1 /* $NetBSD: isakmp_xauth.c,v 1.27 2014/03/18 18:20:35 riastradh Exp $ */ 2 3 /* Id: isakmp_xauth.c,v 1.38 2006/08/22 18:17:17 manubsd Exp */ 4 5 /* 6 * Copyright (C) 2004-2005 Emmanuel Dreyfus 7 * All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 3. Neither the name of the project nor the names of its contributors 18 * may be used to endorse or promote products derived from this software 19 * without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 * SUCH DAMAGE. 32 */ 33 34 #include "config.h" 35 36 #include <sys/types.h> 37 #include <sys/param.h> 38 #include <sys/socket.h> 39 #include <sys/queue.h> 40 41 #include <netinet/in.h> 42 43 #include <assert.h> 44 #include <stdlib.h> 45 #include <stdio.h> 46 #include <string.h> 47 #include <errno.h> 48 #include <pwd.h> 49 #include <grp.h> 50 #if TIME_WITH_SYS_TIME 51 # include <sys/time.h> 52 # include <time.h> 53 #else 54 # if HAVE_SYS_TIME_H 55 # include <sys/time.h> 56 # else 57 # include <time.h> 58 # endif 59 #endif 60 #include <netdb.h> 61 #ifdef HAVE_UNISTD_H 62 #include <unistd.h> 63 #endif 64 #include <ctype.h> 65 #include <resolv.h> 66 67 #ifdef HAVE_SHADOW_H 68 #include <shadow.h> 69 #endif 70 71 #include "var.h" 72 #include "misc.h" 73 #include "vmbuf.h" 74 #include "plog.h" 75 #include "sockmisc.h" 76 #include "schedule.h" 77 #include "debug.h" 78 79 #include "crypto_openssl.h" 80 #include "isakmp_var.h" 81 #include "isakmp.h" 82 #include "admin.h" 83 #include "privsep.h" 84 #include "evt.h" 85 #include "handler.h" 86 #include "throttle.h" 87 #include "remoteconf.h" 88 #include "isakmp_inf.h" 89 #include "isakmp_xauth.h" 90 #include "isakmp_unity.h" 91 #include "isakmp_cfg.h" 92 #include "strnames.h" 93 #include "ipsec_doi.h" 94 #include "remoteconf.h" 95 #include "localconf.h" 96 97 #ifdef HAVE_LIBRADIUS 98 #include <radlib.h> 99 struct rad_handle *radius_auth_state = NULL; 100 struct rad_handle *radius_acct_state = NULL; 101 struct xauth_rad_config xauth_rad_config; 102 #endif 103 104 #ifdef HAVE_LIBPAM 105 #include <security/pam_appl.h> 106 107 static char *PAM_usr = NULL; 108 static char *PAM_pwd = NULL; 109 static int PAM_conv(int, const struct pam_message **, 110 struct pam_response **, void *); 111 static struct pam_conv PAM_chat = { &PAM_conv, NULL }; 112 #endif 113 114 #ifdef HAVE_LIBLDAP 115 #include "ldap.h" 116 #include <arpa/inet.h> 117 struct xauth_ldap_config xauth_ldap_config; 118 #endif 119 120 void 121 xauth_sendreq(iph1) 122 struct ph1handle *iph1; 123 { 124 vchar_t *buffer; 125 struct isakmp_pl_attr *attr; 126 struct isakmp_data *typeattr; 127 struct isakmp_data *usrattr; 128 struct isakmp_data *pwdattr; 129 struct xauth_state *xst = &iph1->mode_cfg->xauth; 130 size_t tlen; 131 132 /* Status checks */ 133 if (iph1->status < PHASE1ST_ESTABLISHED) { 134 plog(LLV_ERROR, LOCATION, NULL, 135 "Xauth request while phase 1 is not completed\n"); 136 return; 137 } 138 139 if (xst->status != XAUTHST_NOTYET) { 140 plog(LLV_ERROR, LOCATION, NULL, 141 "Xauth request whith Xauth state %d\n", xst->status); 142 return; 143 } 144 145 plog(LLV_INFO, LOCATION, NULL, "Sending Xauth request\n"); 146 147 tlen = sizeof(*attr) + 148 + sizeof(*typeattr) + 149 + sizeof(*usrattr) + 150 + sizeof(*pwdattr); 151 152 if ((buffer = vmalloc(tlen)) == NULL) { 153 plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate buffer\n"); 154 return; 155 } 156 157 attr = (struct isakmp_pl_attr *)buffer->v; 158 memset(attr, 0, tlen); 159 160 attr->h.len = htons(tlen); 161 attr->type = ISAKMP_CFG_REQUEST; 162 attr->id = htons(eay_random()); 163 164 typeattr = (struct isakmp_data *)(attr + 1); 165 typeattr->type = htons(XAUTH_TYPE | ISAKMP_GEN_TV); 166 typeattr->lorv = htons(XAUTH_TYPE_GENERIC); 167 168 usrattr = (struct isakmp_data *)(typeattr + 1); 169 usrattr->type = htons(XAUTH_USER_NAME | ISAKMP_GEN_TLV); 170 usrattr->lorv = htons(0); 171 172 pwdattr = (struct isakmp_data *)(usrattr + 1); 173 pwdattr->type = htons(XAUTH_USER_PASSWORD | ISAKMP_GEN_TLV); 174 pwdattr->lorv = htons(0); 175 176 isakmp_cfg_send(iph1, buffer, 177 ISAKMP_NPTYPE_ATTR, ISAKMP_FLAG_E, 1); 178 179 vfree(buffer); 180 181 xst->status = XAUTHST_REQSENT; 182 183 return; 184 } 185 186 int 187 xauth_attr_reply(iph1, attr, id) 188 struct ph1handle *iph1; 189 struct isakmp_data *attr; 190 int id; 191 { 192 char **outlet = NULL; 193 size_t alen = 0; 194 int type; 195 struct xauth_state *xst = &iph1->mode_cfg->xauth; 196 197 if ((iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) == 0) { 198 plog(LLV_ERROR, LOCATION, NULL, 199 "Xauth reply but peer did not declare " 200 "itself as Xauth capable\n"); 201 return -1; 202 } 203 204 if (xst->status != XAUTHST_REQSENT) { 205 plog(LLV_ERROR, LOCATION, NULL, 206 "Xauth reply while Xauth state is %d\n", xst->status); 207 return -1; 208 } 209 210 type = ntohs(attr->type) & ~ISAKMP_GEN_MASK; 211 switch (type) { 212 case XAUTH_TYPE: 213 switch (ntohs(attr->lorv)) { 214 case XAUTH_TYPE_GENERIC: 215 xst->authtype = XAUTH_TYPE_GENERIC; 216 break; 217 default: 218 plog(LLV_WARNING, LOCATION, NULL, 219 "Unexpected authentication type %d\n", 220 ntohs(type)); 221 return -1; 222 } 223 break; 224 225 case XAUTH_USER_NAME: 226 outlet = &xst->authdata.generic.usr; 227 break; 228 229 case XAUTH_USER_PASSWORD: 230 outlet = &xst->authdata.generic.pwd; 231 break; 232 233 default: 234 plog(LLV_WARNING, LOCATION, NULL, 235 "ignored Xauth attribute %d\n", type); 236 break; 237 } 238 239 if (outlet != NULL) { 240 alen = ntohs(attr->lorv); 241 242 if ((*outlet = racoon_malloc(alen + 1)) == NULL) { 243 plog(LLV_ERROR, LOCATION, NULL, 244 "Cannot allocate memory for Xauth Data\n"); 245 return -1; 246 } 247 248 memcpy(*outlet, attr + 1, alen); 249 (*outlet)[alen] = '\0'; 250 outlet = NULL; 251 } 252 253 254 if ((xst->authdata.generic.usr != NULL) && 255 (xst->authdata.generic.pwd != NULL)) { 256 int port; 