.timeout, 499 xauth_rad_config.retries )) 500 auth_added++; 501 else 502 plog(LLV_WARNING, LOCATION, NULL, 503 "could not add radius auth server %s\n", 504 xauth_rad_config.auth_server_list[i].host->v); 505 } 506 } 507 508 if (!auth_added) { 509 if (rad_config(radius_auth_state, NULL) != 0) { 510 plog(LLV_ERROR, LOCATION, NULL, 511 "Cannot open libradius config file: %s\n", 512 rad_strerror(radius_auth_state)); 513 rad_close(radius_auth_state); 514 radius_auth_state = NULL; 515 return -1; 516 } 517 } 518 } 519 520 if ((isakmp_cfg_config.accounting == ISAKMP_CFG_ACCT_RADIUS) && 521 (radius_acct_state == NULL)) { 522 if ((radius_acct_state = rad_acct_open()) == NULL) { 523 plog(LLV_ERROR, LOCATION, NULL, 524 "Cannot init libradius\n"); 525 return -1; 526 } 527 528 int acct_count = xauth_rad_config.acct_server_count; 529 int acct_added = 0; 530 if (acct_count) { 531 int i; 532 for (i = 0; i < acct_count; i++) { 533 if(!rad_add_server( 534 radius_acct_state, 535 xauth_rad_config.acct_server_list[i].host->v, 536 xauth_rad_config.acct_server_list[i].port, 537 xauth_rad_config.acct_server_list[i].secret->v, 538 xauth_rad_config.timeout, 539 xauth_rad_config.retries )) 540 acct_added++; 541 else 542 plog(LLV_WARNING, LOCATION, NULL, 543 "could not add radius account server %s\n", 544 xauth_rad_config.acct_server_list[i].host->v); 545 } 546 } 547 548 if (!acct_added) { 549 if (rad_config(radius_acct_state, NULL) != 0) { 550 plog(LLV_ERROR, LOCATION, NULL, 551 "Cannot open libradius config file: %s\n", 552 rad_strerror(radius_acct_state)); 553 rad_close(radius_acct_state); 554 radius_acct_state = NULL; 555 return -1; 556 } 557 } 558 } 559 560 return 0; 561 } 562 563 int 564 xauth_login_radius(iph1, usr, pwd) 565 struct ph1handle *iph1; 566 char *usr; 567 char *pwd; 568 { 569 int res; 570 const void *data; 571 size_t len; 572 int type; 573 574 if (rad_create_request(radius_auth_state, RAD_ACCESS_REQUEST) != 0) { 575 plog(LLV_ERROR, LOCATION, NULL, 576 "rad_create_request failed: %s\n", 577 rad_strerror(radius_auth_state)); 578 return -1; 579 } 580 581 if (rad_put_string(radius_auth_state, RAD_USER_NAME, usr) != 0) { 582 plog(LLV_ERROR, LOCATION, NULL, 583 "rad_put_string failed: %s\n", 584 rad_strerror(radius_auth_state)); 585 return -1; 586 } 587 588 if (rad_put_string(radius_auth_state, RAD_USER_PASSWORD, pwd) != 0) { 589 plog(LLV_ERROR, LOCATION, NULL, 590 "rad_put_string failed: %s\n", 591 rad_strerror(radius_auth_state)); 592 return -1; 593 } 594 595 if (rad_put_string(radius_auth_state, RAD_CALLING_STATION_ID, 596 saddr2str(iph1->remote)) != 0) 597 return -1; 598 599 if (isakmp_cfg_radius_common(radius_auth_state, iph1->mode_cfg->port) != 0) 600 return -1; 601 602 switch (res = rad_send_request(radius_auth_state)) { 603 case RAD_ACCESS_ACCEPT: 604 while ((type = rad_get_attr(radius_auth_state, &data, &len)) != 0) { 605 switch (type) { 606 case RAD_FRAMED_IP_ADDRESS: 607 iph1->mode_cfg->addr4 = rad_cvt_addr(data); 608 iph1->mode_cfg->flags 609 |= ISAKMP_CFG_ADDR4_EXTERN; 610 break; 611 612 case RAD_FRAMED_IP_NETMASK: 613 iph1->mode_cfg->mask4 = rad_cvt_addr(data); 614 iph1->mode_cfg->flags 615 |= ISAKMP_CFG_MASK4_EXTERN; 616 break; 617 618 default: 619 plog(LLV_INFO, LOCATION, NULL, 620 "Unexpected attribute: %d\n", type); 621 break; 622 } 623 } 624 625 return 0; 626 break; 627 628 case RAD_ACCESS_REJECT: 629 return -1; 630 break; 631 632 case -1: 633 plog(LLV_ERROR, LOCATION, NULL, 634 "rad_send_request failed: %s\n", 635 rad_strerror(radius_auth_state)); 636 return -1; 637 break; 638 default: 639 plog(LLV_ERROR, LOCATION, NULL, 640 "rad_send_request returned %d\n", res); 641 return -1; 642 break; 643 } 644 645 return -1; 646 } 647 #endif 648 649 #ifdef HAVE_LIBPAM 650 static int 651 PAM_conv(msg_count, msg, rsp, dontcare) 652 int msg_count; 653 const struct pam_message **msg; 654 struct pam_response **rsp; 655 void *dontcare; 656 { 657 int i; 658 struct pam_response *reply = NULL; 659 660 if ((reply = racoon_malloc(sizeof(*reply) * msg_count)) == NULL) 661 return PAM_CONV_ERR; 662 bzero(reply, sizeof(*reply) * msg_count); 663 664 for (i = 0; i < msg_count; i++) { 665 switch (msg[i]->msg_style) { 666 case PAM_PROMPT_ECHO_ON: 667 /* Send the username, libpam frees resp */ 668 reply[i].resp_retcode = PAM_SUCCESS; 669 if ((reply[i].resp = strdup(PAM_usr)) == NULL) { 670 plog(LLV_ERROR, LOCATION, 671 NULL, "strdup failed\n"); 672 exit(1); 673 } 674 break; 675 676 case PAM_PROMPT_ECHO_OFF: 677 /* Send the password, libpam frees resp */ 678 