1 /* $NetBSD: isakmp_xauth.c,v 1.25 2013/02/05 06:22:29 tteras Exp $ */ 2 3 /* Id: isakmp_xauth.c,v 1.38 2006/08/22 18:17:17 manubsd Exp */ 4 5 /* 6 * Copyright (C) 2004-2005 Emmanuel Dreyfus 7 * All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 3. Neither the name of the project nor the names of its contributors 18 * may be used to endorse or promote products derived from this software 19 * without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 * SUCH DAMAGE. 32 */ 33 34 #include "config.h" 35 36 #include <sys/types.h> 37 #include <sys/param.h> 38 #include <sys/socket.h> 39 #include <sys/queue.h> 40 41 #include <netinet/in.h> 42 43 #include <assert.h> 44 #include <stdlib.h> 45 #include <stdio.h> 46 #include <string.h> 47 #include <errno.h> 48 #include <pwd.h> 49 #include <grp.h> 50 #if TIME_WITH_SYS_TIME 51 # include <sys/time.h> 52 # include <time.h> 53 #else 54 # if HAVE_SYS_TIME_H 55 # include <sys/time.h> 56 # else 57 # include <time.h> 58 # endif 59 #endif 60 #include <netdb.h> 61 #ifdef HAVE_UNISTD_H 62 #include <unistd.h> 63 #endif 64 #include <ctype.h> 65 #include <resolv.h> 66 67 #ifdef HAVE_SHADOW_H 68 #include <shadow.h> 69 #endif 70 71 #include "var.h" 72 #include "misc.h" 73 #include "vmbuf.h" 74 #include "plog.h" 75 #include "sockmisc.h" 76 #include "schedule.h" 77 #include "debug.h" 78 79 #include "crypto_openssl.h" 80 #include "isakmp_var.h" 81 #include "isakmp.h" 82 #include "admin.h" 83 #include "privsep.h" 84 #include "evt.h" 85 #include "handler.h" 86 #include "throttle.h" 87 #include "remoteconf.h" 88 #include "isakmp_inf.h" 89 #include "isakmp_xauth.h" 90 #include "isakmp_unity.h" 91 #include "isakmp_cfg.h" 92 #include "strnames.h" 93 #include "ipsec_doi.h" 94 #include "remoteconf.h" 95 #include "localconf.h" 96 97 #ifdef HAVE_LIBRADIUS 98 #include <radlib.h> 99 struct rad_handle *radius_auth_state = NULL; 100 struct rad_handle *radius_acct_state = NULL; 101 struct xauth_rad_config xauth_rad_config; 102 #endif 103 104 #ifdef HAVE_LIBPAM 105 #include <security/pam_appl.h> 106 107 static char *PAM_usr = NULL; 108 static char *PAM_pwd = NULL; 109 static int PAM_conv(int, const struct pam_message **, 110 struct pam_response **, void *); 111 static struct pam_conv PAM_chat = { &PAM_conv, NULL }; 112 #endif 113 114 #ifdef HAVE_LIBLDAP 115 #include "ldap.h" 116 #include <arpa/inet.h> 117 struct xauth_ldap_config xauth_ldap_config; 118 #endif 119 120 void 121 xauth_sendreq(iph1) 122 struct ph1handle *iph1; 123 { 124 vchar_t *buffer; 125 struct isakmp_pl_attr *attr; 126 struct isakmp_data *typeattr; 127 struct isakmp_data *usrattr; 128 struct isakmp_data *pwdattr; 129 struct xauth_state *xst = &iph1->mode_cfg->xauth; 130 size_t tlen; 131 132 /* Status checks */ 133 if (iph1->status < PHASE1ST_ESTABLISHED) { 134 plog(LLV_ERROR, LOCATION, NULL, 135 "Xauth request while phase 1 is not completed\n"); 136 return; 137 } 138 139 if (xst->status != XAUTHST_NOTYET) { 140 plog(LLV_ERROR, LOCATION, NULL, 141 "Xauth request whith Xauth state %d\n", xst->status); 142 return; 143 } 144 145 plog(LLV_INFO, LOCATION, NULL, "Sending Xauth request\n"); 146 147 tlen = sizeof(*attr) + 148 + sizeof(*typeattr) + 149 + sizeof(*usrattr) + 150 + sizeof(*pwdattr); 151 152 if ((buffer = vmalloc(tlen)) == NULL) { 153 plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate buffer\n"); 154 return; 155 } 156 157 attr = (struct isakmp_pl_attr *)buffer->v; 158 memset(attr, 0, tlen); 159 160 attr->h.len = htons(tlen); 161 attr->type = ISAKMP_CFG_REQUEST; 162 attr->id = htons(eay_random()); 163 164 typeattr = (struct isakmp_data *)(attr + 1); 165 typeattr->type = htons(XAUTH_TYPE | ISAKMP_GEN_TV); 166 typeattr->lorv = htons(XAUTH_TYPE_GENERIC); 167 168 usrattr = (struct isakmp_data *)(typeattr + 1); 169 usrattr->type = htons(XAUTH_USER_NAME | ISAKMP_GEN_TLV); 170 usrattr->lorv = htons(0); 171 172 pwdattr = (struct isakmp_data *)(usrattr + 1); 173 pwdattr->type = htons(XAUTH_USER_PASSWORD | ISAKMP_GEN_TLV); 174 pwdattr->lorv = htons(0); 175 176 isakmp_cfg_send(iph1, buffer, 177 ISAKMP_NPTYPE_ATTR, ISAKMP_FLAG_E, 1); 178 179 vfree(buffer); 180 181 xst->status = XAUTHST_REQSENT; 182 183 return; 184 } 185 186 int 187 xauth_attr_reply(iph1, attr, id) 188 struct ph1handle *iph1; 189 struct isakmp_data *attr; 190 int id; 191 { 192 char **outlet = NULL; 193 size_t alen = 0; 194 int type; 195 struct xauth_state *xst = &iph1->mode_cfg->xauth; 196 197 if ((iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) == 0) { 198 plog(LLV_ERROR, LOCATION, NULL, 199 "Xauth reply but peer did not declare " 200 "itself as Xauth capable\n"); 201 return -1; 202 } 203 204 if (xst->status != XAUTHST_REQSENT) { 205 plog(LLV_ERROR, LOCATION, NULL, 206 "Xauth reply while Xauth state is %d\n", xst->status); 207 return -1; 208 } 209 210 type = ntohs(attr->type) & ~ISAKMP_GEN_MASK; 211 switch (type) { 212 case XAUTH_TYPE: 213 switch (ntohs(attr->lorv)) { 214 case XAUTH_TYPE_GENERIC: 215 xst->authtype = XAUTH_TYPE_GENERIC; 216 break; 217 default: 218 plog(LLV_WARNING, LOCATION, NULL, 219 "Unexpected authentication type %d\n", 220 ntohs(type)); 221 return -1; 222 } 223 break; 224 225 case XAUTH_USER_NAME: 226 outlet = &xst->authdata.generic.usr; 227 break; 228 229 case XAUTH_USER_PASSWORD: 230 outlet = &xst->authdata.generic.pwd; 231 break; 232 233 default: 234 plog(LLV_WARNING, LOCATION, NULL, 235 "ignored Xauth attribute %d\n", type); 236 break; 237 } 238 239 if (outlet != NULL) { 240 alen = ntohs(attr->lorv); 241 242 if ((*outlet = racoon_malloc(alen + 1)) == NULL) { 243 plog(LLV_ERROR, LOCATION, NULL, 244 "Cannot allocate memory for Xauth Data\n"); 245 return -1; 246 } 247 248 memcpy(*outlet, attr + 1, alen); 249 (*outlet)[alen] = '\0'; 250 outlet = NULL; 251 } 252 253 254 if ((xst->authdata.generic.usr != NULL) && 255 (xst->authdata.generic.pwd != NULL)) { 