257 int res; 258 char *usr = xst->authdata.generic.usr; 259 char *pwd = xst->authdata.generic.pwd; 260 time_t throttle_delay = 0; 261 262 #if 0 /* Real debug, don't do that at home */ 263 plog(LLV_DEBUG, LOCATION, NULL, 264 "Got username \"%s\", password \"%s\"\n", usr, pwd); 265 #endif 266 strncpy(iph1->mode_cfg->login, usr, LOGINLEN); 267 iph1->mode_cfg->login[LOGINLEN] = '\0'; 268 269 res = -1; 270 if ((port = isakmp_cfg_getport(iph1)) == -1) { 271 plog(LLV_ERROR, LOCATION, NULL, 272 "Port pool depleted\n"); 273 goto skip_auth; 274 } 275 276 switch (isakmp_cfg_config.authsource) { 277 case ISAKMP_CFG_AUTH_SYSTEM: 278 res = privsep_xauth_login_system(usr, pwd); 279 break; 280 #ifdef HAVE_LIBRADIUS 281 case ISAKMP_CFG_AUTH_RADIUS: 282 res = xauth_login_radius(iph1, usr, pwd); 283 break; 284 #endif 285 #ifdef HAVE_LIBPAM 286 case ISAKMP_CFG_AUTH_PAM: 287 res = privsep_xauth_login_pam(iph1->mode_cfg->port, 288 iph1->remote, usr, pwd); 289 break; 290 #endif 291 #ifdef HAVE_LIBLDAP 292 case ISAKMP_CFG_AUTH_LDAP: 293 res = xauth_login_ldap(iph1, usr, pwd); 294 break; 295 #endif 296 default: 297 plog(LLV_ERROR, LOCATION, NULL, 298 "Unexpected authentication source\n"); 299 res = -1; 300 break; 301 } 302 303 /* 304 * Optional group authentication 305 */ 306 if (!res && (isakmp_cfg_config.groupcount)) 307 res = group_check(iph1, 308 isakmp_cfg_config.grouplist, 309 isakmp_cfg_config.groupcount); 310 311 /* 312 * On failure, throttle the connexion for the remote host 313 * in order to make password attacks more difficult. 314 */ 315 throttle_delay = throttle_host(iph1->remote, res); 316 if (throttle_delay > 0) { 317 char *str; 318 319 str = saddrwop2str(iph1->remote); 320 321 plog(LLV_ERROR, LOCATION, NULL, 322 "Throttling in action for %s: delay %lds\n", 323 str, (unsigned long)throttle_delay); 324 res = -1; 325 } else { 326 throttle_delay = 0; 327 } 328 329 skip_auth: 330 if (throttle_delay != 0) { 331 struct xauth_reply_arg *xra; 332 333 if ((xra = racoon_calloc(1, sizeof(*xra))) == NULL) { 334 plog(LLV_ERROR, LOCATION, NULL, 335 "malloc failed, bypass throttling\n"); 336 return xauth_reply(iph1, port, id, res); 337 } 338 339 /* 340 * We need to store the ph1, but it might have 341 * disapeared when xauth_reply is called, so 342 * store the index instead. 343 */ 344 xra->index = iph1->index; 345 xra->port = port; 346 xra->id = id; 347 xra->res = res; 348 sched_schedule(&xra->sc, throttle_delay, 349 xauth_reply_stub); 350 } else { 351 return xauth_reply(iph1, port, id, res); 352 } 353 } 354 355 return 0; 356 } 357 358 void 359 xauth_reply_stub(sc) 360 struct sched *sc; 361 { 362 struct xauth_reply_arg *xra = container_of(sc, struct xauth_reply_arg, sc); 363 struct ph1handle *iph1; 364 365 if ((iph1 = getph1byindex(&xra->index)) != NULL) 366 (void)xauth_reply(iph1, xra->port, xra->id, xra->res); 367 else 368 plog(LLV_ERROR, LOCATION, NULL, 369 "Delayed Xauth reply: phase 1 no longer exists.\n"); 370 371 racoon_free(xra); 372 } 373 374 int 375 xauth_reply(struct ph1handle *iph1, int port, int id, int res) 376 { 377 struct xauth_state *xst = &iph1->mode_cfg->xauth; 378 char *usr = xst->authdata.generic.usr; 379 380 if (res != 0) { 381 if (port != -1) 382 isakmp_cfg_putport(iph1, port); 383 384 plog(LLV_INFO, LOCATION, NULL, 385 "login failed for user \"%s\"\n", usr); 386 387 xauth_sendstatus(iph1, XAUTH_STATUS_FAIL, id); 388 xst->status = XAUTHST_NOTYET; 389 390 /* Delete Phase 1 SA */ 391 if (iph1->status >= PHASE1ST_ESTABLISHED) 392 isakmp_info_send_d1(iph1); 393 remph1(iph1); 394 delph1(iph1); 395 396 return -1; 397 } 398 399 xst->status = XAUTHST_OK; 400 plog(LLV_INFO, LOCATION, NULL, 401 "login succeeded for user \"%s\"\n", usr); 402 403 xauth_sendstatus(iph1, XAUTH_STATUS_OK, id); 404 405 return 0; 406 } 407 408 void 409 xauth_sendstatus(iph1, status, id) 410 struct ph1handle *iph1; 411 int status; 412 int id; 413 { 414 vchar_t *buffer; 415 struct isakmp_pl_attr *attr; 416 struct isakmp_data *stattr; 417 size_t tlen; 418 419 tlen = sizeof(*attr) + 420 + sizeof(*stattr); 421 422 if ((buffer = vmalloc(tlen)) == NULL) { 423 plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate buffer\n"); 424 return; 425 } 426 427 attr = (struct isakmp_pl_attr *)buffer->v; 428 memset(attr, 0, tlen); 429 430 attr->h.len = htons(tlen); 431 attr->type = ISAKMP_CFG_SET; 432 attr->id = htons(id); 433 434 stattr = (struct isakmp_data *)(attr + 1); 435 stattr->type = htons(XAUTH_STATUS | ISAKMP_GEN_TV); 436 stattr->lorv = htons(status); 437 438 isakmp_cfg_send(iph1, buffer, 439 ISAKMP_NPTYPE_ATTR, ISAKMP_FLAG_E, 1); 440 441 vfree(buffer); 442 443 return; 444 } 445 446 #ifdef HAVE_LIBRADIUS 447 int 448 xauth_radius_init_conf(int free) 449 { 450 /* free radius config resources */ 451 if (free) { 452 int i; 453 for (i = 0; i < xauth_rad_config.auth_server_count; i++) { 454 vfree(xauth_rad_config.auth_server_list[i].host); 455 vfree(xauth_rad_config.auth_server_list[i].secret); 456 } 457 for (i = 0; i < xauth_rad_config.acct_server_count; i++) { 458 vfree(xauth_rad_config.acct_server_list[i].host); 459 vfree(xauth_rad_config.acct_server_list[i].secret); 460 } 461 if (radius_auth_state != NULL) { 462 rad_close(radius_auth_state); 463 radius_auth_state = NULL; 464 } 465 if (radius_acct_state != NULL) { 466 rad_close(radius_acct_state); 467 radius_acct_state = NULL; 468 } 469 } 470 471 /* initialize radius config */ 472 memset(&xauth_rad_config, 0, sizeof(xauth_rad_config)); 473 return 0; 474 } 475 476 int 477 xauth_radius_init(void) 478 { 479 /* For first time use, initialize Radius */ 480 if ((isakmp_cfg_config.authsource == ISAKMP_CFG_AUTH_RADIUS) && 481 (radius_auth_state == NULL)) { 482 if ((radius_auth_state = rad_auth_open()) == NULL) { 483 plog(LLV_ERROR, LOCATION, NULL, 484 "Cannot init libradius\n"); 485 return -1; 486 } 487 488 int auth_count = xauth_rad_config.auth_server_count; 489 int auth_added = 0; 490 if (auth_count) { 491 int i; 492 for (i = 0; i < auth_count; i++) { 493 if(!rad_add_server( 494 radius_auth_state, 495 xauth_rad_config.auth_server_list[i].host->v, 496 xauth_rad_config.auth_server_list[i].port, 497 xauth_rad_config.auth_server_list[i].secret->v, 498 xauth_rad_config.timeout, 499 xauth_rad_config.retries )) 500 auth_added++; 501 else 502 plog(LLV_WARNING, LOCATION, NULL, 503 "could not add radius auth server %s\n", 504 xauth_rad_config.auth_server_list[i].host->v); 505 } 506 } 507 508 if (!auth_added) { 509 if (rad_config(radius_auth_state, NULL) != 0) { 510 plog(LLV_ERROR, LOCATION, NULL, 511 "Cannot open libradius config file: %s\n", 512 rad_strerror(radius_auth_state)); 513 rad_close(radius_auth_state); 514 radius_auth_state = NULL; 515 return -1; 516 } 517 } 518 } 519 520 if ((isakmp_cfg_config.accounting == ISAKMP_CFG_ACCT_RADIUS) && 521 (radius_acct_state == NULL)) { 522 if ((radius_acct_state = rad_acct_open()) == NULL) { 523 plog(LLV_ERROR, LOCATION, NULL, 524 "Cannot init libradius\n"); 525 return -1; 526 } 527 528 int acct_count = xauth_rad_config.acct_server_count; 529 int acct_added = 0; 530 if (acct_count) { 531 int i; 532 for (i = 0; i < acct_count; i++) { 533 if(!rad_add_server( 534 radius_acct_state, 535 xauth_rad_config.acct_server_list[i].host->v, 536 xauth_rad_config.acct_server_list[i].port, 537 xauth_rad_config.acct_server_list[i].secret->v, 538 xauth_rad_config.timeout, 539 xauth_rad_config.retries )) 540 acct_added++; 541 else 542 plog(LLV_WARNING, LOCATION, NULL, 543 "could not add radius account server %s\n", 544 xauth_rad_config.acct_server_list[i].host->v); 545 } 546 } 547 548 if (!acct_added) { 549 if (rad_config(radius_acct_state, NULL) != 0) { 550 plog(LLV_ERROR, LOCATION, NULL, 551 "Cannot open libradius config file: %s\n", 552 rad_strerror(radius_acct_state)); 553 rad_close(radius_acct_state); 554 radius_acct_state = NULL; 555 return -1; 556 } 557 } 558 } 559 560 return 0; 561 } 562 563 int 564 xauth_login_radius(iph1, usr, pwd) 565 struct ph1handle *iph1; 566 char *usr; 567 char *pwd; 568 { 569 int res; 570 const void *data; 571 size_t len; 572 int type; 573 574 if (rad_create_request(radius_auth_state, RAD_ACCESS_REQUEST) != 0) { 575 plog(LLV_ERROR, LOCATION, NULL, 576 "rad_create_request failed: %s\n", 577 rad_strerror(radius_auth_state)); 578 return -1; 579 } 580 581 if (rad_put_string(radius_auth_state, RAD_USER_NAME, usr) != 0) { 582 plog(LLV_ERROR, LOCATION, NULL, 583 "rad_put_string failed: %s\n", 584 rad_strerror(radius_auth_state)); 585 return -1; 586 } 587 588 if (rad_put_string(radius_auth_state, RAD_USER_PASSWORD, pwd) != 0) { 589 plog(LLV_ERROR, LOCATION, NULL, 590 "rad_put_string failed: %s\n", 591 rad_strerror(radius_auth_state)); 592 return -1; 593 } 594 595 if (rad_put_string(radius_auth_state, RAD_CALLING_STATION_ID, 596 saddr2str(iph1->remote)) != 0) 597 return -1; 598 599 if (isakmp_cfg_radius_common(radius_auth_state, iph1->mode_cfg->port) != 0) 600 return -1; 601 602 switch (res = rad_send_request(radius_auth_state)) { 603 case RAD_ACCESS_ACCEPT: 604 while ((type = rad_get_attr(radius_auth_state, &data, &len)) != 0) { 605 switch (type) { 606 case RAD_FRAMED_IP_ADDRESS: 607 iph1->mode_cfg->addr4 = rad_cvt_addr(data); 608 iph1->mode_cfg->flags 609 |= ISAKMP_CFG_ADDR4_EXTERN; 610 break; 611 612 case RAD_FRAMED_IP_NETMASK: 613 iph1->mode_cfg->mask4 = rad_cvt_addr(data); 614 iph1->mode_cfg->flags 615 |= ISAKMP_CFG_MASK4_EXTERN; 616 break; 617 618 default: 619 plog(LLV_INFO, LOCATION, NULL, 620 "Unexpected attribute: %d\n", type); 621 break; 622 } 623 } 624 625 return 0; 626 break; 627 628 case RAD_ACCESS_REJECT: 629 return -1; 630 break; 631 632 case -1: 633 plog(LLV_ERROR, LOCATION, NULL, 634 "rad_send_request failed: %s\n", 635 rad_strerror(radius_auth_state)); 636 return -1; 637 break; 638 default: 639 plog(LLV_ERROR, LOCATION, NULL, 640 "rad_send_request returned %d\n", res); 641 return -1; 642 break; 643 } 644 645 return -1; 646 } 647 #endif 648 649 #ifdef HAVE_LIBPAM 650 static int 651 PAM_conv(msg_count, msg, rsp, dontcare) 652 int msg_count; 653 const struct pam_message **msg; 654 struct pam_response **rsp; 655 void *dontcare; 656 { 657 int i; 658 int replies = 0; 659 struct pam_response *reply = NULL; 660 661 if ((reply = racoon_malloc(sizeof(*reply) * msg_count)) == NULL) 662 return PAM_CONV_ERR; 663 bzero(reply, sizeof(*reply) * msg_count); 664 665 for (i = 0; i < msg_count; i++) { 666 switch (msg[i]->msg_style) { 667 case PAM_PROMPT_ECHO_ON: 668 /* Send the username, libpam frees resp */ 669 reply[i].resp_retcode = PAM_SUCCESS; 670 if ((reply[i].resp = strdup(PAM_usr)) == NULL) { 671 plog(LLV_ERROR, LOCATION, 672 NULL, "strdup failed\n"); 673 exit(1); 674 } 675 break; 676 677 case PAM_PROMPT_ECHO_OFF: 678 /* Send the password, libpam frees resp */ 679 reply[i].resp_retcode = PAM_SUCCESS; 680 if ((reply[i].resp = strdup(PAM_pwd)) == NULL) { 681 plog(LLV_ERROR, LOCATION, 682 NULL, "strdup failed\n"); 683 exit(1); 684 } 685 break; 686 687 case PAM_TEXT_INFO: 688 case PAM_ERROR_MSG: 689 reply[i].resp_retcode = PAM_SUCCESS; 690 reply[i].resp = NULL; 691 break; 692 693 default: 694 if (reply != NULL) 695 racoon_free(reply); 696 return PAM_CONV_ERR; 697 break; 698 } 699 } 700 701 if (reply != NULL) 702 *rsp = reply; 703 704 return PAM_SUCCESS; 705 } 706 707 int 708 xauth_login_pam(port, raddr, usr, pwd) 709 int port; 710 struct sockaddr *raddr; 711 char *usr; 712 char *pwd; 713 { 714 int error; 715 int res; 716 const void *data; 717 size_t len; 718 int type; 719 char *remote = NULL; 720 pam_handle_t *pam = NULL; 721 722 if (isakmp_cfg_config.port_pool == NULL) { 723 plog(LLV_ERROR, LOCATION, NULL, 724 "isakmp_cfg_config.port_pool == NULL\n"); 725 return -1; 726 } 727 728 if ((error = pam_start("racoon", usr, 729 &PAM_chat, &isakmp_cfg_config.port_pool[port].pam)) != 0) { 730 if (isakmp_cfg_config.port_pool[port].pam == NULL) { 731 plog(LLV_ERROR, LOCATION, NULL, "pam_start failed\n"); 732 return -1; 733 } else { 734 plog(LLV_ERROR, LOCATION, NULL, 735 "pam_start failed: %s\n", 736 pam_strerror(isakmp_cfg_config.port_pool[port].pam, 737 error)); 738 goto out; 739 } 740 } 741 pam = isakmp_cfg_config.port_pool[port].pam; 742 743 if ((remote = strdup(saddrwop2str(raddr))) == NULL) { 744 plog(LLV_ERROR, LOCATION, NULL, 745 "cannot allocate memory: %s\n", strerror(errno)); 746 goto out; 747 } 748 749 if ((error = pam_set_item(pam, PAM_RHOST, remote)) != 0) { 750 plog(LLV_ERROR, LOCATION, NULL, 751 "pam_set_item failed: %s\n", 752 pam_strerror(pam, error)); 753 goto out; 754 } 755 756 if ((error = pam_set_item(pam, PAM_RUSER, usr)) != 0) { 757 plog(LLV_ERROR, LOCATION, NULL, 758 "pam_set_item failed: %s\n", 759 pam_strerror(pam, error)); 760 goto out; 761 } 762 763 PAM_usr = usr; 764 PAM_pwd = pwd; 765 error = pam_authenticate(pam, 0); 766 PAM_usr = NULL; 767 PAM_pwd = NULL; 768 if (error != 0) { 769 plog(LLV_ERROR, LOCATION, NULL, 770 "pam_authenticate failed: %s\n", 771 pam_strerror(pam, error)); 772 goto out; 773 } 774 775 if ((error = pam_acct_mgmt(pam, 0)) != 0) { 776 plog(LLV_ERROR, LOCATION, NULL, 777 "pam_acct_mgmt failed: %s\n", 778 pam_strerror(pam, error)); 779 goto out; 780 } 781 782 if ((error = pam_setcred(pam, 0)) != 0) { 783 plog(LLV_ERROR, LOCATION, NULL, 784 "pam_setcred failed: %s\n", 785 pam_strerror(pam, error)); 786 goto out; 787 } 788 789 if (remote != NULL) 790 free(remote); 791 792 return 0; 793 794 out: 795 pam_end(pam, error); 796 isakmp_cfg_config.port_pool[port].pam = NULL; 797 if (remote != NULL) 798 free(remote); 799 return -1; 800 } 801 #endif 802 803 #ifdef HAVE_LIBLDAP 804 int 805 xauth_ldap_init_conf(void) 806 { 807 int tmplen; 808 int error = -1; 809 810 xauth_ldap_config.pver = 3; 811 xauth_ldap_config.host = NULL; 812 xauth_ldap_config.port = LDAP_PORT; 813 xauth_ldap_config.tls = 0; 814 xauth_ldap_config.base = NULL; 815 xauth_ldap_config.subtree = 0; 816 xauth_ldap_config.bind_dn = NULL; 817 xauth_ldap_config.bind_pw = NULL; 818 xauth_ldap_config.auth_type = LDAP_AUTH_SIMPLE; 819 xauth_ldap_config.attr_user = NULL; 820 xauth_ldap_config.attr_addr = NULL; 821 xauth_ldap_config.attr_mask = NULL; 822 xauth_ldap_config.attr_group = NULL; 823 xauth_ldap_config.attr_member = NULL; 824 825 /* set default host */ 826 tmplen = strlen(LDAP_DFLT_HOST); 827 xauth_ldap_config.host = vmalloc(tmplen); 828 if (xauth_ldap_config.host == NULL) 829 goto out; 830 memcpy(xauth_ldap_config.host->v, LDAP_DFLT_HOST, tmplen); 831 832 /* set default user naming attribute */ 833 tmplen = strlen(LDAP_DFLT_USER); 834 xauth_ldap_config.attr_user = vmalloc(tmplen); 835 if (xauth_ldap_config.attr_user == NULL) 836 goto out; 837 memcpy(xauth_ldap_config.attr_user->v, LDAP_DFLT_USER, tmplen); 838 839 /* set default address attribute */ 840 tmplen = strlen(LDAP_DFLT_ADDR); 841 xauth_ldap_config.attr_addr = vmalloc(tmplen); 842 if (xauth_ldap_config.attr_addr == NULL) 843 goto out; 844 memcpy(xauth_ldap_config.attr_addr->v, LDAP_DFLT_ADDR, tmplen); 845 846 /* set default netmask attribute */ 847 tmplen = strlen(LDAP_DFLT_MASK); 848 xauth_ldap_config.attr_mask = vmalloc(tmplen); 849 if (xauth_ldap_config.attr_mask == NULL) 850 goto out; 851 memcpy(xauth_ldap_config.attr_mask->v, LDAP_DFLT_MASK, tmplen); 852 853 /* set default group naming attribute */ 854 tmplen = strlen(LDAP_DFLT_GROUP); 855 xauth_ldap_config.attr_group = vmalloc(tmplen); 856 if (xauth_ldap_config.attr_group == NULL) 857 goto out; 858 memcpy(xauth_ldap_config.attr_group->v, LDAP_DFLT_GROUP, tmplen); 859 860 /* set default member attribute */ 861 tmplen = strlen(LDAP_DFLT_MEMBER); 862 xauth_ldap_config.attr_member = vmalloc(tmplen); 863 if (xauth_ldap_config.attr_member == NULL) 864 goto out; 865 memcpy(xauth_ldap_config.attr_member->v, LDAP_DFLT_MEMBER, tmplen); 866 867 error = 0; 868 out: 869 if (error != 0) 870 plog(LLV_ERROR, LOCATION, NULL, "cannot allocate memory\n"); 871 872 return error; 873 } 874 875 int 876 xauth_login_ldap(iph1, usr, pwd) 877 struct ph1handle *iph1; 878 char *usr; 879 char *pwd; 880 { 881 int rtn = -1; 882 int res = -1; 883 LDAP *ld = NULL; 884 LDAPMessage *lr = NULL; 885 LDAPMessage *le = NULL; 886 struct berval cred; 887 struct berval **bv = NULL; 888 struct timeval timeout; 889 char *init = NULL; 890 char *filter = NULL; 891 char *atlist[3]; 892 char *basedn = NULL; 893 char *userdn = NULL; 894 int tmplen = 0; 895 int ecount = 0; 896 int scope = LDAP_SCOPE_ONE; 897 898 atlist[0] = NULL; 899 atlist[1] = NULL; 900 atlist[2] = NULL; 901 902 /* build our initialization url */ 903 tmplen = strlen("ldap://:") + 17; 904 tmplen += strlen(xauth_ldap_config.host->v); 905 init = racoon_malloc(tmplen); 906 if (init == NULL) { 907 plog(LLV_ERROR, LOCATION, NULL, 908 "unable to alloc ldap init url\n"); 909 goto ldap_end; 910 } 911 sprintf(init,"ldap://%s:%d", 912 xauth_ldap_config.host->v, 913 xauth_ldap_config.port ); 914 915 /* initialize the ldap handle */ 916 res = ldap_initialize(&ld, init); 917 if (res != LDAP_SUCCESS) { 918 plog(LLV_ERROR, LOCATION, NULL, 919 "ldap_initialize failed: %s\n", 920 ldap_err2string(res)); 921 goto ldap_end; 922 } 923 924 /* initialize the protocol version */ 925 ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, 926 &xauth_ldap_config.pver); 927 928 /* Enable TLS */ 929 if (xauth_ldap_config.tls) { 930 res = ldap_start_tls_s(ld, NULL, NULL); 931 if (res != LDAP_SUCCESS) { 932 plog(LLV_ERROR, LOCATION, NULL, 933 "ldap_start_tls_s failed: %s\n", 934 ldap_err2string(res)); 935 goto ldap_end; 936 } 937 } 938 939 /* 940 * attempt to bind to the ldap server. 