reply[i].resp_retcode = PAM_SUCCESS; 679 if ((reply[i].resp = strdup(PAM_pwd)) == NULL) { 680 plog(LLV_ERROR, LOCATION, 681 NULL, "strdup failed\n"); 682 exit(1); 683 } 684 break; 685 686 case PAM_TEXT_INFO: 687 case PAM_ERROR_MSG: 688 reply[i].resp_retcode = PAM_SUCCESS; 689 reply[i].resp = NULL; 690 break; 691 692 default: 693 if (reply != NULL) 694 racoon_free(reply); 695 return PAM_CONV_ERR; 696 break; 697 } 698 } 699 700 if (reply != NULL) 701 *rsp = reply; 702 703 return PAM_SUCCESS; 704 } 705 706 int 707 xauth_login_pam(port, raddr, usr, pwd) 708 int port; 709 struct sockaddr *raddr; 710 char *usr; 711 char *pwd; 712 { 713 int error; 714 char *remote = NULL; 715 pam_handle_t *pam = NULL; 716 717 if (isakmp_cfg_config.port_pool == NULL) { 718 plog(LLV_ERROR, LOCATION, NULL, 719 "isakmp_cfg_config.port_pool == NULL\n"); 720 return -1; 721 } 722 723 if ((error = pam_start("racoon", usr, 724 &PAM_chat, &isakmp_cfg_config.port_pool[port].pam)) != 0) { 725 if (isakmp_cfg_config.port_pool[port].pam == NULL) { 726 plog(LLV_ERROR, LOCATION, NULL, "pam_start failed\n"); 727 return -1; 728 } else { 729 plog(LLV_ERROR, LOCATION, NULL, 730 "pam_start failed: %s\n", 731 pam_strerror(isakmp_cfg_config.port_pool[port].pam, 732 error)); 733 goto out; 734 } 735 } 736 pam = isakmp_cfg_config.port_pool[port].pam; 737 738 if ((remote = strdup(saddrwop2str(raddr))) == NULL) { 739 plog(LLV_ERROR, LOCATION, NULL, 740 "cannot allocate memory: %s\n", strerror(errno)); 741 goto out; 742 } 743 744 if ((error = pam_set_item(pam, PAM_RHOST, remote)) != 0) { 745 plog(LLV_ERROR, LOCATION, NULL, 746 "pam_set_item failed: %s\n", 747 pam_strerror(pam, error)); 748 goto out; 749 } 750 751 if ((error = pam_set_item(pam, PAM_RUSER, usr)) != 0) { 752 plog(LLV_ERROR, LOCATION, NULL, 753 "pam_set_item failed: %s\n", 754 pam_strerror(pam, error)); 755 goto out; 756 } 757 758 PAM_usr = usr; 759 PAM_pwd = pwd; 760 error = pam_authenticate(pam, 0); 761 PAM_usr = NULL; 762 PAM_pwd = NULL; 763 if (error != 0) { 764 plog(LLV_ERROR, LOCATION, NULL, 765 "pam_authenticate failed: %s\n", 766 pam_strerror(pam, error)); 767 goto out; 768 } 769 770 if ((error = pam_acct_mgmt(pam, 0)) != 0) { 771 plog(LLV_ERROR, LOCATION, NULL, 772 "pam_acct_mgmt failed: %s\n", 773 pam_strerror(pam, error)); 774 goto out; 775 } 776 777 if ((error = pam_setcred(pam, 0)) != 0) { 778 plog(LLV_ERROR, LOCATION, NULL, 779 "pam_setcred failed: %s\n", 780 pam_strerror(pam, error)); 781 goto out; 782 } 783 784 if (remote != NULL) 785 free(remote); 786 787 return 0; 788 789 out: 790 pam_end(pam, error); 791 isakmp_cfg_config.port_pool[port].pam = NULL; 792 if (remote != NULL) 793 free(remote); 794 return -1; 795 } 796 #endif 797 798 #ifdef HAVE_LIBLDAP 799 int 800 xauth_ldap_init_conf(void) 801 { 802 int tmplen; 803 int error = -1; 804 805 xauth_ldap_config.pver = 3; 806 xauth_ldap_config.debug = 0; 807 xauth_ldap_config.timeout = -1; 808 xauth_ldap_config.uri = NULL; 809 xauth_ldap_config.host = NULL; 810 xauth_ldap_config.port = LDAP_PORT; 811 xauth_ldap_config.tls = 0; 812 xauth_ldap_config.base = NULL; 813 xauth_ldap_config.subtree = 0; 814 xauth_ldap_config.bind_dn = NULL; 815 xauth_ldap_config.bind_pw = NULL; 816 xauth_ldap_config.auth_type = LDAP_AUTH_SIMPLE; 817 xauth_ldap_config.attr_user = NULL; 818 xauth_ldap_config.attr_addr = NULL; 819 xauth_ldap_config.attr_mask = NULL; 820 xauth_ldap_config.attr_group = NULL; 821 xauth_ldap_config.attr_member = NULL; 822 823 /* set default host */ 824 tmplen = strlen(LDAP_DFLT_HOST); 825 xauth_ldap_config.host = vmalloc(tmplen); 826 if (xauth_ldap_config.host == NULL) 827 goto out; 828 memcpy(xauth_ldap_config.host->v, LDAP_DFLT_HOST, tmplen); 829 830 /* set default user naming attribute */ 831 tmplen = strlen(LDAP_DFLT_USER); 832 xauth_ldap_config.attr_user = vmalloc(tmplen); 833 if (xauth_ldap_config.attr_user == NULL) 834 goto out; 835 memcpy(xauth_ldap_config.attr_user->v, LDAP_DFLT_USER, tmplen); 836 837 /* set default address attribute */ 838 tmplen = strlen(LDAP_DFLT_ADDR); 839 xauth_ldap_config.attr_addr = vmalloc(tmplen); 840 if (xauth_ldap_config.attr_addr == NULL) 841 goto out; 842 memcpy(xauth_ldap_config.attr_addr->v, LDAP_DFLT_ADDR, tmplen); 843 844 /* set default netmask attribute */ 845 tmplen = strlen(LDAP_DFLT_MASK); 846 xauth_ldap_config.attr_mask = vmalloc(tmplen); 847 if (xauth_ldap_config.attr_mask == NULL) 848 goto out; 849 memcpy(xauth_ldap_config.attr_mask->v, LDAP_DFLT_MASK, tmplen); 850 851 /* set default group naming attribute */ 