256 int port; 257 int res; 258 char *usr = xst->authdata.generic.usr; 259 char *pwd = xst->authdata.generic.pwd; 260 time_t throttle_delay = 0; 261 262 #if 0 /* Real debug, don't do that at home */ 263 plog(LLV_DEBUG, LOCATION, NULL, 264 "Got username \"%s\", password \"%s\"\n", usr, pwd); 265 #endif 266 strncpy(iph1->mode_cfg->login, usr, LOGINLEN); 267 iph1->mode_cfg->login[LOGINLEN] = '\0'; 268 269 res = -1; 270 if ((port = isakmp_cfg_getport(iph1)) == -1) { 271 plog(LLV_ERROR, LOCATION, NULL, 272 "Port pool depleted\n"); 273 goto skip_auth; 274 } 275 276 switch (isakmp_cfg_config.authsource) { 277 case ISAKMP_CFG_AUTH_SYSTEM: 278 res = privsep_xauth_login_system(usr, pwd); 279 break; 280 #ifdef HAVE_LIBRADIUS 281 case ISAKMP_CFG_AUTH_RADIUS: 282 res = xauth_login_radius(iph1, usr, pwd); 283 break; 284 #endif 285 #ifdef HAVE_LIBPAM 286 case ISAKMP_CFG_AUTH_PAM: 287 res = privsep_xauth_login_pam(iph1->mode_cfg->port, 288 iph1->remote, usr, pwd); 289 break; 290 #endif 291 #ifdef HAVE_LIBLDAP 292 case ISAKMP_CFG_AUTH_LDAP: 293 res = xauth_login_ldap(iph1, usr, pwd); 294 break; 295 #endif 296 default: 297 plog(LLV_ERROR, LOCATION, NULL, 298 "Unexpected authentication source\n"); 299 res = -1; 300 break; 301 } 302 303 /* 304 * Optional group authentication 305 */ 306 if (!res && (isakmp_cfg_config.groupcount)) 307 res = group_check(iph1, 308 isakmp_cfg_config.grouplist, 309 isakmp_cfg_config.groupcount); 310 311 /* 312 * On failure, throttle the connexion for the remote host 313 * in order to make password attacks more difficult. 314 */ 315 throttle_delay = throttle_host(iph1->remote, res); 316 if (throttle_delay > 0) { 317 char *str; 318 319 str = saddrwop2str(iph1->remote); 320 321 plog(LLV_ERROR, LOCATION, NULL, 322 "Throttling in action for %s: delay %lds\n", 323 str, (unsigned long)throttle_delay); 324 res = -1; 325 } else { 326 throttle_delay = 0; 327 } 328 329 skip_auth: 330 if (throttle_delay != 0) { 331 struct xauth_reply_arg *xra; 332 333 if ((xra = racoon_calloc(1, sizeof(*xra))) == NULL) { 334 plog(LLV_ERROR, LOCATION, NULL, 335 "malloc failed, bypass throttling\n"); 336 return xauth_reply(iph1, port, id, res); 337 } 338 339 /* 340 * We need to store the ph1, but it might have 341 * disapeared when xauth_reply is called, so 342 * store the index instead. 343 */ 344 xra->index = iph1->index; 345 xra->port = port; 346 xra->id = id; 347 xra->res = res; 348 sched_schedule(&xra->sc, throttle_delay, 349 xauth_reply_stub); 350 } else { 351 return xauth_reply(iph1, port, id, res); 352 } 353 } 354 355 return 0; 356 } 357 358 void 359 xauth_reply_stub(sc) 360 struct sched *sc; 361 { 362 struct xauth_reply_arg *xra = container_of(sc, struct xauth_reply_arg, sc); 363 struct ph1handle *iph1; 364 365 if ((iph1 = getph1byindex(&xra->index)) != NULL) 366 (void)xauth_reply(iph1, xra->port, xra->id, xra->res); 367 else 368 plog(LLV_ERROR, LOCATION, NULL, 369 "Delayed Xauth reply: phase 1 no longer exists.\n"); 370 371 racoon_free(xra); 372 } 373 374 int 375 xauth_reply(struct ph1handle *iph1, int port, int id, int res) 376 { 377 struct xauth_state *xst = &iph1->mode_cfg->xauth; 378 char *usr = xst->authdata.generic.usr; 379 380 if (res != 0) { 381 if (port != -1) 382 isakmp_cfg_putport(iph1, port); 383 384 plog(LLV_INFO, LOCATION, NULL, 385 "login failed for user \"%s\"\n", usr); 386 387 xauth_sendstatus(iph1, XAUTH_STATUS_FAIL, id); 388 xst->status = XAUTHST_NOTYET; 389 390 /* Delete Phase 1 SA */ 391 if (iph1->status >= PHASE1ST_ESTABLISHED) 392 isakmp_info_send_d1(iph1); 393 remph1(iph1); 394 delph1(iph1); 395 396 return -1; 397 } 398 399 xst->status = XAUTHST_OK; 400 plog(LLV_INFO, LOCATION, NULL, 401 "login succeeded for user \"%s\"\n", usr); 402 403 xauth_sendstatus(iph1, XAUTH_STATUS_OK, id); 404 405 return 0; 406 } 407 408 void 409 xauth_sendstatus(iph1, status, id) 410 struct ph1handle *iph1; 411 int status; 412 int id; 413 { 414 vchar_t *buffer; 415 struct isakmp_pl_attr *attr; 416 struct isakmp_data *stattr; 417 size_t tlen; 418 419 tlen = sizeof(*attr) + 420 + sizeof(*stattr); 421 422 if ((buffer = vmalloc(tlen)) == NULL) { 423 plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate buffer\n"); 424 return; 425 } 426 427 attr = (struct isakmp_pl_attr *)buffer->v; 428 memset(attr, 0, tlen); 429 430 attr->h.len = htons(tlen); 431 attr->type = ISAKMP_CFG_SET; 432 attr->id = htons(id); 433 434 stattr = (struct isakmp_data *)(attr + 1); 435 stattr->type = htons(XAUTH_STATUS | ISAKMP_GEN_TV); 436 stattr->lorv = htons(status); 437 438 isakmp_cfg_send(iph1, buffer, 439 ISAKMP_NPTYPE_ATTR, ISAKMP_FLAG_E, 1); 440 441 vfree(buffer); 442 443 return; 444 } 445 446 #ifdef HAVE_LIBRADIUS 447 int 448 xauth_radius_init_conf(int free) 449 { 450 /* free radius config resources */ 451 if (free) { 452 int i; 453 for (i = 0; i < xauth_rad_config.auth_server_count; i++) { 454 vfree(xauth_rad_config.auth_server_list[i].host); 455 vfree(xauth_rad_config.auth_server_list[i].secret); 456 } 457 for (i = 0; i < xauth_rad_config.acct_server_count; i++) { 458 vfree(xauth_rad_config.acct_server_list[i].host); 459 vfree(xauth_rad_config.acct_server_list[i].secret); 460 } 461 if (radius_auth_state != NULL) { 462 rad_close(radius_auth_state); 463 radius_auth_state = NULL; 464 } 465 if (radius_acct_state != NULL) { 466 rad_close(radius_acct_state); 467 radius_acct_state = NULL; 468 } 469 } 470 471 /* initialize radius config */ 472 memset(&xauth_rad_config, 0, sizeof(xauth_rad_config)); 473 return 0; 474 } 475 476 int 477 xauth_radius_init(void) 478 { 479 /* For first time use, initialize Radius */ 480 if ((isakmp_cfg_config.authsource == ISAKMP_CFG_AUTH_RADIUS) && 481 (radius_auth_state == NULL)) { 482 if ((radius_auth_state = rad_auth_open()) == NULL) { 483 plog(LLV_ERROR, LOCATION, NULL, 484 "Cannot init libradius\n"); 485 return -1; 486 } 487 488 int