941 * default to anonymous bind unless a 942 * user dn and password has been 943 * specified in our configuration 944 */ 945 if ((xauth_ldap_config.bind_dn != NULL)&& 946 (xauth_ldap_config.bind_pw != NULL)) 947 { 948 cred.bv_val = xauth_ldap_config.bind_pw->v; 949 cred.bv_len = strlen( cred.bv_val ); 950 res = ldap_sasl_bind_s(ld, 951 xauth_ldap_config.bind_dn->v, NULL, &cred, 952 NULL, NULL, NULL); 953 } 954 else 955 { 956 res = ldap_sasl_bind_s(ld, 957 NULL, NULL, NULL, 958 NULL, NULL, NULL); 959 } 960 961 if (res!=LDAP_SUCCESS) { 962 plog(LLV_ERROR, LOCATION, NULL, 963 "ldap_sasl_bind_s (search) failed: %s\n", 964 ldap_err2string(res)); 965 goto ldap_end; 966 } 967 968 /* build an ldap user search filter */ 969 tmplen = strlen(xauth_ldap_config.attr_user->v); 970 tmplen += 1; 971 tmplen += strlen(usr); 972 tmplen += 1; 973 filter = racoon_malloc(tmplen); 974 if (filter == NULL) { 975 plog(LLV_ERROR, LOCATION, NULL, 976 "unable to alloc ldap search filter buffer\n"); 977 goto ldap_end; 978 } 979 sprintf(filter, "%s=%s", 980 xauth_ldap_config.attr_user->v, usr); 981 982 /* build our return attribute list */ 983 tmplen = strlen(xauth_ldap_config.attr_addr->v) + 1; 984 atlist[0] = racoon_malloc(tmplen); 985 tmplen = strlen(xauth_ldap_config.attr_mask->v) + 1; 986 atlist[1] = racoon_malloc(tmplen); 987 if ((atlist[0] == NULL)||(atlist[1] == NULL)) { 988 plog(LLV_ERROR, LOCATION, NULL, 989 "unable to alloc ldap attrib list buffer\n"); 990 goto ldap_end; 991 } 992 strcpy(atlist[0],xauth_ldap_config.attr_addr->v); 993 strcpy(atlist[1],xauth_ldap_config.attr_mask->v); 994 995 /* attempt to locate the user dn */ 996 if (xauth_ldap_config.base != NULL) 997 basedn = xauth_ldap_config.base->v; 998 if (xauth_ldap_config.subtree) 999 scope = LDAP_SCOPE_SUBTREE; 1000 timeout.tv_sec = 15; 1001 timeout.tv_usec = 0; 1002 res = ldap_search_ext_s(ld, basedn, scope, 1003 filter, atlist, 0, NULL, NULL, 1004 &timeout, 2, &lr); 1005 if (res != LDAP_SUCCESS) { 1006 plog(LLV_ERROR, LOCATION, NULL, 1007 "ldap_search_ext_s failed: %s\n", 1008 ldap_err2string(res)); 1009 goto ldap_end; 1010 } 1011 1012 /* check the number of ldap entries returned */ 1013 ecount = ldap_count_entries(ld, lr); 1014 if (ecount < 1) { 1015 plog(LLV_WARNING, LOCATION, NULL, 1016 "no ldap results for filter \'%s\'\n", 1017 filter); 1018 goto ldap_end; 1019 } 1020 if (ecount > 1) { 1021 plog(LLV_WARNING, LOCATION, NULL, 1022 "multiple (%i) ldap results for filter \'%s\'\n", 1023 ecount, filter); 1024 } 1025 1026 /* obtain the dn from the first result */ 1027 le = ldap_first_entry(ld, lr); 1028 if (le == NULL) { 1029 plog(LLV_ERROR, LOCATION, NULL, 1030 "ldap_first_entry failed: invalid entry returned\n"); 1031 goto ldap_end; 1032 } 1033 userdn = ldap_get_dn(ld, le); 1034 if (userdn == NULL) { 1035 plog(LLV_ERROR, LOCATION, NULL, 1036 "ldap_get_dn failed: invalid string returned\n"); 1037 goto ldap_end; 1038 } 1039 1040 /* cache the user dn in the xauth state */ 1041 iph1->mode_cfg->xauth.udn = racoon_malloc(strlen(userdn)+1); 1042 strcpy(iph1->mode_cfg->xauth.udn,userdn); 1043 1044 /* retrieve modecfg address */ 1045 bv = ldap_get_values_len(ld, le, xauth_ldap_config.attr_addr->v); 1046 if (bv != NULL) { 1047 char tmpaddr[16]; 1048 /* sanity check for address value */ 1049 if ((bv[0]->bv_len < 7)||(bv[0]->bv_len > 15)) { 1050 plog(LLV_DEBUG, LOCATION, NULL, 1051 "ldap returned invalid modecfg address\n"); 1052 ldap_value_free_len(bv); 1053 goto ldap_end; 1054 } 1055 memcpy(tmpaddr,bv[0]->bv_val,bv[0]->bv_len); 1056 tmpaddr[bv[0]->bv_len]=0; 1057 iph1->mode_cfg->addr4.s_addr = inet_addr(tmpaddr); 1058 iph1->mode_cfg->flags |= ISAKMP_CFG_ADDR4_EXTERN; 1059 plog(LLV_INFO, LOCATION, NULL, 1060 "ldap returned modecfg address %s\n", tmpaddr); 1061 ldap_value_free_len(bv); 1062 } 1063 1064 /* retrieve modecfg netmask */ 1065 bv = ldap_get_values_len(ld, le, xauth_ldap_config.attr_mask->v); 1066 if (bv != NULL) { 1067 char tmpmask[16]; 1068 /* sanity check for netmask value */ 1069 if ((bv[0]->bv_len < 7)||(bv[0]->bv_len > 15)) { 1070 plog(LLV_DEBUG, LOCATION, NULL, 1071 "ldap returned invalid modecfg netmask\n"); 1072 ldap_value_free_len(bv); 1073 goto ldap_end; 1074 } 1075 memcpy(tmpmask,bv[0]->bv_val,bv[0]->bv_len); 1076 tmpmask[bv[0]->bv_len]=0; 1077 iph1->mode_cfg->mask4.s_addr = inet_addr(tmpmask); 1078 iph1->mode_cfg->flags |= ISAKMP_CFG_MASK4_EXTERN; 1079 plog(LLV_INFO, LOCATION, NULL, 1080 "ldap returned modecfg netmask %s\n", tmpmask); 1081 ldap_value_free_len(bv); 1082 } 1083 1084 /* 1085 * finally, use the dn and the xauth 1086 * password to check the users given 1087 * credentials by attempting to bind 1088 * to the ldap server 1089 */ 1090 plog(LLV_INFO, LOCATION, NULL, 1091 "attempting ldap bind for dn \'%s\'\n", userdn); 1092 cred.bv_val = pwd; 1093 cred.bv_len = strlen( cred.bv_val ); 1094 res = ldap_sasl_bind_s(ld, 1095 userdn, NULL, &cred, 1096 NULL, NULL, NULL); 1097 if(res==LDAP_SUCCESS) 1098 rtn = 0; 1099 1100 ldap_end: 1101 1102 /* free ldap resources */ 1103 if (userdn != NULL) 1104 ldap_memfree(userdn); 1105 if (atlist[0] != NULL) 1106 racoon_free(atlist[0]); 1107 if (atlist[1] != NULL) 1108 racoon_free(atlist[1]); 1109 if (filter != NULL) 1110 racoon_free(filter); 1111 if (lr != NULL) 1112 ldap_msgfree(lr); 1113 if (init != NULL) 1114 racoon_free(init); 1115 1116 ldap_unbind_ext_s(ld, NULL, NULL); 1117 1118 return rtn; 1119 } 1120 1121 int 1122 xauth_group_ldap(udn, grp) 1123 char * udn; 1124 char * grp; 1125 { 1126 int rtn = -1; 1127 int res = -1; 1128 LDAP *ld = NULL; 1129 LDAPMessage *lr = NULL; 1130 LDAPMessage *le = NULL; 1131 struct berval cred; 1132 struct timeval timeout; 1133 char *init = NULL; 1134 char *filter = NULL; 1135 char *basedn = NULL; 1136 char *groupdn = NULL; 1137 int tmplen = 0; 1138 int ecount = 0; 1139 int scope = LDAP_SCOPE_ONE; 1140 1141 /* build our initialization url */ 1142 tmplen = strlen("ldap://:") + 17; 1143 tmplen += strlen(xauth_ldap_config.host->v); 1144 init = racoon_malloc(tmplen); 1145 if (init == NULL) { 1146 plog(LLV_ERROR, LOCATION, NULL, 1147 "unable to alloc ldap init url\n"); 1148 goto ldap_group_end; 1149 } 1150 sprintf(init,"ldap://%s:%d", 1151 xauth_ldap_config.host->v, 1152 xauth_ldap_config.port ); 1153 1154 /* initialize the ldap handle */ 1155 res = ldap_initialize(&ld, init); 1156 if (res != LDAP_SUCCESS) { 1157 plog(LLV_ERROR, LOCATION, NULL, 1158 "ldap_initialize failed: %s\n", 1159 ldap_err2string(res)); 1160 goto ldap_group_end; 1161 } 1162 1163 /* initialize the protocol version */ 1164 ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, 1165 &xauth_ldap_config.pver); 1166 1167 /* Enable TLS */ 1168 if (xauth_ldap_config.tls) { 1169 res = ldap_start_tls_s(ld, NULL, NULL); 1170 if (res != LDAP_SUCCESS) { 1171 plog(LLV_ERROR, LOCATION, NULL, 1172 "ldap_start_tls_s failed: %s\n", 1173 ldap_err2string(res)); 1174 goto ldap_group_end; 1175 } 1176 } 1177 1178 /* 1179 * attempt to bind to the ldap server. 1180 * default to anonymous bind unless a 1181 * user dn and password has been 1182 * specified in our configuration 1183 */ 1184 if ((xauth_ldap_config.bind_dn != NULL)&& 1185 (xauth_ldap_config.bind_pw != NULL)) 1186 { 1187 cred.bv_val = xauth_ldap_config.bind_pw->v; 1188 cred.bv_len = strlen( cred.bv_val ); 1189 res = ldap_sasl_bind_s(ld, 1190 xauth_ldap_config.bind_dn->v, NULL, &cred, 1191 NULL, NULL, NULL); 1192 } 1193 else 1194 { 1195 res = ldap_sasl_bind_s(ld, 1196 NULL, NULL, NULL, 1197 NULL, NULL, NULL); 1198 } 1199 1200 if (res!=LDAP_SUCCESS) { 1201 plog(LLV_ERROR, LOCATION, NULL, 1202 "ldap_sasl_bind_s (search) failed: %s\n", 1203 ldap_err2string(res)); 1204 goto ldap_group_end; 1205 } 1206 1207 /* build an ldap group search filter */ 1208 tmplen = strlen("(&(=)(=))") + 1; 1209 tmplen += strlen(xauth_ldap_config.attr_group->v); 1210 tmplen += strlen(grp); 1211 tmplen += strlen(xauth_ldap_config.attr_member->v); 1212 tmplen += strlen(udn); 1213 filter = racoon_malloc(tmplen); 1214 if (filter == NULL) { 1215 plog(LLV_ERROR, LOCATION, NULL, 1216 "unable to alloc ldap search filter buffer\n"); 1217 goto ldap_group_end; 1218 } 1219 sprintf(filter, "(&(%s=%s)(%s=%s))", 1220 xauth_ldap_config.attr_group->v, grp, 1221 xauth_ldap_config.attr_member->v, udn); 1222 1223 /* attempt to locate the group dn */ 1224 if (xauth_ldap_config.base != NULL) 1225 basedn = xauth_ldap_config.base->v; 1226 if (xauth_ldap_config.subtree) 1227 scope = LDAP_SCOPE_SUBTREE; 1228 timeout.tv_sec = 15; 1229 timeout.tv_usec = 0; 1230 res = ldap_search_ext_s(ld, basedn, scope, 1231 filter, NULL, 0, NULL, NULL, 1232 &timeout, 2, &lr); 1233 if (res != LDAP_SUCCESS) { 1234 plog(LLV_ERROR, LOCATION, NULL, 1235 "ldap_search_ext_s failed: %s\n", 1236 ldap_err2string(res)); 1237 goto ldap_group_end; 1238 } 1239 1240 /* check the number of ldap entries returned */ 1241 ecount = ldap_count_entries(ld, lr); 1242 if (ecount < 1) { 1243 plog(LLV_WARNING, LOCATION, NULL, 1244 "no ldap results for filter \'%s\'\n", 1245 filter); 1246 goto ldap_group_end; 1247 } 1248 1249 /* success */ 1250 rtn = 0; 1251 1252 /* obtain the dn from the first result */ 1253 le = ldap_first_entry(ld, lr); 1254 if (le == NULL) { 1255 plog(LLV_ERROR, LOCATION, NULL, 1256 "ldap_first_entry failed: invalid entry returned\n"); 1257 goto ldap_group_end; 1258 } 1259 groupdn = ldap_get_dn(ld, le); 1260 if (groupdn == NULL) { 1261 plog(LLV_ERROR, LOCATION, NULL, 1262 "ldap_get_dn failed: invalid string returned\n"); 1263 goto ldap_group_end; 1264 } 1265 1266 plog(LLV_INFO, LOCATION, NULL, 1267 "ldap membership group returned \'%s\'\n", groupdn); 1268 ldap_group_end: 1269 1270 /* free ldap resources */ 1271 if (groupdn != NULL) 1272 ldap_memfree(groupdn); 1273 if (filter != NULL) 1274 racoon_free(filter); 1275 if (lr != NULL) 1276 ldap_msgfree(lr); 1277 if (init != NULL) 1278 racoon_free(init); 1279 1280 ldap_unbind_ext_s(ld, NULL, NULL); 1281 1282 return rtn; 1283 } 1284 1285 #endif 1286 1287 int 1288 xauth_login_system(usr, pwd) 1289 char *usr; 1290 char *pwd; 1291 { 1292 struct passwd *pw; 1293 char *cryptpwd; 1294 char *syscryptpwd; 1295 #ifdef HAVE_SHADOW_H 1296 struct spwd *spw; 1297 1298 if ((spw = getspnam(usr)) == NULL) 1299 return -1; 1300 1301 syscryptpwd = spw->sp_pwdp; 1302 #endif 1303 1304 if ((pw = getpwnam(usr)) == NULL) 1305 return -1; 1306 1307 #ifndef HAVE_SHADOW_H 1308 syscryptpwd = pw->pw_passwd; 1309 #endif 1310 1311 /* No root login. Ever. */ 1312 if (pw->pw_uid == 0) 1313 return -1; 1314 1315 if ((cryptpwd = crypt(pwd, syscryptpwd)) == NULL) 1316 return -1; 1317 1318 if (strcmp(cryptpwd, syscryptpwd) == 0) 1319 return 0; 1320 1321 return -1; 1322 } 1323 1324 int 1325 xauth_group_system(usr, grp) 1326 char * usr; 1327 char * grp; 1328 { 1329 struct group * gr; 1330 char * member; 1331 int index = 0; 1332 1333 gr = getgrnam(grp); 1334 if (gr == NULL) { 1335 plog(LLV_ERROR, LOCATION, NULL, 1336 "the system group name \'%s\' is unknown\n", 1337 grp); 1338 return -1; 1339 } 1340 1341 while ((member = gr->gr_mem[index++])!=NULL) { 1342 if (!strcmp(member,usr)) { 1343 plog(LLV_INFO, LOCATION, NULL, 1344 "membership validated\n"); 1345 return 0; 1346 } 1347 } 1348 1349 return -1; 1350 } 1351 1352 int 1353 xauth_check(iph1) 1354 struct ph1handle *iph1; 1355 { 1356 struct xauth_state *xst = &iph1->mode_cfg->xauth; 1357 1358 /* 1359 * Only the server side (edge device) really check for Xauth 1360 * status. It does it if the chose authmethod is using Xauth. 1361 * On the client side (roadwarrior), we don't check anything. 