852 tmplen = strlen(LDAP_DFLT_GROUP); 853 xauth_ldap_config.attr_group = vmalloc(tmplen); 854 if (xauth_ldap_config.attr_group == NULL) 855 goto out; 856 memcpy(xauth_ldap_config.attr_group->v, LDAP_DFLT_GROUP, tmplen); 857 858 /* set default member attribute */ 859 tmplen = strlen(LDAP_DFLT_MEMBER); 860 xauth_ldap_config.attr_member = vmalloc(tmplen); 861 if (xauth_ldap_config.attr_member == NULL) 862 goto out; 863 memcpy(xauth_ldap_config.attr_member->v, LDAP_DFLT_MEMBER, tmplen); 864 865 error = 0; 866 out: 867 if (error != 0) 868 plog(LLV_ERROR, LOCATION, NULL, "cannot allocate memory\n"); 869 870 return error; 871 } 872 873 int 874 xauth_login_ldap(iph1, usr, pwd) 875 struct ph1handle *iph1; 876 char *usr; 877 char *pwd; 878 { 879 int rtn = -1; 880 int res = -1; 881 LDAP *ld = NULL; 882 LDAPMessage *lr = NULL; 883 LDAPMessage *le = NULL; 884 struct berval cred; 885 struct berval **bv = NULL; 886 struct timeval timeout; 887 char *init = NULL; 888 char *filter = NULL; 889 char *atlist[3]; 890 char *basedn = NULL; 891 char *userdn = NULL; 892 int tmplen = 0; 893 int ecount = 0; 894 int scope = LDAP_SCOPE_ONE; 895 896 atlist[0] = NULL; 897 atlist[1] = NULL; 898 atlist[2] = NULL; 899 900 if (xauth_ldap_config.uri != NULL) { 901 tmplen = strlen(xauth_ldap_config.uri->v); 902 init = racoon_malloc(tmplen); 903 if (init == NULL) { 904 plog(LLV_ERROR, LOCATION, NULL, 905 "unable to alloc ldap init url\n"); 906 goto ldap_end; 907 } 908 sprintf(init,"%s", xauth_ldap_config.uri->v); 909 } else { 910 /* build our initialization url */ 911 tmplen = strlen("ldap://:") + 17; 912 tmplen += strlen(xauth_ldap_config.host->v); 913 init = racoon_malloc(tmplen); 914 if (init == NULL) { 915 plog(LLV_ERROR, LOCATION, NULL, 916 "unable to alloc ldap init url\n"); 917 goto ldap_end; 918 } 919 sprintf(init,"ldap://%s:%d", 920 xauth_ldap_config.host->v, 921 xauth_ldap_config.port ); 922 } 923 /* initialize the debug level */ 924 ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, &xauth_ldap_config.debug); 925 ber_set_option(NULL, LBER_OPT_DEBUG_LEVEL, &xauth_ldap_config.debug); 926 927 plog(LLV_DEBUG, LOCATION, NULL, "ldap URI: %s\n", init); 928 /* initialize the ldap handle */ 929 res = ldap_initialize(&ld, init); 930 if (res != LDAP_SUCCESS) { 931 plog(LLV_ERROR, LOCATION, NULL, 932 "ldap_initialize failed: %s\n", 933 ldap_err2string(res)); 934 goto ldap_end; 935 } 936 937 /* initialize the protocol version */ 938 if ((res = ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, 939 &xauth_ldap_config.pver)) != LDAP_OPT_SUCCESS) { 940 plog(LLV_ERROR, LOCATION, NULL, 941 "LDAP_OPT_PROTOCOL_VERSION %d failed: %s\n", 942 xauth_ldap_config.pver, 943 ldap_err2string(res)); 944 goto ldap_end; 945 } 946 947 if (xauth_ldap_config.timeout > 0) { 948 static struct timeval timeout; 949 timeout.tv_sec = xauth_ldap_config.timeout; 950 timeout.tv_usec = 0; 951 if ((res = ldap_set_option(ld, LDAP_OPT_NETWORK_TIMEOUT, 952 (void *)&timeout)) != LDAP_OPT_SUCCESS) { 953 plog(LLV_ERROR, LOCATION, NULL, 954 "LDAP_OPT_NETWORK_TIMEOUT %d failed: %s\n", 955 xauth_ldap_config.timeout, 956 ldap_err2string(res)); 957 goto ldap_end; 958 } 959 } 960 961 /* Enable TLS */ 962 if (xauth_ldap_config.tls) { 963 res = ldap_start_tls_s(ld, NULL, NULL); 964 if (res != LDAP_SUCCESS) { 965 plog(LLV_ERROR, LOCATION, NULL, 966 "ldap_start_tls_s failed: %s\n", 967 ldap_err2string(res)); 968 goto ldap_end; 969 } 970 } 971 972 /* 973 * attempt to bind to the ldap server. 974 * default to anonymous bind unless a 975 * user dn and password has been 976 * specified in our configuration 977 */ 978 if ((xauth_ldap_config.bind_dn != NULL)&& 979 (xauth_ldap_config.bind_pw != NULL)) 980 { 981 cred.bv_val = xauth_ldap_config.bind_pw->v; 982 cred.bv_len = strlen( cred.bv_val ); 983 res = ldap_sasl_bind_s(ld, 984 xauth_ldap_config.bind_dn->v, LDAP_SASL_SIMPLE, &cred, 985 NULL, NULL, NULL); 986 } 987 else 988 { 989 cred.bv_val = NULL; 990 cred.bv_len = 0; 991 res = ldap_sasl_bind_s(ld, 992 NULL, LDAP_SASL_SIMPLE, &cred, 993 NULL, NULL, NULL); 994 } 995 996 if (res!