auth_count = xauth_rad_config.auth_server_count; 489 int auth_added = 0; 490 if (auth_count) { 491 int i; 492 for (i = 0; i < auth_count; i++) { 493 if(!rad_add_server( 494 radius_auth_state, 495 xauth_rad_config.auth_server_list[i].host->v, 496 xauth_rad_config.auth_server_list[i].port, 497 xauth_rad_config.auth_server_list[i].secret->v, 498 xauth_rad_config.timeout, 499 xauth_rad_config.retries )) 500 auth_added++; 501 else 502 plog(LLV_WARNING, LOCATION, NULL, 503 "could not add radius auth server %s\n", 504 xauth_rad_config.auth_server_list[i].host->v); 505 } 506 } 507 508 if (!auth_added) { 509 if (rad_config(radius_auth_state, NULL) != 0) { 510 plog(LLV_ERROR, LOCATION, NULL, 511 "Cannot open libradius config file: %s\n", 512 rad_strerror(radius_auth_state)); 513 rad_close(radius_auth_state); 514 radius_auth_state = NULL; 515 return -1; 516 } 517 } 518 } 519 520 if ((isakmp_cfg_config.accounting == ISAKMP_CFG_ACCT_RADIUS) && 521 (radius_acct_state == NULL)) { 522 if ((radius_acct_state = rad_acct_open()) == NULL) { 523 plog(LLV_ERROR, LOCATION, NULL, 524 "Cannot init libradius\n"); 525 return -1; 526 } 527 528 int acct_count = xauth_rad_config.acct_server_count; 529 int acct_added = 0; 530 if (acct_count) { 531 int i; 532 for (i = 0; i < acct_count; i++) { 533 if(!rad_add_server( 534 radius_acct_state, 535 xauth_rad_config.acct_server_list[i].host->v, 536 xauth_rad_config.acct_server_list[i].port, 537 xauth_rad_config.acct_server_list[i].secret->v, 538 xauth_rad_config.timeout, 539 xauth_rad_config.retries )) 540 acct_added++; 541 else 542 plog(LLV_WARNING, LOCATION, NULL, 543 "could not add radius account server %s\n", 544 xauth_rad_config.acct_server_list[i].host->v); 545 } 546 } 547 548 if (!acct_added) { 549 if (rad_config(radius_acct_state, NULL) != 0) { 550 plog(LLV_ERROR, LOCATION, NULL, 551 "Cannot open libradius config file: %s\n", 552 rad_strerror(radius_acct_state)); 553 rad_close(radius_acct_state); 554 radius_acct_state = NULL; 555 return -1; 556 } 557 } 558 } 559 560 return 0; 561 } 562 563 int 564 xauth_login_radius(iph1, usr, pwd) 565 struct ph1handle *iph1; 566 char *usr; 567 char *pwd; 568 { 569 int res; 570 const void *data; 571 size_t len; 572 int type; 573 574 if (rad_create_request(radius_auth_state, RAD_ACCESS_REQUEST) != 0) { 575 plog(LLV_ERROR, LOCATION, NULL, 576 "rad_create_request failed: %s\n", 577 rad_strerror(radius_auth_state)); 578 return -1; 579 } 580 581 if (rad_put_string(radius_auth_state, RAD_USER_NAME, usr) != 0) { 582 plog(LLV_ERROR, LOCATION, NULL, 583 "rad_put_string failed: %s\n", 584 rad_strerror(radius_auth_state)); 585 return -1; 586 } 587 588 if (rad_put_string(radius_auth_state, RAD_USER_PASSWORD, pwd) != 0) { 589 plog(LLV_ERROR, LOCATION, NULL, 590 "rad_put_string failed: %s\n", 591 rad_strerror(radius_auth_state)); 592 return -1; 593 } 594 595 if (isakmp_cfg_radius_common(radius_auth_state, iph1->mode_cfg->port) != 0) 596 return -1; 597 598 switch (res = rad_send_request(radius_auth_state)) { 599 case RAD_ACCESS_ACCEPT: 600 while ((type = rad_get_attr(radius_auth_state, &data, &len)) != 0) { 601 switch (type) { 602 case RAD_FRAMED_IP_ADDRESS: 603 iph1->mode_cfg->addr4 = rad_cvt_addr(data); 604 iph1->mode_cfg->flags 605 |= ISAKMP_CFG_ADDR4_EXTERN; 606 break; 607 608 case RAD_FRAMED_IP_NETMASK: 609 iph1->mode_cfg->mask4 = rad_cvt_addr(data); 610 iph1->mode_cfg->flags 611 |= ISAKMP_CFG_MASK4_EXTERN; 612 break; 613 614 default: 615 plog(LLV_INFO, LOCATION, NULL, 616 "Unexpected attribute: %d\n", type); 617 break; 618 } 619 } 620 621 return 0; 622 break; 623 624 case RAD_ACCESS_REJECT: 625 return -1; 626 break; 627 628 case -1: 629 plog(LLV_ERROR, LOCATION, NULL, 630 "rad_send_request failed: %s\n", 631 rad_strerror(radius_auth_state)); 632 return -1; 633 break; 634 default: 635 plog(LLV_ERROR, LOCATION, NULL, 636 "rad_send_request returned %d\n", res); 637 return -1; 638 break; 639 } 640 641 return -1; 642 } 643 #endif 644 645 #ifdef HAVE_LIBPAM 646 static int 647 PAM_conv(msg_count, msg, rsp, dontcare) 648 int msg_count; 649 const struct pam_message **msg; 650 struct pam_response **rsp; 651 void *dontcare; 652 { 653 int i; 654 int replies = 0; 655 struct pam_response *reply = NULL; 656 657 if ((reply = racoon_malloc(sizeof(*reply) * msg_count)) == NULL) 658 return PAM_CONV_ERR; 659 bzero(reply, sizeof(*reply) * msg_count); 660 661 for (i = 0; i < msg_count; i++) { 662 switch (msg[i]->msg_style) { 663 case PAM_PROMPT_ECHO_ON: 664 /* Send the username, libpam frees resp */ 665 reply[i].resp_retcode = PAM_SUCCESS; 666 if ((reply[i].resp = strdup(PAM_usr)) == NULL) { 667 plog(LLV_ERROR, LOCATION, 668 NULL, "strdup failed\n"); 669 exit(1); 670 } 671 break; 672 673 case PAM_PROMPT_ECHO_OFF: 674 /* Send the password, libpam frees resp */ 675 reply[i].resp_retcode = PAM_SUCCESS; 676 if ((reply[i].resp = strdup(PAM_pwd)) == NULL) { 677 plog(LLV_ERROR, LOCATION, 678 NULL, "strdup failed\n"); 679 exit(1); 680 } 681 break; 682 683 case PAM_TEXT_INFO: 684 case PAM_ERROR_MSG: 685 reply[i].resp_retcode = PAM_SUCCESS; 686 reply[i].resp = NULL; 687 break; 688 689 default: 690 if (reply != NULL) 691 racoon_free(reply); 692 return PAM_CONV_ERR; 693 break; 694 } 695 } 696 697 if (reply != NULL) 698 *rsp = reply; 699 700 return PAM_SUCCESS; 701 } 702 703 int 704 xauth_login_pam(port, raddr, usr, pwd) 705 int port; 706 struct sockaddr *raddr; 707 char *usr; 708 char *pwd; 709 { 710 int error; 711 int res; 712 const void *data; 713 size_t len; 714 int type; 715 char *remote = NULL; 716 pam_handle_t *pam = NULL; 717 718 if (isakmp_cfg_config.port_pool == NULL) { 719 plog(LLV_ERROR, LOCATION, NULL, 720 "isakmp_cfg_config.port_pool == NULL\n"); 721 return -1; 722 } 723 724 if ((error = pam_start("racoon", usr, 725 &PAM_chat, &isakmp_cfg_config.port_pool[port].pam)) != 0) { 726 if (isakmp_cfg_config.port_pool[port].pam == NULL) { 727 plog(LLV_ERROR, LOCATION, NULL, "pam_start failed\n"); 728 return -1; 729 } else { 730 plog(LLV_ERROR, LOCATION, NULL, 731 "pam_start failed: %s\n", 732 pam_strerror(isakmp_cfg_config.port_pool[port].pam, 733 error)); 734 goto out; 735 } 736 } 737 pam = isakmp_cfg_config.port_pool[port].pam; 738 739 if ((remote = strdup(saddrwop2str(raddr))) == NULL) { 740 plog(LLV_ERROR, LOCATION, NULL, 741 "cannot allocate memory: %s\n", strerror(errno)); 742 goto out; 743 } 744 745 if ((error = pam_set_item(pam, PAM_RHOST, remote)) != 0) { 746 plog(LLV_ERROR, LOCATION, NULL, 747 "pam_set_item failed: %s\n", 748 pam_strerror(pam, error)); 749 goto out; 750 } 751 752 if ((error = pam_set_item(pam, PAM_RUSER, usr)) != 0) { 753 plog(LLV_ERROR, LOCATION, NULL, 754 "pam_set_item failed: %s\n", 755 pam_strerror(pam, error)); 756 goto out; 757 } 758 759 PAM_usr = usr; 760 PAM_pwd = pwd; 761 error = pam_authenticate(pam, 0); 762 PAM_usr = NULL; 763 PAM_pwd = NULL; 764 if (error != 0) { 765 plog(LLV_ERROR, LOCATION, NULL, 766 "pam_authenticate failed: %s\n", 767 pam_strerror(pam, error)); 768 goto out; 769 } 770 771 if ((error = pam_acct_mgmt(pam, 0)) != 0) { 772 plog(LLV_ERROR, LOCATION, NULL, 773 "pam_acct_mgmt failed: %s\n", 774 pam_strerror(pam, error)); 775 goto out; 776 } 777 778 if ((error = pam_setcred(pam, 0)) != 0) { 779 plog(LLV_ERROR, LOCATION, NULL, 780 "pam_setcred failed: %s\n", 781 pam_strerror(pam, error)); 782 goto out; 783 } 784 785 if (remote != NULL) 786 free(remote); 787 788 return 0; 789 790 out: 791 pam_end(pam, error); 792 isakmp_cfg_config.port_pool[port].pam = NULL; 793 if (remote != NULL) 794 free(remote); 795 return -1; 796 } 797 #endif 798 799 #ifdef HAVE_LIBLDAP 800 int 801 xauth_ldap_init_conf(void) 802 { 803 int tmplen; 804 int error = -1; 805 806 xauth_ldap_config.pver = 3; 807 xauth_ldap_config.host = NULL; 808 xauth_ldap_config.port = LDAP_PORT; 809 xauth_ldap_config.tls = 0; 810 xauth_ldap_config.base = NULL; 811 xauth_ldap_config.subtree = 0; 812 xauth_ldap_config.bind_dn = NULL; 813 xauth_ldap_config.bind_pw = NULL; 814 xauth_ldap_config.auth_type = LDAP_AUTH_SIMPLE; 815 xauth_ldap_config.attr_user = NULL; 816 xauth_ldap_config.attr_addr = NULL; 817 xauth_ldap_config.attr_mask = NULL; 818 xauth_ldap_config.attr_group = NULL; 819 xauth_ldap_config.attr_member = NULL; 820 821 /* set default host */ 822 tmplen = strlen(LDAP_DFLT_HOST); 823 xauth_ldap_config.host = vmalloc(tmplen); 824 if (xauth_ldap_config.host == NULL) 825 goto out; 826 memcpy(xauth_ldap_config.host->v, LDAP_DFLT_HOST, tmplen); 827 828 /* set default user naming attribute */ 829 tmplen = strlen(LDAP_DFLT_USER); 830 xauth_ldap_config.attr_user = vmalloc(tmplen); 831 if (xauth_ldap_config.attr_user == NULL) 832 goto out; 833 memcpy(xauth_ldap_config.attr_user->v, LDAP_DFLT_USER, tmplen); 834 835 /* set default address attribute */ 836 tmplen = strlen(LDAP_DFLT_ADDR); 837 xauth_ldap_config.attr_addr = vmalloc(tmplen); 838 if (xauth_ldap_config.attr_addr == NULL) 839 goto out; 840 memcpy(xauth_ldap_config.attr_addr->v, LDAP_DFLT_ADDR, tmplen); 841 842 /* set default netmask attribute */ 843 tmplen = strlen(LDAP_DFLT_MASK); 844 xauth_ldap_config.attr_mask = vmalloc(tmplen); 845 if (xauth_ldap_config.attr_mask == NULL) 846 goto out; 847 memcpy(xauth_ldap_config.attr_mask->v, LDAP_DFLT_MASK, tmplen); 848 849 /* set default group naming attribute */ 850 tmplen = strlen(LDAP_DFLT_GROUP); 851 xauth_ldap_config.attr_group = vmalloc(tmplen); 852 if (xauth_ldap_config.attr_group == NULL) 853 goto out; 854 memcpy(xauth_ldap_config.attr_group->v, LDAP_DFLT_GROUP, tmplen); 855 856 /* set default member attribute */ 857 tmplen = strlen(LDAP_DFLT_MEMBER); 858 xauth_ldap_config.attr_member = vmalloc(tmplen); 859 if (xauth_ldap_config.attr_member == NULL) 860 goto out; 861 memcpy(xauth_ldap_config.attr_member->v, LDAP_DFLT_MEMBER, tmplen); 862 863 error = 0; 864 out: 865 if (error != 0) 866 plog(LLV_ERROR, LOCATION, NULL, "cannot allocate memory\n"); 867 868 return error; 869 } 870 871 int 872 xauth_login_ldap(iph1, usr, pwd) 873 struct ph1handle *iph1; 874 char *usr; 875 char *pwd; 876 { 877 int rtn = -1; 878 int res = -1; 879 LDAP *ld = NULL; 880 LDAPMessage *lr = NULL; 881 LDAPMessage *le = NULL; 882 struct berval cred; 883 struct berval **bv = NULL; 884 struct timeval timeout; 885 char *init = NULL; 886 char *filter = NULL; 887 char *atlist[3]; 888 char *basedn = NULL; 889 char *userdn = NULL; 890 int tmplen = 0; 891 int ecount = 0; 892 int scope = LDAP_SCOPE_ONE; 893 894 atlist[0] = NULL; 895 atlist[1] = NULL; 896 atlist[2] = NULL; 897 898 /* build our initialization url */ 899 tmplen = strlen("ldap://:") + 17; 900 tmplen += strlen(xauth_ldap_config.host->v); 901 init = racoon_malloc(tmplen); 902 if (init == NULL) { 903 plog(LLV_ERROR, LOCATION, NULL, 904 "unable to alloc ldap init url\n"); 905 goto ldap_end; 906 } 907 sprintf(init,"ldap://%s:%d", 908 xauth_ldap_config.host->v, 909 xauth_ldap_config.port ); 910 911 /* initialize the ldap handle */ 912 res = ldap_initialize(&ld, init); 913 if (res != LDAP_SUCCESS) { 914 plog(LLV_ERROR, LOCATION, NULL, 915 "ldap_initialize failed: %s\n", 916 ldap_err2string(res)); 917 goto ldap_end; 918 } 919 920 /* initialize the protocol version */ 921 ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, 922 &xauth_ldap_config.pver); 923 924 /* Enable TLS */ 925 if (xauth_ldap_config.tls) { 926 res = ldap_start_tls_s(ld, NULL, NULL); 927 if (res != LDAP_SUCCESS) { 928 plog(LLV_ERROR, LOCATION, NULL, 929 "ldap_start_tls_s failed: %s\n", 930 ldap_err2string(res)); 931 goto ldap_end; 932 } 933 } 934 935 /* 936 * attempt to bind to the ldap server. 