1362 */ 1363 switch (iph1->approval->authmethod) { 1364 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R: 1365 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R: 1366 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R: 1367 /* The following are not yet implemented */ 1368 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R: 1369 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R: 1370 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R: 1371 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R: 1372 if ((iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) == 0) { 1373 plog(LLV_ERROR, LOCATION, NULL, 1374 "Hybrid auth negotiated but peer did not " 1375 "announced as Xauth capable\n"); 1376 return -1; 1377 } 1378 1379 if (xst->status != XAUTHST_OK) { 1380 plog(LLV_ERROR, LOCATION, NULL, 1381 "Hybrid auth negotiated but peer did not " 1382 "succeed Xauth exchange\n"); 1383 return -1; 1384 } 1385 1386 return 0; 1387 break; 1388 default: 1389 return 0; 1390 break; 1391 } 1392 1393 return 0; 1394 } 1395 1396 int 1397 group_check(iph1, grp_list, grp_count) 1398 struct ph1handle *iph1; 1399 char **grp_list; 1400 int grp_count; 1401 { 1402 int res = -1; 1403 int grp_index = 0; 1404 char * usr = NULL; 1405 1406 /* check for presence of modecfg data */ 1407 1408 if(iph1->mode_cfg == NULL) { 1409 plog(LLV_ERROR, LOCATION, NULL, 1410 "xauth group specified but modecfg not found\n"); 1411 return res; 1412 } 1413 1414 /* loop through our group list */ 1415 1416 for(; grp_index < grp_count; grp_index++) { 1417 1418 /* check for presence of xauth data */ 1419 1420 usr = iph1->mode_cfg->xauth.authdata.generic.usr; 1421 1422 if(usr == NULL) { 1423 plog(LLV_ERROR, LOCATION, NULL, 1424 "xauth group specified but xauth not found\n"); 1425 return res; 1426 } 1427 1428 /* call appropriate group validation funtion */ 1429 1430 switch (isakmp_cfg_config.groupsource) { 1431 1432 case ISAKMP_CFG_GROUP_SYSTEM: 1433 res = xauth_group_system( 1434 usr, 1435 grp_list[grp_index]); 1436 break; 1437 1438 #ifdef HAVE_LIBLDAP 1439 case ISAKMP_CFG_GROUP_LDAP: 1440 res = xauth_group_ldap( 1441 iph1->mode_cfg->xauth.udn, 1442 grp_list[grp_index]); 1443 break; 1444 #endif 1445 1446 default: 1447 /* we should never get here */ 1448 plog(LLV_ERROR, LOCATION, NULL, 1449 "Unknown group auth source\n"); 1450 break; 1451 } 1452 1453 if( !res ) { 1454 plog(LLV_INFO, LOCATION, NULL, 1455 "user \"%s\" is a member of group \"%s\"\n", 1456 usr, 1457 grp_list[grp_index]); 1458 break; 1459 } else { 1460 plog(LLV_INFO, LOCATION, NULL, 1461 "user \"%s\" is not a member of group \"%s\"\n", 1462 usr, 1463 grp_list[grp_index]); 1464 } 1465 } 1466 1467 return res; 1468 } 1469 1470 vchar_t * 1471 isakmp_xauth_req(iph1, attr) 1472 struct ph1handle *iph1; 1473 struct isakmp_data *attr; 1474 { 1475 int type; 1476 size_t dlen = 0; 1477 int ashort = 0; 1478 int value = 0; 1479 vchar_t *buffer = NULL; 1480 char *mraw = NULL, *mdata; 1481 char *data; 1482 vchar_t *usr = NULL; 1483 vchar_t *pwd = NULL; 1484 size_t skip = 0; 1485 int freepwd = 0; 1486 1487 if ((iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) == 0) { 1488 plog(LLV_ERROR, LOCATION, NULL, 1489 "Xauth mode config request but peer " 1490 "did not declare itself as Xauth capable\n"); 1491 return NULL; 1492 } 1493 1494 type = ntohs(attr->type) & ~ISAKMP_GEN_MASK; 1495 1496 /* Sanity checks */ 1497 switch(type) { 1498 case XAUTH_TYPE: 1499 if ((ntohs(attr->type) & ISAKMP_GEN_TV) == 0) { 1500 plog(LLV_ERROR, LOCATION, NULL, 1501 "Unexpected long XAUTH_TYPE attribute\n"); 1502 return NULL; 1503 } 1504 if (ntohs(attr->lorv) != XAUTH_TYPE_GENERIC) { 1505 plog(LLV_ERROR, LOCATION, NULL, 1506 "Unsupported Xauth authentication %d\n", 1507 ntohs(attr->lorv)); 1508 return NULL; 1509 } 1510 ashort = 1; 1511 dlen = 0; 1512 value = XAUTH_TYPE_GENERIC; 1513 break; 1514 1515 case XAUTH_USER_NAME: 1516 if (!iph1->rmconf->xauth || !iph1->rmconf->xauth->login) { 1517 plog(LLV_ERROR, LOCATION, NULL, "Xauth performed " 1518 "with no login supplied\n"); 1519 return NULL; 1520 } 1521 1522 dlen = iph1->rmconf->xauth->login->l - 1; 1523 iph1->rmconf->xauth->state |= XAUTH_SENT_USERNAME; 1524 break; 1525 1526 case XAUTH_USER_PASSWORD: 1527 if (!iph1->rmconf->xauth || !iph1->rmconf->xauth->login) 1528 return NULL; 1529 1530 skip = sizeof(struct ipsecdoi_id_b); 1531 usr = vmalloc(iph1->rmconf->xauth->login->l - 1 + skip); 1532 if (usr == NULL) { 1533 plog(LLV_ERROR, LOCATION, NULL, 1534 "Cannot allocate memory\n"); 1535 return NULL; 1536 } 1537 memset(usr->v, 0, skip); 1538 memcpy(usr->v + skip, 1539 iph1->rmconf->xauth->login->v, 1540 iph1->rmconf->xauth->login->l - 1); 1541 1542 if (iph1->rmconf->xauth->pass) { 1543 /* A key given through racoonctl */ 1544 pwd = iph1->rmconf->xauth->pass; 1545 } else { 1546 if ((pwd = getpskbyname(usr)) == NULL) { 1547 plog(LLV_ERROR, LOCATION, NULL, 1548 "No password was found for login %s\n", 1549 iph1->rmconf->xauth->login->v); 1550 vfree(usr); 1551 return NULL; 1552 } 1553 /* We have to free it before returning */ 1554 freepwd = 1; 1555 } 1556 vfree(usr); 1557 1558 iph1->rmconf->xauth->state |= XAUTH_SENT_PASSWORD; 1559 dlen = pwd->l; 1560 1561 break; 1562 case XAUTH_MESSAGE: 1563 if ((ntohs(attr->type) & ISAKMP_GEN_TV) == 0) { 1564 dlen = ntohs(attr->lorv); 1565 if (dlen > 0) { 1566 mraw = (char*)(attr + 1); 1567 mdata = binsanitize(mraw, dlen); 1568 if (mdata == NULL) { 1569 plog(LLV_ERROR, LOCATION, iph1->remote, 1570 "Cannot allocate memory\n"); 1571 return NULL; 1572 } 1573 plog(LLV_NOTIFY,LOCATION, iph1->remote, 1574 "XAUTH Message: '%s'.