=LDAP_SUCCESS) { 997 plog(LLV_ERROR, LOCATION, NULL, 998 "ldap_sasl_bind_s (search) failed: %s\n", 999 ldap_err2string(res)); 1000 goto ldap_end; 1001 } 1002 1003 /* build an ldap user search filter */ 1004 tmplen = strlen(xauth_ldap_config.attr_user->v); 1005 tmplen += 1; 1006 tmplen += strlen(usr); 1007 tmplen += 1; 1008 filter = racoon_malloc(tmplen); 1009 if (filter == NULL) { 1010 plog(LLV_ERROR, LOCATION, NULL, 1011 "unable to alloc ldap search filter buffer\n"); 1012 goto ldap_end; 1013 } 1014 sprintf(filter, "%s=%s", 1015 xauth_ldap_config.attr_user->v, usr); 1016 1017 /* build our return attribute list */ 1018 tmplen = strlen(xauth_ldap_config.attr_addr->v) + 1; 1019 atlist[0] = racoon_malloc(tmplen); 1020 tmplen = strlen(xauth_ldap_config.attr_mask->v) + 1; 1021 atlist[1] = racoon_malloc(tmplen); 1022 if ((atlist[0] == NULL)||(atlist[1] == NULL)) { 1023 plog(LLV_ERROR, LOCATION, NULL, 1024 "unable to alloc ldap attrib list buffer\n"); 1025 goto ldap_end; 1026 } 1027 strcpy(atlist[0],xauth_ldap_config.attr_addr->v); 1028 strcpy(atlist[1],xauth_ldap_config.attr_mask->v); 1029 1030 /* attempt to locate the user dn */ 1031 if (xauth_ldap_config.base != NULL) 1032 basedn = xauth_ldap_config.base->v; 1033 if (xauth_ldap_config.subtree) 1034 scope = LDAP_SCOPE_SUBTREE; 1035 timeout.tv_sec = 15; 1036 timeout.tv_usec = 0; 1037 res = ldap_search_ext_s(ld, basedn, scope, 1038 filter, atlist, 0, NULL, NULL, 1039 &timeout, 2, &lr); 1040 if (res != LDAP_SUCCESS) { 1041 plog(LLV_ERROR, LOCATION, NULL, 1042 "ldap_search_ext_s failed: %s\n", 1043 ldap_err2string(res)); 1044 goto ldap_end; 1045 } 1046 1047 /* check the number of ldap entries returned */ 1048 ecount = ldap_count_entries(ld, lr); 1049 if (ecount < 1) { 1050 plog(LLV_WARNING, LOCATION, NULL, 1051 "no ldap results for filter \'%s\'\n", 1052 filter); 1053 goto ldap_end; 1054 } 1055 if (ecount > 1) { 1056 plog(LLV_WARNING, LOCATION, NULL, 1057 "multiple (%i) ldap results for filter \'%s\'\n", 1058 ecount, filter); 1059 } 1060 1061 /* obtain the dn from the first result */ 1062 le = ldap_first_entry(ld, lr); 1063 if (le == NULL) { 1064 plog(LLV_ERROR, LOCATION, NULL, 1065 "ldap_first_entry failed: invalid entry returned\n"); 1066 goto ldap_end; 1067 } 1068 userdn = ldap_get_dn(ld, le); 1069 if (userdn == NULL) { 1070 plog(LLV_ERROR, LOCATION, NULL, 1071 "ldap_get_dn failed: invalid string returned\n"); 1072 goto ldap_end; 1073 } 1074 1075 /* cache the user dn in the xauth state */ 1076 iph1->mode_cfg->xauth.udn = racoon_malloc(strlen(userdn)+1); 1077 strcpy(iph1->mode_cfg->xauth.udn,userdn); 1078 1079 /* retrieve modecfg address */ 1080 bv = ldap_get_values_len(ld, le, xauth_ldap_config.attr_addr->v); 1081 if (bv != NULL) { 1082 char tmpaddr[16]; 1083 /* sanity check for address value */ 1084 if ((bv[0]->bv_len < 7)||(bv[0]->bv_len > 15)) { 1085 plog(LLV_DEBUG, LOCATION, NULL, 1086 "ldap returned invalid modecfg address\n"); 1087 ldap_value_free_len(bv); 1088 goto ldap_end; 1089 } 1090 memcpy(tmpaddr,bv[0]->bv_val,bv[0]->bv_len); 1091 tmpaddr[bv[0]->bv_len]=0; 1092 iph1->mode_cfg->addr4.s_addr = inet_addr(tmpaddr); 1093 iph1->mode_cfg->flags |= ISAKMP_CFG_ADDR4_EXTERN; 1094 plog(LLV_INFO, LOCATION, NULL, 1095 "ldap returned modecfg address %s\n", tmpaddr); 1096 ldap_value_free_len(bv); 1097 } 1098 1099 /* retrieve modecfg netmask */ 1100 bv = ldap_get_values_len(ld, le, xauth_ldap_config.attr_mask->v); 1101 if (bv != NULL) { 1102 char tmpmask[16]; 1103 /* sanity check for netmask value */ 1104 if ((bv[0]->bv_len < 7)||(bv[0]->bv_len > 15)) { 1105 plog(LLV_DEBUG, LOCATION, NULL, 1106 "ldap returned invalid modecfg netmask\n"); 1107 ldap_value_free_len(bv); 1108 goto ldap_end; 1109 } 1110 memcpy(tmpmask,bv[0]->bv_val,bv[0]->bv_len); 1111 tmpmask[bv[0]->bv_len]=0; 1112 iph1->mode_cfg->mask4.s_addr = inet_addr(tmpmask); 1113 iph1->mode_cfg->flags |= ISAKMP_CFG_MASK4_EXTERN; 1114 plog(LLV_INFO, LOCATION, NULL, 1115 "ldap returned modecfg netmask %s\n", tmpmask); 1116 ldap_value_free_len(bv); 1117 } 1118 1119 /* 1120 * finally, use the dn and the xauth 1121 * password to check the users given 1122 * credentials by attempting to bind 1123 * to the ldap server 1124 */ 1125 plog(LLV_INFO, LOCATION, NULL, 1126 "attempting ldap bind for dn \'%s\'\n", userdn); 1127 cred.bv_val = pwd; 1128 cred.bv_len = strlen( cred.bv_val ); 1129 res = ldap_sasl_bind_s(ld, 1130 userdn, NULL, &cred, 1131 NULL, NULL, NULL); 1132 if(res==LDAP_SUCCESS) 1133 rtn = 0; 1134 1135 ldap_end: 1136 1137 /* free ldap resources */ 1138 if (userdn != NULL) 1139 ldap_memfree(userdn); 1140 if (atlist[0] != NULL) 1141 racoon_free(atlist[0]); 1142 if (atlist[1] != NULL) 1143 racoon_free(atlist[1]); 1144 if (filter != NULL) 1145 racoon_free(filter); 1146 if (lr != NULL) 1147 ldap_msgfree(lr); 1148 if (init != NULL) 1149 racoon_free(init); 1150 1151 ldap_unbind_ext_s(ld, NULL, NULL); 1152 1153 return rtn; 1154 } 1155 1156 int 1157 xauth_group_ldap(udn, grp) 1158 char * udn; 1159 char * grp; 1160 { 1161 int rtn = -1; 1162 int res = -1; 1163 LDAP *ld = NULL; 1164 LDAPMessage *lr = NULL; 1165 LDAPMessage *le = NULL; 1166 struct berval cred; 1167 struct timeval timeout; 1168 char *init = NULL; 1169 char *filter = NULL; 1170 char *basedn = NULL; 1171 char *groupdn = NULL; 1172 int tmplen = 0; 1173 int ecount = 0; 1174 int scope = LDAP_SCOPE_ONE; 1175 1176 /* build our initialization url */ 1177 tmplen = strlen("ldap://:") + 17; 1178 tmplen += strlen(xauth_ldap_config.host->v); 1179 init = racoon_malloc(tmplen); 1180 if (init == NULL) { 1181 plog(LLV_ERROR, LOCATION, NULL, 1182 "unable to alloc ldap init url\n"); 1183 goto ldap_group_end; 1184 } 1185 sprintf(init,"ldap://%s:%d", 1186 xauth_ldap_config.host->v, 1187 xauth_ldap_config.port ); 1188 1189 /* initialize the ldap handle */ 1190 res = ldap_initialize(&ld, init); 1191 if (res != LDAP_SUCCESS) { 1192 plog(LLV_ERROR, LOCATION, NULL, 1193 "ldap_initialize failed: %s\n", 1194 ldap_err2string(res)); 1195 goto ldap_group_end; 1196 } 1197 1198 /* initialize the protocol version */ 1199 ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, 1200 &xauth_ldap_config.pver); 1201 1202 /* Enable TLS */ 1203 if (xauth_ldap_config.tls) { 1204 res = ldap_start_tls_s(ld, NULL, NULL); 1205 if (res != LDAP_SUCCESS) { 1206 plog(LLV_ERROR, LOCATION, NULL, 1207 "ldap_start_tls_s failed: %s\n", 1208 ldap_err2string(res)); 1209 goto ldap_group_end; 1210 } 1211 } 1212 1213 /* 1214 * attempt to bind to the ldap server. 1215 * default to anonymous bind unless a 1216 * user dn and password has been 1217 * specified in our configuration 1218 */ 1219 if ((xauth_ldap_config.bind_dn != NULL)&& 1220 (xauth_ldap_config.bind_pw != NULL)) 1221 { 1222 cred.bv_val = xauth_ldap_config.bind_pw->v; 1223 cred.bv_len = strlen( cred.bv_val ); 1224 res = ldap_sasl_bind_s(ld, 1225 xauth_ldap_config.bind_dn->v, NULL, &cred, 1226 NULL, NULL, NULL); 1227 } 1228 else 1229 { 1230 res = ldap_sasl_bind_s(ld, 1231 NULL, NULL, NULL, 1232 NULL, NULL, NULL); 1233 } 1234 1235 if (res!=LDAP_SUCCESS) { 1236 plog(LLV_ERROR, LOCATION, NULL, 1237 "ldap_sasl_bind_s (search) failed: %s\n", 1238 ldap_err2string(res)); 1239 goto ldap_group_end; 1240 } 1241 1242 /* build an ldap group search filter */ 1243 tmplen = strlen("(&(=)(=))") + 1; 1244 tmplen += strlen(xauth_ldap_config.attr_group->v); 1245 tmplen += strlen(grp); 1246 tmplen += strlen(xauth_ldap_config.attr_member->v); 1247 tmplen += strlen(udn); 1248 filter = racoon_malloc(tmplen); 1249 if (filter == NULL) { 1250 plog(LLV_ERROR, LOCATION, NULL, 1251 "unable to alloc ldap search filter buffer\n"); 1252 goto ldap_group_end; 1253 } 1254 sprintf(filter, "(&(%s=%s)(%s=%s))", 1255 xauth_ldap_config.attr_group->v, grp, 1256 xauth_ldap_config.attr_member->v, udn); 1257 1258 /* attempt to locate the group dn */ 1259 if (xauth_ldap_config.base != NULL) 1260 basedn = xauth_ldap_config.base->v; 1261 if (xauth_ldap_config.subtree) 1262 scope = LDAP_SCOPE_SUBTREE; 1263 timeout.tv_sec = 15; 1264 timeout.tv_usec = 0; 1265 res = ldap_search_ext_s(ld, basedn, scope, 1266 filter, NULL, 0, NULL, NULL, 1267 &timeout, 2, &lr); 1268 if (res != LDAP_SUCCESS) { 1269 plog(LLV_ERROR, LOCATION, NULL, 1270 "ldap_search_ext_s failed: %s\n", 1271 ldap_err2string(res)); 1272 goto ldap_group_end; 1273 } 1274 1275 /* check the number of ldap entries returned */ 1276 ecount = ldap_count_entries(ld, lr); 1277 if (ecount < 1) { 1278 plog(LLV_WARNING, LOCATION, NULL, 1279 "no ldap results for filter \'%s\'\n", 1280 filter); 1281 goto ldap_group_end; 1282 } 1283 1284 /* success */ 1285 rtn = 0; 1286 1287 /* obtain the dn from the first result */ 1288 le = ldap_first_entry(ld, lr); 1289 if (le == NULL) { 1290 plog(LLV_ERROR, LOCATION, NULL, 1291 "ldap_first_entry failed: invalid entry returned\n"); 1292 goto ldap_group_end; 1293 } 1294 groupdn = ldap_get_dn(ld, le); 1295 if (groupdn == NULL) { 1296 plog(LLV_ERROR, LOCATION, NULL, 1297 "ldap_get_dn failed: invalid string returned\n"); 1298 goto ldap_group_end; 1299 } 1300 1301 plog(LLV_INFO, LOCATION, NULL, 1302 "ldap membership group returned \'%s\'\n", groupdn); 1303 ldap_group_end: 1304 1305 /* free ldap resources */ 1306 if (groupdn != NULL) 1307 ldap_memfree(groupdn); 1308 if (filter != NULL) 1309 racoon_free(filter); 1310 if (lr != NULL) 1311 ldap_msgfree(lr); 1312 if (init != NULL) 1313 racoon_free(init); 1314 1315 ldap_unbind_ext_s(ld, NULL, NULL); 1316 1317 return rtn; 1318 } 1319 1320 #endif 1321 1322 int 1323 xauth_login_system(usr, pwd) 