937 * default to anonymous bind unless a 938 * user dn and password has been 939 * specified in our configuration 940 */ 941 if ((xauth_ldap_config.bind_dn != NULL)&& 942 (xauth_ldap_config.bind_pw != NULL)) 943 { 944 cred.bv_val = xauth_ldap_config.bind_pw->v; 945 cred.bv_len = strlen( cred.bv_val ); 946 res = ldap_sasl_bind_s(ld, 947 xauth_ldap_config.bind_dn->v, NULL, &cred, 948 NULL, NULL, NULL); 949 } 950 else 951 { 952 res = ldap_sasl_bind_s(ld, 953 NULL, NULL, NULL, 954 NULL, NULL, NULL); 955 } 956 957 if (res!=LDAP_SUCCESS) { 958 plog(LLV_ERROR, LOCATION, NULL, 959 "ldap_sasl_bind_s (search) failed: %s\n", 960 ldap_err2string(res)); 961 goto ldap_end; 962 } 963 964 /* build an ldap user search filter */ 965 tmplen = strlen(xauth_ldap_config.attr_user->v); 966 tmplen += 1; 967 tmplen += strlen(usr); 968 tmplen += 1; 969 filter = racoon_malloc(tmplen); 970 if (filter == NULL) { 971 plog(LLV_ERROR, LOCATION, NULL, 972 "unable to alloc ldap search filter buffer\n"); 973 goto ldap_end; 974 } 975 sprintf(filter, "%s=%s", 976 xauth_ldap_config.attr_user->v, usr); 977 978 /* build our return attribute list */ 979 tmplen = strlen(xauth_ldap_config.attr_addr->v) + 1; 980 atlist[0] = racoon_malloc(tmplen); 981 tmplen = strlen(xauth_ldap_config.attr_mask->v) + 1; 982 atlist[1] = racoon_malloc(tmplen); 983 if ((atlist[0] == NULL)||(atlist[1] == NULL)) { 984 plog(LLV_ERROR, LOCATION, NULL, 985 "unable to alloc ldap attrib list buffer\n"); 986 goto ldap_end; 987 } 988 strcpy(atlist[0],xauth_ldap_config.attr_addr->v); 989 strcpy(atlist[1],xauth_ldap_config.attr_mask->v); 990 991 /* attempt to locate the user dn */ 992 if (xauth_ldap_config.base != NULL) 993 basedn = xauth_ldap_config.base->v; 994 if (xauth_ldap_config.subtree) 995 scope = LDAP_SCOPE_SUBTREE; 996 timeout.tv_sec = 15; 997 timeout.tv_usec = 0; 998 res = ldap_search_ext_s(ld, basedn, scope, 999 filter, atlist, 0, NULL, NULL, 1000 &timeout, 2, &lr); 1001 if (res != LDAP_SUCCESS) { 1002 plog(LLV_ERROR, LOCATION, NULL, 1003 "ldap_search_ext_s failed: %s\n", 1004 ldap_err2string(res)); 1005 goto ldap_end; 1006 } 1007 1008 /* check the number of ldap entries returned */ 1009 ecount = ldap_count_entries(ld, lr); 1010 if (ecount < 1) { 1011 plog(LLV_WARNING, LOCATION, NULL, 1012 "no ldap results for filter \'%s\'\n", 1013 filter); 1014 goto ldap_end; 1015 } 1016 if (ecount > 1) { 1017 plog(LLV_WARNING, LOCATION, NULL, 1018 "multiple (%i) ldap results for filter \'%s\'\n", 1019 ecount, filter); 1020 } 1021 1022 /* obtain the dn from the first result */ 1023 le = ldap_first_entry(ld, lr); 1024 if (le == NULL) { 1025 plog(LLV_ERROR, LOCATION, NULL, 1026 "ldap_first_entry failed: invalid entry returned\n"); 1027 goto ldap_end; 1028 } 1029 userdn = ldap_get_dn(ld, le); 1030 if (userdn == NULL) { 1031 plog(LLV_ERROR, LOCATION, NULL, 1032 "ldap_get_dn failed: invalid string returned\n"); 1033 goto ldap_end; 1034 } 1035 1036 /* cache the user dn in the xauth state */ 1037 iph1->mode_cfg->xauth.udn = racoon_malloc(strlen(userdn)+1); 1038 strcpy(iph1->mode_cfg->xauth.udn,userdn); 1039 1040 /* retrieve modecfg address */ 1041 bv = ldap_get_values_len(ld, le, xauth_ldap_config.attr_addr->v); 1042 if (bv != NULL) { 1043 char tmpaddr[16]; 1044 /* sanity check for address value */ 1045 if ((bv[0]->bv_len < 7)||(bv[0]->bv_len > 15)) { 1046 plog(LLV_DEBUG, LOCATION, NULL, 1047 "ldap returned invalid modecfg address\n"); 1048 ldap_value_free_len(bv); 1049 goto ldap_end; 1050 } 1051 memcpy(tmpaddr,bv[0]->bv_val,bv[0]->bv_len); 1052 tmpaddr[bv[0]->bv_len]=0; 1053 iph1->mode_cfg->addr4.s_addr = inet_addr(tmpaddr); 1054 iph1->mode_cfg->flags |= ISAKMP_CFG_ADDR4_EXTERN; 1055 plog(LLV_INFO, LOCATION, NULL, 1056 "ldap returned modecfg address %s\n", tmpaddr); 1057 ldap_value_free_len(bv); 1058 } 1059 1060 /* retrieve modecfg netmask */ 1061 bv = ldap_get_values_len(ld, le, xauth_ldap_config.attr_mask->v); 1062 if (bv != NULL) { 1063 char tmpmask[16]; 1064 /* sanity check for netmask value */ 1065 if ((bv[0]->bv_len < 7)||(bv[0]->bv_len > 15)) { 1066 plog(LLV_DEBUG, LOCATION, NULL, 1067 "ldap returned invalid modecfg netmask\n"); 1068 ldap_value_free_len(bv); 1069 goto ldap_end; 1070 } 1071 memcpy(tmpmask,bv[0]->bv_val,bv[0]->bv_len); 1072 tmpmask[bv[0]->bv_len]=0; 1073 iph1->mode_cfg->mask4.s_addr = inet_addr(tmpmask); 1074 iph1->mode_cfg->flags |= ISAKMP_CFG_MASK4_EXTERN; 1075 plog(LLV_INFO, LOCATION, NULL, 1076 "ldap returned modecfg netmask %s\n", tmpmask); 1077 ldap_value_free_len(bv); 1078 } 1079 1080 /* 1081 * finally, use the dn and the xauth 1082 * password to check the users given 1083 * credentials by attempting to bind 1084 * to the ldap server 1085 */ 1086 plog(LLV_INFO, LOCATION, NULL, 1087 "attempting ldap bind for dn \'%s\'\n", userdn); 1088 cred.bv_val = pwd; 1089 cred.bv_len = strlen( cred.bv_val ); 1090 res = ldap_sasl_bind_s(ld, 1091 userdn, NULL, &cred, 1092 NULL, NULL, NULL); 1093 if(res==LDAP_SUCCESS) 1094 rtn = 0; 1095 1096 ldap_end: 1097 1098 /* free ldap resources */ 1099 if (userdn != NULL) 1100 ldap_memfree(userdn); 1101 if (atlist[0] != NULL) 1102 racoon_free(atlist[0]); 1103 if (atlist[1] != NULL) 1104 racoon_free(atlist[1]); 1105 if (filter != NULL) 1106 racoon_free(filter); 1107 if (lr != NULL) 1108 ldap_msgfree(lr); 1109 if (init != NULL) 1110 racoon_free(init); 1111 1112 ldap_unbind_ext_s(ld, NULL, NULL); 1113 1114 return rtn; 1115 } 1116 1117 int 1118 xauth_group_ldap(udn, grp) 1119 char * udn; 1120 char * grp; 1121 { 1122 int rtn = -1; 1123 int res = -1; 1124 LDAP *ld = NULL; 1125 LDAPMessage *lr = NULL; 1126 LDAPMessage *le = NULL; 1127 struct berval cred; 1128 struct timeval timeout; 1129 char *init = NULL; 1130 char *filter = NULL; 1131 char *basedn = NULL; 1132 char *groupdn = NULL; 1133 int tmplen = 0; 1134 int ecount = 0; 1135 int scope = LDAP_SCOPE_ONE; 1136 1137 /* build our initialization url */ 1138 tmplen = strlen("ldap://:") + 17; 1139 tmplen += strlen(xauth_ldap_config.host->v); 1140 init = racoon_malloc(tmplen); 1141 if (init == NULL) { 1142 plog(LLV_ERROR, LOCATION, NULL, 1143 "unable to alloc ldap init url\n"); 1144 goto ldap_group_end; 1145 } 1146 sprintf(init,"ldap://%s:%d", 1147 xauth_ldap_config.host->v, 1148 xauth_ldap_config.port ); 1149 1150 /* initialize the ldap handle */ 1151 res = ldap_initialize(&ld, init); 1152 if (res != LDAP_SUCCESS) { 1153 plog(LLV_ERROR, LOCATION, NULL, 1154 "ldap_initialize failed: %s\n", 1155 ldap_err2string(res)); 1156 goto ldap_group_end; 1157 } 1158 1159 /* initialize the protocol version */ 1160 ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, 1161 &xauth_ldap_config.pver); 1162 1163 /* Enable TLS */ 1164 if (xauth_ldap_config.tls) { 1165 res = ldap_start_tls_s(ld, NULL, NULL); 1166 if (res != LDAP_SUCCESS) { 1167 plog(LLV_ERROR, LOCATION, NULL, 1168 "ldap_start_tls_s failed: %s\n", 1169 ldap_err2string(res)); 1170 goto ldap_group_end; 1171 } 1172 } 1173 1174 /* 1175 * attempt to bind to the ldap server. 1176 * default to anonymous bind unless a 1177 * user dn and password has been 1178 * specified in our configuration 1179 */ 1180 if ((xauth_ldap_config.bind_dn != NULL)&& 1181 (xauth_ldap_config.bind_pw != NULL)) 1182 { 1183 cred.bv_val = xauth_ldap_config.bind_pw->v; 1184 cred.bv_len = strlen( cred.bv_val ); 1185 res = ldap_sasl_bind_s(ld, 1186 xauth_ldap_config.bind_dn->v, NULL, &cred, 1187 NULL, NULL, NULL); 1188 } 1189 else 1190 { 1191 res = ldap_sasl_bind_s(ld, 1192 NULL, NULL, NULL, 1193 NULL, NULL, NULL); 1194 } 1195 1196 if (res!=LDAP_SUCCESS) { 1197 plog(LLV_ERROR, LOCATION, NULL, 1198 "ldap_sasl_bind_s (search) failed: %s\n", 1199 ldap_err2string(res)); 1200 goto ldap_group_end; 1201 } 1202 1203 /* build an ldap group search filter */ 1204 tmplen = strlen("(&(=)(=))") + 1; 1205 tmplen += strlen(xauth_ldap_config.attr_group->v); 1206 tmplen += strlen(grp); 1207 tmplen += strlen(xauth_ldap_config.attr_member->v); 1208 tmplen += strlen(udn); 1209 filter = racoon_malloc(tmplen); 1210 if (filter == NULL) { 1211 plog(LLV_ERROR, LOCATION, NULL, 1212 "unable to alloc ldap search filter buffer\n"); 1213 goto ldap_group_end; 1214 } 1215 sprintf(filter, "(&(%s=%s)(%s=%s))", 1216 xauth_ldap_config.attr_group->v, grp, 1217 xauth_ldap_config.attr_member->v, udn); 1218 1219 /* attempt to locate the group dn */ 1220 if (xauth_ldap_config.base != NULL) 1221 basedn = xauth_ldap_config.base->v; 1222 if (xauth_ldap_config.subtree) 1223 scope = LDAP_SCOPE_SUBTREE; 1224 timeout.tv_sec = 15; 1225 timeout.tv_usec = 0; 1226 res = ldap_search_ext_s(ld, basedn, scope, 1227 filter, NULL, 0, NULL, NULL, 1228 &timeout, 2, &lr); 1229 if (res != LDAP_SUCCESS) { 1230 plog(LLV_ERROR, LOCATION, NULL, 1231 "ldap_search_ext_s failed: %s\n", 1232 ldap_err2string(res)); 1233 goto ldap_group_end; 1234 } 1235 1236 /* check the number of ldap entries returned */ 1237 ecount = ldap_count_entries(ld, lr); 1238 if (ecount < 1) { 1239 plog(LLV_WARNING, LOCATION, NULL, 1240 "no ldap results for filter \'%s\'\n", 1241 filter); 1242 goto ldap_group_end; 1243 } 1244 1245 /* success */ 1246 rtn = 0; 1247 1248 /* obtain the dn from the first result */ 1249 le = ldap_first_entry(ld, lr); 1250 if (le == NULL) { 1251 plog(LLV_ERROR, LOCATION, NULL, 1252 "ldap_first_entry failed: invalid entry returned\n"); 1253 goto ldap_group_end; 1254 } 1255 groupdn = ldap_get_dn(ld, le); 1256 if (groupdn == NULL) { 1257 plog(LLV_ERROR, LOCATION, NULL, 1258 "ldap_get_dn failed: invalid string returned\n"); 1259 goto ldap_group_end; 1260 } 1261 1262 plog(LLV_INFO, LOCATION, NULL, 1263 "ldap membership group returned \'%s\'\n", groupdn); 1264 ldap_group_end: 1265 1266 /* free ldap resources */ 1267 if (groupdn != NULL) 1268 ldap_memfree(groupdn); 1269 if (filter != NULL) 1270 racoon_free(filter); 1271 if (lr != NULL) 1272 ldap_msgfree(lr); 1273 if (init != NULL) 1274 racoon_free(init); 1275 1276 ldap_unbind_ext_s(ld, NULL, NULL); 1277 1278 return rtn; 1279 } 1280 1281 #endif 1282 1283 int 1284 xauth_login_system(usr, pwd) 1285 char *usr; 1286 char *pwd; 1287 { 1288 struct passwd *pw; 1289 char *cryptpwd; 1290 char *syscryptpwd; 1291 #ifdef HAVE_SHADOW_H 1292 struct spwd *spw; 1293 1294 if ((spw = getspnam(usr)) == NULL) 1295 return -1; 1296 1297 syscryptpwd = spw->sp_pwdp; 1298 #endif 1299 1300 if ((pw = getpwnam(usr)) == NULL) 1301 return -1; 1302 1303 #ifndef HAVE_SHADOW_H 1304 syscryptpwd = pw->pw_passwd; 1305 #endif 1306 1307 /* No root login. Ever. */ 1308 if (pw->pw_uid == 0) 1309 return -1; 1310 1311 if ((cryptpwd = crypt(pwd, syscryptpwd)) == NULL) 1312 return -1; 1313 1314 if (strcmp(cryptpwd, syscryptpwd) == 0) 1315 return 0; 1316 1317 return -1; 1318 } 1319 1320 int 1321 xauth_group_system(usr, grp) 1322 char * usr; 1323 char * grp; 1324 { 1325 struct group * gr; 1326 char * member; 1327 int index = 0; 1328 1329 gr = getgrnam(grp); 1330 if (gr == NULL) { 1331 plog(LLV_ERROR, LOCATION, NULL, 1332 "the system group name \'%s\' is unknown\n", 1333 grp); 1334 return -1; 1335 } 1336 1337 while ((member = gr->gr_mem[index++])!=NULL) { 1338 if (!strcmp(member,usr)) { 1339 plog(LLV_INFO, LOCATION, NULL, 1340 "membership validated\n"); 1341 return 0; 1342 } 1343 } 1344 1345 return -1; 1346 } 1347 1348 int 1349 xauth_check(iph1) 1350 struct ph1handle *iph1; 1351 { 1352 struct xauth_state *xst = &iph1->mode_cfg->xauth; 1353 1354 /* 1355 * Only the server side (edge device) really check for Xauth 1356 * status. It does it if the chose authmethod is using Xauth. 1357 * On the client side (roadwarrior), we don't check anything. 