\n", 1575 mdata); 1576 racoon_free(mdata); 1577 } 1578 } 1579 return NULL; 1580 default: 1581 plog(LLV_WARNING, LOCATION, NULL, 1582 "Ignored attribute %s\n", s_isakmp_cfg_type(type)); 1583 return NULL; 1584 break; 1585 } 1586 1587 if ((buffer = vmalloc(sizeof(*attr) + dlen)) == NULL) { 1588 plog(LLV_ERROR, LOCATION, NULL, 1589 "Cannot allocate memory\n"); 1590 goto out; 1591 } 1592 1593 attr = (struct isakmp_data *)buffer->v; 1594 if (ashort) { 1595 attr->type = htons(type | ISAKMP_GEN_TV); 1596 attr->lorv = htons(value); 1597 goto out; 1598 } 1599 1600 attr->type = htons(type | ISAKMP_GEN_TLV); 1601 attr->lorv = htons(dlen); 1602 data = (char *)(attr + 1); 1603 1604 switch(type) { 1605 case XAUTH_USER_NAME: 1606 /* 1607 * iph1->rmconf->xauth->login->v is valid, 1608 * we just checked it in the previous switch case 1609 */ 1610 memcpy(data, iph1->rmconf->xauth->login->v, dlen); 1611 break; 1612 case XAUTH_USER_PASSWORD: 1613 memcpy(data, pwd->v, dlen); 1614 break; 1615 default: 1616 break; 1617 } 1618 1619 out: 1620 if (freepwd) 1621 vfree(pwd); 1622 1623 return buffer; 1624 } 1625 1626 vchar_t * 1627 isakmp_xauth_set(iph1, attr) 1628 struct ph1handle *iph1; 1629 struct isakmp_data *attr; 1630 { 1631 int type; 1632 vchar_t *buffer = NULL; 1633 char *data; 1634 struct xauth_state *xst; 1635 size_t dlen = 0; 1636 char* mraw = NULL, *mdata; 1637 1638 if ((iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) == 0) { 1639 plog(LLV_ERROR, LOCATION, NULL, 1640 "Xauth mode config set but peer " 1641 "did not declare itself as Xauth capable\n"); 1642 return NULL; 1643 } 1644 1645 type = ntohs(attr->type) & ~ISAKMP_GEN_MASK; 1646 1647 switch(type) { 1648 case XAUTH_STATUS: 1649 /* 1650 * We should only receive ISAKMP mode_cfg SET XAUTH_STATUS 1651 * when running as a client (initiator). 1652 */ 1653 xst = &iph1->mode_cfg->xauth; 1654 switch (iph1->approval->authmethod) { 1655 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I: 1656 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_I: 1657 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I: 1658 /* Not implemented ... */ 1659 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I: 1660 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I: 1661 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I: 1662 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I: 1663 break; 1664 default: 1665 plog(LLV_ERROR, LOCATION, NULL, 1666 "Unexpected XAUTH_STATUS_OK\n"); 1667 return NULL; 1668 break; 1669 } 1670 1671 /* If we got a failure, delete iph1 */ 1672 if (ntohs(attr->lorv) != XAUTH_STATUS_OK) { 1673 plog(LLV_ERROR, LOCATION, NULL, 1674 "Xauth authentication failed\n"); 1675 1676 evt_phase1(iph1, EVT_PHASE1_XAUTH_FAILED, NULL); 1677 1678 iph1->mode_cfg->flags |= ISAKMP_CFG_DELETE_PH1; 1679 } else { 1680 evt_phase1(iph1, EVT_PHASE1_XAUTH_SUCCESS, NULL); 1681 } 1682 1683 1684 /* We acknowledge it */ 1685 break; 1686 case XAUTH_MESSAGE: 1687 if ((ntohs(attr->type) & ISAKMP_GEN_TV) == 0) { 1688 dlen = ntohs(attr->lorv); 1689 if (dlen > 0) { 1690 mraw = (char*)(attr + 1); 1691 mdata = binsanitize(mraw, dlen); 1692 if (mdata == NULL) { 1693 plog(LLV_ERROR, LOCATION, iph1->remote, 1694 "Cannot allocate memory\n"); 1695 return NULL; 1696 } 1697 plog(LLV_NOTIFY,LOCATION, iph1->remote, 1698 "XAUTH Message: '%s'.\n", 1699 mdata); 1700 racoon_free(mdata); 1701 } 1702 } 1703 1704 default: 1705 plog(LLV_WARNING, LOCATION, NULL, 1706 "Ignored attribute %s\n", s_isakmp_cfg_type(type)); 1707 return NULL; 1708 break; 1709 } 1710 1711 if ((buffer = vmalloc(sizeof(*attr))) == NULL) { 1712 plog(LLV_ERROR, LOCATION, NULL, 1713 "Cannot allocate memory\n"); 1714 return NULL; 1715 } 1716 1717 attr = (struct isakmp_data *)buffer->v; 1718 attr->type = htons(type | ISAKMP_GEN_TV); 1719 attr->lorv = htons(0); 1720 1721 return buffer; 1722 } 1723 1724 1725 void 1726 xauth_rmstate(xst) 1727 struct xauth_state *xst; 1728 { 1729 switch (xst->authtype) { 1730 case XAUTH_TYPE_GENERIC: 1731 if (xst->authdata.generic.usr) 1732 racoon_free(xst->authdata.generic.usr); 1733 1734 if (xst->authdata.generic.pwd) 1735 racoon_free(xst->authdata.generic.pwd); 1736 1737 break; 1738 1739 case XAUTH_TYPE_CHAP: 1740 case XAUTH_TYPE_OTP: 1741 case XAUTH_TYPE_SKEY: 1742 plog(LLV_WARNING, LOCATION, NULL, 1743 "Unsupported authtype %d\n", xst->authtype); 1744 break; 1745 1746 default: 1747 plog(LLV_WARNING, LOCATION, NULL, 1748 "Unexpected authtype %d\n", xst->authtype); 1749 break; 1750 } 1751 1752 #ifdef HAVE_LIBLDAP 1753 if (xst->udn != NULL) 1754 racoon_free(xst->udn); 1755 #endif 1756 return; 1757 } 1758 1759 int 1760 xauth_rmconf_used(xauth_rmconf) 1761 struct xauth_rmconf **xauth_rmconf; 1762 { 1763 if (*xauth_rmconf == NULL) { 1764 *xauth_rmconf = racoon_malloc(sizeof(**xauth_rmconf)); 1765 if (*xauth_rmconf == NULL) { 1766 plog(LLV_ERROR, LOCATION, NULL, 1767 "xauth_rmconf_used: malloc failed\n"); 1768 return -1; 1769 } 1770 1771 (*xauth_rmconf)->login = NULL; 1772 (*xauth_rmconf)->pass = NULL; 1773 (*xauth_rmconf)->state = 0; 1774 } 1775 1776 return 0; 1777 } 1778 1779 void 1780 xauth_rmconf_delete(xauth_rmconf) 1781 struct xauth_rmconf **xauth_rmconf; 1782 { 1783 if (*xauth_rmconf != NULL) { 1784 if ((*xauth_rmconf)->login != NULL) 1785 vfree((*xauth_rmconf)->login); 1786 if ((*xauth_rmconf)->pass != NULL) 1787 vfree((*xauth_rmconf)->pass); 1788 1789 racoon_free(*xauth_rmconf); 1790 *xauth_rmconf = NULL; 1791 } 1792 1793 return; 1794 } 1795 1796 struct xauth_rmconf * 1797 xauth_rmconf_dup(xauth_rmconf) 1798 struct xauth_rmconf *xauth_rmconf; 1799 { 1800 struct xauth_rmconf *new; 1801 1802 if (xauth_rmconf != NULL) { 1803 new = racoon_malloc(sizeof(*new)); 1804 if (new == NULL) { 1805 plog(LLV_ERROR, LOCATION, NULL, 1806 "xauth_rmconf_dup: malloc failed\n"); 1807 return NULL; 1808 } 1809 1810 memcpy(new, xauth_rmconf, sizeof(*new)); 1811 1812 if (xauth_rmconf->login != NULL) { 1813 new->login = vdup(xauth_rmconf->login); 1814 if (new->login == NULL) { 1815 plog(LLV_ERROR, LOCATION, NULL, 1816 "xauth_rmconf_dup: malloc failed (login)\n"); 1817 return NULL; 1818 } 1819 } 1820 if (xauth_rmconf->pass != NULL) { 1821 new->pass = vdup(xauth_rmconf->pass); 1822 if (new->pass == NULL) { 1823 plog(LLV_ERROR, LOCATION, NULL, 1824 "xauth_rmconf_dup: malloc failed (password)\n"); 1825 return NULL; 1826 } 1827 } 1828 1829 return new; 1830 } 1831 1832 return NULL; 1833 } 1834