1324 char *usr; 1325 char *pwd; 1326 { 1327 struct passwd *pw; 1328 char *cryptpwd; 1329 char *syscryptpwd; 1330 #ifdef HAVE_SHADOW_H 1331 struct spwd *spw; 1332 1333 if ((spw = getspnam(usr)) == NULL) 1334 return -1; 1335 1336 syscryptpwd = spw->sp_pwdp; 1337 #endif 1338 1339 if ((pw = getpwnam(usr)) == NULL) 1340 return -1; 1341 1342 #ifndef HAVE_SHADOW_H 1343 syscryptpwd = pw->pw_passwd; 1344 #endif 1345 1346 /* No root login. Ever. */ 1347 if (pw->pw_uid == 0) 1348 return -1; 1349 1350 if ((cryptpwd = crypt(pwd, syscryptpwd)) == NULL) 1351 return -1; 1352 1353 if (strcmp(cryptpwd, syscryptpwd) == 0) 1354 return 0; 1355 1356 return -1; 1357 } 1358 1359 static int 1360 xauth_group_system(char *usr, char *grp) 1361 { 1362 struct group * gr; 1363 char * member; 1364 int index = 0; 1365 1366 gr = getgrnam(grp); 1367 if (gr == NULL) { 1368 plog(LLV_ERROR, LOCATION, NULL, 1369 "the system group name \'%s\' is unknown\n", 1370 grp); 1371 return -1; 1372 } 1373 1374 while ((member = gr->gr_mem[index++])!=NULL) { 1375 if (!strcmp(member,usr)) { 1376 plog(LLV_INFO, LOCATION, NULL, 1377 "membership validated\n"); 1378 return 0; 1379 } 1380 } 1381 1382 return -1; 1383 } 1384 1385 int 1386 xauth_check(iph1) 1387 struct ph1handle *iph1; 1388 { 1389 struct xauth_state *xst = &iph1->mode_cfg->xauth; 1390 1391 /* 1392 * Only the server side (edge device) really check for Xauth 1393 * status. It does it if the chose authmethod is using Xauth. 1394 * On the client side (roadwarrior), we don't check anything. 1395 */ 1396 switch (iph1->approval->authmethod) { 1397 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R: 1398 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R: 1399 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R: 1400 /* The following are not yet implemented */ 1401 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R: 1402 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R: 1403 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R: 1404 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R: 1405 if ((iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) == 0) { 1406 plog(LLV_ERROR, LOCATION, NULL, 1407 "Hybrid auth negotiated but peer did not " 1408 "announced as Xauth capable\n"); 1409 return -1; 1410 } 1411 1412 if (xst->status != XAUTHST_OK) { 1413 plog(LLV_ERROR, LOCATION, NULL, 1414 "Hybrid auth negotiated but peer did not " 1415 "succeed Xauth exchange\n"); 1416 return -1; 1417 } 1418 1419 return 0; 1420 break; 1421 default: 1422 return 0; 1423 break; 1424 } 1425 1426 return 0; 1427 } 1428 1429 int 1430 group_check(iph1, grp_list, grp_count) 1431 struct ph1handle *iph1; 1432 char **grp_list; 1433 int grp_count; 1434 { 1435 int res = -1; 1436 int grp_index = 0; 1437 char * usr = NULL; 1438 1439 /* check for presence of modecfg data */ 1440 1441 if(iph1->mode_cfg == NULL) { 1442 plog(LLV_ERROR, LOCATION, NULL, 1443 "xauth group specified but modecfg not found\n"); 1444 return res; 1445 } 1446 1447 /* loop through our group list */ 1448 1449 for(; grp_index < grp_count; grp_index++) { 1450 1451 /* check for presence of xauth data */ 1452 1453 usr = iph1->mode_cfg->xauth.authdata.generic.usr; 1454 1455 if(usr == NULL) { 1456 plog(LLV_ERROR, LOCATION, NULL, 1457 "xauth group specified but xauth not found\n"); 1458 return res; 1459 } 1460 1461 /* call appropriate group validation function */ 1462 1463 switch (isakmp_cfg_config.groupsource) { 1464 1465 case ISAKMP_CFG_GROUP_SYSTEM: 1466 res = xauth_group_system( 1467 usr, 1468 grp_list[grp_index]); 1469 break; 1470 1471 #ifdef HAVE_LIBLDAP 1472 case ISAKMP_CFG_GROUP_LDAP: 1473 res = xauth_group_ldap( 1474 iph1->mode_cfg->xauth.udn, 1475 grp_list[grp_index]); 1476 break; 1477 #endif 1478 1479 default: 1480 /* we should never get here */ 1481 plog(LLV_ERROR, LOCATION, NULL, 1482 "Unknown group auth source\n"); 1483 break; 1484 } 1485 1486 if( !res ) { 1487 plog(LLV_INFO, LOCATION, NULL, 1488 "user \"%s\" is a member of group \"%s\"\n", 1489 usr, 1490 grp_list[grp_index]); 1491 break; 1492 } else { 1493 plog(LLV_INFO, LOCATION, NULL, 1494 "user \"%s\" is not a member of group \"%s\"\n", 1495 usr, 1496 grp_list[grp_index]); 1497 } 1498 } 1499 1500 return res; 1501 } 1502 1503 vchar_t * 1504 isakmp_xauth_req(iph1, attr) 1505 struct ph1handle *iph1; 1506 struct isakmp_data *attr; 1507 { 1508 int type; 1509 size_t dlen = 0; 1510 int ashort = 0; 1511 int value = 0; 1512 vchar_t *buffer = NULL; 1513 char *mraw = NULL, *mdata; 1514 char *data; 1515 vchar_t *usr = NULL; 1516 vchar_t *pwd = NULL; 1517 size_t skip = 0; 1518 int freepwd = 0; 1519 1520 if ((iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) == 0) { 1521 plog(LLV_ERROR, LOCATION, NULL, 1522 "Xauth mode config request but peer " 1523 "did not declare itself as Xauth capable\n"); 1524 return NULL; 1525 } 1526 1527 type = ntohs(attr->type) & ~ISAKMP_GEN_MASK; 1528 1529 /* Sanity checks */ 1530 switch(type) { 1531 case XAUTH_TYPE: 1532 if ((ntohs(attr->type) & ISAKMP_GEN_TV) == 0) { 1533 plog(LLV_ERROR, LOCATION, NULL, 1534 "Unexpected long XAUTH_TYPE attribute\n"); 1535 return NULL; 1536 } 1537 if (ntohs(attr->lorv) != XAUTH_TYPE_GENERIC) { 1538 plog(LLV_ERROR, LOCATION, NULL, 1539 "Unsupported Xauth authentication %d\n", 1540 ntohs(attr->lorv)); 1541 return NULL; 1542 } 1543 ashort = 1; 1544 dlen = 0; 1545 value = XAUTH_TYPE_GENERIC; 1546 break; 1547 1548 case XAUTH_USER_NAME: 1549 if (!iph1->rmconf->xauth || !iph1->rmconf->xauth->login) { 1550 plog(LLV_ERROR, LOCATION, NULL, "Xauth performed " 1551 "with no login supplied\n"); 1552 return NULL; 1553 } 1554 1555 dlen = iph1->rmconf->xauth->login->l - 1; 1556 iph1->rmconf->xauth->state |= XAUTH_SENT_USERNAME; 1557 break; 1558 1559 case XAUTH_USER_PASSWORD: 1560 if (!iph1->rmconf->xauth || !iph1->rmconf->xauth->login) 1561 return NULL; 1562 1563 skip = sizeof(struct ipsecdoi_id_b); 1564 usr = vmalloc(iph1->rmconf->xauth->login->l - 1 + skip); 1565 if (usr == NULL) { 1566 plog(LLV_ERROR, LOCATION, NULL, 1567 "Cannot allocate memory\n"); 1568 return NULL; 1569 } 1570 memset(usr->v, 0, skip); 1571 memcpy(usr->v + skip, 1572 iph1->rmconf->xauth->login->v, 1573 iph1->rmconf->xauth->login->l - 1); 1574 1575 if (iph1->rmconf->xauth->pass) { 1576 /* A key given through racoonctl */ 1577 pwd = iph1->rmconf->xauth->pass; 1578 } else { 1579 if ((pwd = getpskbyname(usr)) == NULL) { 1580 plog(LLV_ERROR, LOCATION, NULL, 1581 "No password was found for login %s\n", 1582 iph1->rmconf->xauth->login->v); 1583 vfree(usr); 1584 return NULL; 1585 } 1586 /* We have to free it before returning */ 1587 freepwd = 1; 1588 } 1589 vfree(usr); 1590 1591 iph1->rmconf->xauth->state |= XAUTH_SENT_PASSWORD; 1592 dlen = pwd->l; 1593 1594 break; 1595 case XAUTH_MESSAGE: 1596 if ((ntohs(attr->type) & ISAKMP_GEN_TV) == 0) { 1597 dlen = ntohs(attr->lorv); 1598 if (dlen > 0) { 1599 mraw = (char*)(attr + 1); 1600 mdata = binsanitize(mraw, dlen); 1601 if (mdata == NULL) { 1602 plog(LLV_ERROR, LOCATION, iph1->remote, 1603 "Cannot allocate memory\n"); 1604 return NULL; 1605 } 1606 plog(LLV_NOTIFY,LOCATION, iph1->remote, 1607 "XAUTH Message: '%s'.\n", 1608 mdata); 1609 racoon_free(mdata); 1610 } 1611 } 1612 return NULL; 1613 default: 1614 plog(LLV_WARNING, LOCATION, NULL, 1615 "Ignored attribute %s\n", s_isakmp_cfg_type(type)); 1616 return NULL; 1617 break; 1618 } 1619 1620 if ((buffer = vmalloc(sizeof(*attr) + dlen)) == NULL) { 1621 plog(LLV_ERROR, LOCATION, NULL, 1622 "Cannot allocate memory\n"); 1623 goto out; 1624 } 1625 1626 attr = (struct isakmp_data *)buffer->v; 1627 if (ashort) { 1628 attr->type = htons(type | ISAKMP_GEN_TV); 1629 attr->lorv = htons(value); 1630 goto out; 1631 } 1632 1633 attr->type = htons(type | ISAKMP_GEN_TLV); 1634 attr->lorv = htons(dlen); 1635 data = (char *)(attr + 1); 1636 1637 switch(type) { 1638 case XAUTH_USER_NAME: 1639 /* 1640 * iph1->rmconf->xauth->login->v is valid, 1641 * we just checked it in the previous switch case 1642 */ 1643 memcpy(data, iph1->rmconf->xauth->login->v, dlen); 1644 break; 1645 case XAUTH_USER_PASSWORD: 1646 memcpy(data, pwd->v, dlen); 1647 break; 1648 default: 1649 break; 1650 } 1651 1652 out: 1653 if (freepwd) 1654 vfree(pwd); 1655 1656 return buffer; 1657 } 1658 1659 vchar_t * 1660 isakmp_xauth_set(iph1, attr) 1661 struct ph1handle *iph1; 1662 struct isakmp_data *attr; 1663 { 1664 int type; 1665 vchar_t *buffer = NULL; 1666 struct xauth_state *xst; 1667 size_t dlen = 0; 1668 char* mraw = NULL, *mdata; 1669 1670 if ((iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) == 0) { 1671 plog(LLV_ERROR, LOCATION, NULL, 1672 "Xauth mode config set but peer " 1673 "did not declare itself as Xauth capable\n"); 1674 return NULL; 1675 } 1676 1677 type = ntohs(attr->type) & ~ISAKMP_GEN_MASK; 1678 1679 switch(type) { 1680 case XAUTH_STATUS: 1681 /* 1682 * We should only receive ISAKMP mode_cfg SET XAUTH_STATUS 1683 * when running as a client (initiator). 