1358 */ 1359 switch (iph1->approval->authmethod) { 1360 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R: 1361 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R: 1362 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R: 1363 /* The following are not yet implemented */ 1364 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R: 1365 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R: 1366 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R: 1367 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R: 1368 if ((iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) == 0) { 1369 plog(LLV_ERROR, LOCATION, NULL, 1370 "Hybrid auth negotiated but peer did not " 1371 "announced as Xauth capable\n"); 1372 return -1; 1373 } 1374 1375 if (xst->status != XAUTHST_OK) { 1376 plog(LLV_ERROR, LOCATION, NULL, 1377 "Hybrid auth negotiated but peer did not " 1378 "succeed Xauth exchange\n"); 1379 return -1; 1380 } 1381 1382 return 0; 1383 break; 1384 default: 1385 return 0; 1386 break; 1387 } 1388 1389 return 0; 1390 } 1391 1392 int 1393 group_check(iph1, grp_list, grp_count) 1394 struct ph1handle *iph1; 1395 char **grp_list; 1396 int grp_count; 1397 { 1398 int res = -1; 1399 int grp_index = 0; 1400 char * usr = NULL; 1401 1402 /* check for presence of modecfg data */ 1403 1404 if(iph1->mode_cfg == NULL) { 1405 plog(LLV_ERROR, LOCATION, NULL, 1406 "xauth group specified but modecfg not found\n"); 1407 return res; 1408 } 1409 1410 /* loop through our group list */ 1411 1412 for(; grp_index < grp_count; grp_index++) { 1413 1414 /* check for presence of xauth data */ 1415 1416 usr = iph1->mode_cfg->xauth.authdata.generic.usr; 1417 1418 if(usr == NULL) { 1419 plog(LLV_ERROR, LOCATION, NULL, 1420 "xauth group specified but xauth not found\n"); 1421 return res; 1422 } 1423 1424 /* call appropriate group validation funtion */ 1425 1426 switch (isakmp_cfg_config.groupsource) { 1427 1428 case ISAKMP_CFG_GROUP_SYSTEM: 1429 res = xauth_group_system( 1430 usr, 1431 grp_list[grp_index]); 1432 break; 1433 1434 #ifdef HAVE_LIBLDAP 1435 case ISAKMP_CFG_GROUP_LDAP: 1436 res = xauth_group_ldap( 1437 iph1->mode_cfg->xauth.udn, 1438 grp_list[grp_index]); 1439 break; 1440 #endif 1441 1442 default: 1443 /* we should never get here */ 1444 plog(LLV_ERROR, LOCATION, NULL, 1445 "Unknown group auth source\n"); 1446 break; 1447 } 1448 1449 if( !res ) { 1450 plog(LLV_INFO, LOCATION, NULL, 1451 "user \"%s\" is a member of group \"%s\"\n", 1452 usr, 1453 grp_list[grp_index]); 1454 break; 1455 } else { 1456 plog(LLV_INFO, LOCATION, NULL, 1457 "user \"%s\" is not a member of group \"%s\"\n", 1458 usr, 1459 grp_list[grp_index]); 1460 } 1461 } 1462 1463 return res; 1464 } 1465 1466 vchar_t * 1467 isakmp_xauth_req(iph1, attr) 1468 struct ph1handle *iph1; 1469 struct isakmp_data *attr; 1470 { 1471 int type; 1472 size_t dlen = 0; 1473 int ashort = 0; 1474 int value = 0; 1475 vchar_t *buffer = NULL; 1476 char *mraw = NULL, *mdata; 1477 char *data; 1478 vchar_t *usr = NULL; 1479 vchar_t *pwd = NULL; 1480 size_t skip = 0; 1481 int freepwd = 0; 1482 1483 if ((iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) == 0) { 1484 plog(LLV_ERROR, LOCATION, NULL, 1485 "Xauth mode config request but peer " 1486 "did not declare itself as Xauth capable\n"); 1487 return NULL; 1488 } 1489 1490 type = ntohs(attr->type) & ~ISAKMP_GEN_MASK; 1491 1492 /* Sanity checks */ 1493 switch(type) { 1494 case XAUTH_TYPE: 1495 if ((ntohs(attr->type) & ISAKMP_GEN_TV) == 0) { 1496 plog(LLV_ERROR, LOCATION, NULL, 1497 "Unexpected long XAUTH_TYPE attribute\n"); 1498 return NULL; 1499 } 1500 if (ntohs(attr->lorv) != XAUTH_TYPE_GENERIC) { 1501 plog(LLV_ERROR, LOCATION, NULL, 1502 "Unsupported Xauth authentication %d\n", 1503 ntohs(attr->lorv)); 1504 return NULL; 1505 } 1506 ashort = 1; 1507 dlen = 0; 1508 value = XAUTH_TYPE_GENERIC; 1509 break; 1510 1511 case XAUTH_USER_NAME: 1512 if (!iph1->rmconf->xauth || !iph1->rmconf->xauth->login) { 1513 plog(LLV_ERROR, LOCATION, NULL, "Xauth performed " 1514 "with no login supplied\n"); 1515 return NULL; 1516 } 1517 1518 dlen = iph1->rmconf->xauth->login->l - 1; 1519 iph1->rmconf->xauth->state |= XAUTH_SENT_USERNAME; 1520 break; 1521 1522 case XAUTH_USER_PASSWORD: 1523 if (!iph1->rmconf->xauth || !iph1->rmconf->xauth->login) 1524 return NULL; 1525 1526 skip = sizeof(struct ipsecdoi_id_b); 1527 usr = vmalloc(iph1->rmconf->xauth->login->l - 1 + skip); 1528 if (usr == NULL) { 1529 plog(LLV_ERROR, LOCATION, NULL, 1530 "Cannot allocate memory\n"); 1531 return NULL; 1532 } 1533 memset(usr->v, 0, skip); 1534 memcpy(usr->v + skip, 1535 iph1->rmconf->xauth->login->v, 1536 iph1->rmconf->xauth->login->l - 1); 1537 1538 if (iph1->rmconf->xauth->pass) { 1539 /* A key given through racoonctl */ 1540 pwd = iph1->rmconf->xauth->pass; 1541 } else { 1542 if ((pwd = getpskbyname(usr)) == NULL) { 1543 plog(LLV_ERROR, LOCATION, NULL, 1544 "No password was found for login %s\n", 1545 iph1->rmconf->xauth->login->v); 1546 vfree(usr); 1547 return NULL; 1548 } 1549 /* We have to free it before returning */ 1550 freepwd = 1; 1551 } 1552 vfree(usr); 1553 1554 iph1->rmconf->xauth->state |= XAUTH_SENT_PASSWORD; 1555 dlen = pwd->l; 1556 1557 break; 1558 case XAUTH_MESSAGE: 1559 if ((ntohs(attr->type) & ISAKMP_GEN_TV) == 0) { 1560 dlen = ntohs(attr->lorv); 1561 if (dlen > 0) { 1562 mraw = (char*)(attr + 1); 1563 mdata = binsanitize(mraw, dlen); 1564 if (mdata == NULL) { 1565 plog(LLV_ERROR, LOCATION, iph1->remote, 1566 "Cannot allocate memory\n"); 1567 return NULL; 1568 } 1569 plog(LLV_NOTIFY,LOCATION, iph1->remote, 1570 "XAUTH Message: '%s'.\n", 1571 mdata); 1572 racoon_free(mdata); 1573 } 1574 } 1575 return NULL; 1576 default: 1577 plog(LLV_WARNING, LOCATION, NULL, 1578 "Ignored attribute %s\n", s_isakmp_cfg_type(type)); 1579 return NULL; 1580 break; 1581 } 1582 1583 if ((buffer = vmalloc(sizeof(*attr) + dlen)) == NULL) { 1584 plog(LLV_ERROR, LOCATION, NULL, 1585 "Cannot allocate memory\n"); 1586 goto out; 1587 } 1588 1589 attr = (struct isakmp_data *)buffer->v; 1590 if (ashort) { 1591 attr->type = htons(type | ISAKMP_GEN_TV); 1592 attr->lorv = htons(value); 1593 goto out; 1594 } 1595 1596 attr->type = htons(type | ISAKMP_GEN_TLV); 1597 attr->lorv = htons(dlen); 1598 data = (char *)(attr + 1); 1599 1600 switch(type) { 1601 case XAUTH_USER_NAME: 1602 /* 1603 * iph1->rmconf->xauth->login->v is valid, 1604 * we just checked it in the previous switch case 1605 */ 1606 memcpy(data, iph1->rmconf->xauth->login->v, dlen); 1607 break; 1608 case XAUTH_USER_PASSWORD: 1609 memcpy(data, pwd->v, dlen); 1610 break; 1611 default: 1612 break; 1613 } 1614 1615 out: 1616 if (freepwd) 1617 vfree(pwd); 1618 1619 return buffer; 1620 } 1621 1622 vchar_t * 1623 isakmp_xauth_set(iph1, attr) 1624 struct ph1handle *iph1; 1625 struct isakmp_data *attr; 1626 { 1627 int type; 1628 vchar_t *buffer = NULL; 1629 char *data; 1630 struct xauth_state *xst; 1631 size_t dlen = 0; 1632 char* mraw = NULL, *mdata; 1633 1634 if ((iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) == 0) { 1635 plog(LLV_ERROR, LOCATION, NULL, 1636 "Xauth mode config set but peer " 1637 "did not declare itself as Xauth capable\n"); 1638 return NULL; 1639 } 1640 1641 type = ntohs(attr->type) & ~ISAKMP_GEN_MASK; 1642 1643 switch(type) { 1644 case XAUTH_STATUS: 1645 /* 1646 * We should only receive ISAKMP mode_cfg SET XAUTH_STATUS 1647 * when running as a client (initiator). 1648 */ 1649 xst = &iph1->mode_cfg->xauth; 1650 switch (iph1->approval->authmethod) { 1651 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I: 1652 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_I: 1653 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I: 1654 /* Not implemented ... */ 1655 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I: 1656 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I: 1657 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I: 1658 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I: 1659 break; 1660 default: 1661 plog(LLV_ERROR, LOCATION, NULL, 1662 "Unexpected XAUTH_STATUS_OK\n"); 1663 return NULL; 1664 break; 1665 } 1666 1667 /* If we got a failure, delete iph1 */ 1668 if (ntohs(attr->lorv) != XAUTH_STATUS_OK) { 1669 plog(LLV_ERROR, LOCATION, NULL, 1670 "Xauth authentication failed\n"); 1671 1672 evt_phase1(iph1, EVT_PHASE1_XAUTH_FAILED, NULL); 1673 1674 iph1->mode_cfg->flags |= ISAKMP_CFG_DELETE_PH1; 1675 } else { 1676 evt_phase1(iph1, EVT_PHASE1_XAUTH_SUCCESS, NULL); 1677 } 1678 1679 1680 /* We acknowledge it */ 1681 break; 1682 case XAUTH_MESSAGE: 1683 if ((ntohs(attr->type) & ISAKMP_GEN_TV) == 0) { 1684 dlen = ntohs(attr->lorv); 1685 if (dlen > 0) { 1686 mraw = (char*)(attr + 1); 1687 mdata = binsanitize(mraw, dlen); 1688 if (mdata == NULL) { 1689 plog(LLV_ERROR, LOCATION, iph1->remote, 1690 "Cannot allocate memory\n"); 1691 return NULL; 1692 } 1693 plog(LLV_NOTIFY,LOCATION, iph1->remote, 1694 "XAUTH Message: '%s'.\n", 1695 mdata); 1696 racoon_free(mdata); 1697 } 1698 } 1699 1700 default: 1701 plog(LLV_WARNING, LOCATION, NULL, 1702 "Ignored attribute %s\n", s_isakmp_cfg_type(type)); 1703 return NULL; 1704 break; 1705 } 1706 1707 if ((buffer = vmalloc(sizeof(*attr))) == NULL) { 1708 plog(LLV_ERROR, LOCATION, NULL, 1709 "Cannot allocate memory\n"); 1710 return NULL; 1711 } 1712 1713 attr = (struct isakmp_data *)buffer->v; 1714 attr->type = htons(type | ISAKMP_GEN_TV); 1715 attr->lorv = htons(0); 1716 1717 return buffer; 1718 } 1719 1720 1721 void 1722 xauth_rmstate(xst) 1723 struct xauth_state *xst; 1724 { 1725 switch (xst->authtype) { 1726 case XAUTH_TYPE_GENERIC: 1727 if (xst->authdata.generic.usr) 1728 racoon_free(xst->authdata.generic.usr); 1729 1730 if (xst->authdata.generic.pwd) 1731 racoon_free(xst->authdata.generic.pwd); 1732 1733 break; 1734 1735 case XAUTH_TYPE_CHAP: 1736 case XAUTH_TYPE_OTP: 1737 case XAUTH_TYPE_SKEY: 1738 plog(LLV_WARNING, LOCATION, NULL, 1739 "Unsupported authtype %d\n", xst->authtype); 1740 break; 1741 1742 default: 1743 plog(LLV_WARNING, LOCATION, NULL, 1744 "Unexpected authtype %d\n", xst->authtype); 1745 break; 1746 } 1747 1748 #ifdef HAVE_LIBLDAP 1749 if (xst->udn != NULL) 1750 racoon_free(xst->udn); 1751 #endif 1752 return; 1753 } 1754 1755 int 1756 xauth_rmconf_used(xauth_rmconf) 1757 struct xauth_rmconf **xauth_rmconf; 1758 { 1759 if (*xauth_rmconf == NULL) { 1760 *xauth_rmconf = racoon_malloc(sizeof(**xauth_rmconf)); 1761 if (*xauth_rmconf == NULL) { 1762 plog(LLV_ERROR, LOCATION, NULL, 1763 "xauth_rmconf_used: malloc failed\n"); 1764 return -1; 1765 } 1766 1767 (*xauth_rmconf)->login = NULL; 1768 (*xauth_rmconf)->pass = NULL; 1769 (*xauth_rmconf)->state = 0; 1770 } 1771 1772 return 0; 1773 } 1774 1775 void 1776 xauth_rmconf_delete(xauth_rmconf) 1777 struct xauth_rmconf **xauth_rmconf; 1778 { 1779 if (*xauth_rmconf != NULL) { 1780 if ((*xauth_rmconf)->login != NULL) 1781 vfree((*xauth_rmconf)->login); 1782 if ((*xauth_rmconf)->pass != NULL) 1783 vfree((*xauth_rmconf)->pass); 1784 1785 racoon_free(*xauth_rmconf); 1786 *xauth_rmconf = NULL; 1787 } 1788 1789 return; 1790 } 1791 1792 struct xauth_rmconf * 1793 xauth_rmconf_dup(xauth_rmconf) 1794 struct xauth_rmconf *xauth_rmconf; 1795 { 1796 struct xauth_rmconf *new; 1797 1798 if (xauth_rmconf != NULL) { 1799 new = racoon_malloc(sizeof(*new)); 1800 if (new == NULL) { 1801 plog(LLV_ERROR, LOCATION, NULL, 1802 "xauth_rmconf_dup: malloc failed\n"); 1803 return NULL; 1804 } 1805 1806 memcpy(new, xauth_rmconf, sizeof(*new)); 1807 1808 if (xauth_rmconf->login != NULL) { 1809 new->login = vdup(xauth_rmconf->login); 1810 if (new->login == NULL) { 1811 plog(LLV_ERROR, LOCATION, NULL, 1812 "xauth_rmconf_dup: malloc failed (login)\n"); 1813 return NULL; 1814 } 1815 } 1816 if (xauth_rmconf->pass != NULL) { 1817 new->pass = vdup(xauth_rmconf->pass); 1818 if (new->pass == NULL) { 1819 plog(LLV_ERROR, LOCATION, NULL, 1820 "xauth_rmconf_dup: malloc failed (password)\n"); 1821 return NULL; 1822 } 1823 } 1824 1825 return new; 1826 } 1827 1828 return NULL; 1829 } 1830