1684 */ 1685 xst = &iph1->mode_cfg->xauth; 1686 switch (iph1->approval->authmethod) { 1687 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I: 1688 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_I: 1689 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I: 1690 /* Not implemented ... */ 1691 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I: 1692 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I: 1693 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I: 1694 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I: 1695 break; 1696 default: 1697 plog(LLV_ERROR, LOCATION, NULL, 1698 "Unexpected XAUTH_STATUS_OK\n"); 1699 return NULL; 1700 break; 1701 } 1702 1703 /* If we got a failure, delete iph1 */ 1704 if (ntohs(attr->lorv) != XAUTH_STATUS_OK) { 1705 plog(LLV_ERROR, LOCATION, NULL, 1706 "Xauth authentication failed\n"); 1707 1708 evt_phase1(iph1, EVT_PHASE1_XAUTH_FAILED, NULL); 1709 1710 iph1->mode_cfg->flags |= ISAKMP_CFG_DELETE_PH1; 1711 } else { 1712 evt_phase1(iph1, EVT_PHASE1_XAUTH_SUCCESS, NULL); 1713 } 1714 1715 1716 /* We acknowledge it */ 1717 break; 1718 case XAUTH_MESSAGE: 1719 if ((ntohs(attr->type) & ISAKMP_GEN_TV) == 0) { 1720 dlen = ntohs(attr->lorv); 1721 if (dlen > 0) { 1722 mraw = (char*)(attr + 1); 1723 mdata = binsanitize(mraw, dlen); 1724 if (mdata == NULL) { 1725 plog(LLV_ERROR, LOCATION, iph1->remote, 1726 "Cannot allocate memory\n"); 1727 return NULL; 1728 } 1729 plog(LLV_NOTIFY,LOCATION, iph1->remote, 1730 "XAUTH Message: '%s'.\n", 1731 mdata); 1732 racoon_free(mdata); 1733 } 1734 } 1735 1736 default: 1737 plog(LLV_WARNING, LOCATION, NULL, 1738 "Ignored attribute %s\n", s_isakmp_cfg_type(type)); 1739 return NULL; 1740 break; 1741 } 1742 1743 if ((buffer = vmalloc(sizeof(*attr))) == NULL) { 1744 plog(LLV_ERROR, LOCATION, NULL, 1745 "Cannot allocate memory\n"); 1746 return NULL; 1747 } 1748 1749 attr = (struct isakmp_data *)buffer->v; 1750 attr->type = htons(type | ISAKMP_GEN_TV); 1751 attr->lorv = htons(0); 1752 1753 return buffer; 1754 } 1755 1756 1757 void 1758 xauth_rmstate(xst) 1759 struct xauth_state *xst; 1760 { 1761 switch (xst->authtype) { 1762 case XAUTH_TYPE_GENERIC: 1763 if (xst->authdata.generic.usr) 1764 racoon_free(xst->authdata.generic.usr); 1765 1766 if (xst->authdata.generic.pwd) 1767 racoon_free(xst->authdata.generic.pwd); 1768 1769 break; 1770 1771 case XAUTH_TYPE_CHAP: 1772 case XAUTH_TYPE_OTP: 1773 case XAUTH_TYPE_SKEY: 1774 plog(LLV_WARNING, LOCATION, NULL, 1775 "Unsupported authtype %d\n", xst->authtype); 1776 break; 1777 1778 default: 1779 plog(LLV_WARNING, LOCATION, NULL, 1780 "Unexpected authtype %d\n", xst->authtype); 1781 break; 1782 } 1783 1784 #ifdef HAVE_LIBLDAP 1785 if (xst->udn != NULL) 1786 racoon_free(xst->udn); 1787 #endif 1788 return; 1789 } 1790 1791 int 1792 xauth_rmconf_used(xauth_rmconf) 1793 struct xauth_rmconf **xauth_rmconf; 1794 { 1795 if (*xauth_rmconf == NULL) { 1796 *xauth_rmconf = racoon_malloc(sizeof(**xauth_rmconf)); 1797 if (*xauth_rmconf == NULL) { 1798 plog(LLV_ERROR, LOCATION, NULL, 1799 "xauth_rmconf_used: malloc failed\n"); 1800 return -1; 1801 } 1802 1803 (*xauth_rmconf)->login = NULL; 1804 (*xauth_rmconf)->pass = NULL; 1805 (*xauth_rmconf)->state = 0; 1806 } 1807 1808 return 0; 1809 } 1810 1811 void 1812 xauth_rmconf_delete(xauth_rmconf) 1813 struct xauth_rmconf **xauth_rmconf; 1814 { 1815 if (*xauth_rmconf != NULL) { 1816 if ((*xauth_rmconf)->login != NULL) 1817 vfree((*xauth_rmconf)->login); 1818 if ((*xauth_rmconf)->pass != NULL) 1819 vfree((*xauth_rmconf)->pass); 1820 1821 racoon_free(*xauth_rmconf); 1822 *xauth_rmconf = NULL; 1823 } 1824 1825 return; 1826 } 1827 1828 struct xauth_rmconf * 1829 xauth_rmconf_dup(xauth_rmconf) 1830 struct xauth_rmconf *xauth_rmconf; 1831 { 1832 struct xauth_rmconf *new; 1833 1834 if (xauth_rmconf != NULL) { 1835 new = racoon_malloc(sizeof(*new)); 1836 if (new == NULL) { 1837 plog(LLV_ERROR, LOCATION, NULL, 1838 "%s: malloc failed\n", __func__); 1839 return NULL; 1840 } 1841 1842 memcpy(new, xauth_rmconf, sizeof(*new)); 1843 1844 if (xauth_rmconf->login != NULL) { 1845 new->login = vdup(xauth_rmconf->login); 1846 if (new->login == NULL) { 1847 plog(LLV_ERROR, LOCATION, NULL, 1848 "%s: malloc failed (login)\n", __func__); 1849 goto out; 1850 } 1851 } 1852 if (xauth_rmconf->pass != NULL) { 1853 new->pass = vdup(xauth_rmconf->pass); 1854 if (new->pass == NULL) { 1855 plog(LLV_ERROR, LOCATION, NULL, 1856 "%s: malloc failed (password)\n", __func__); 1857 goto out; 1858 } 1859 } 1860 1861 return new; 1862 } 1863 1864 return NULL; 1865 out: 1866 vfree(new->login); 1867 racoon_free(new); 1868 return NULL; 1869 } 1870